Ars Tecnica | Sep 28, 2016
Cloud providers draw battle lines against TISA, will keep personal data in the EU
The fight for where and how data can flow promises to be bloody in new trade deal.
A new coalition of cloud companies on Tuesday published a code of conduct to keep European data inside Europe, just as the issue looks set to become one of the most hotly contested points in the controversial Trade in Services Agreement (TISA).
Cloud Infrastructure Services Providers in Europe (CISPE) is a newly formed coalition of more than 20 cloud infrastructure providers including Arsys, Art of Automation, Aruba, Daticum, Dominion, Fasthosts, Gigas, Ikoula, LeaseWeb, Lomaco, Outscale, Seeweb, and UpCloud.
Its new code foresees “the ability to exclusively process and store data within the EU or EEA territories.” This so-called "data localisation" option requires signatories to “provide to the customer information about the region and country where its data is stored and processed by or on behalf of the CISP (cloud infrastructure service provider), including if the CISP sub-contracts part of the processing to third parties. For security reasons, only a general location (such as a city or city region area) needs to be provided. This general description shall, at least, allow the customer to identify which EU member state has jurisdiction over the customer for processing performed by the customer using the service.”
Those that sign up will be identified by a “trust mark” and customers will receive “the assurance that providers of cloud infrastructure services do not process their personal data, for their own benefit or for the resale to third parties, such as for the mining of personal data, profiling of data subjects, marketing or similar actions.”
“This is the first industry-wide Code of Conduct to do so. It gives customers the assurance that their data always remains in their control and in their ownership. Customers from industry or software vendors procuring cloud infrastructure services can control where their data is processed and stored physically,” said CISPE chairman Alban Schmutz.
MEP Eva Paunova and French digital affairs minister Axelle Lemaire were keen to support the initiative. But their position is under threat from many of those supporting the TISA deal.
TISA is currently being negotiated as a replacement to the mostly defunct WTO General Agreement on Trade in Services (GATS) from 1995, and a final agreement could be reached as early as next year—the latest talks are scheduled for December.
The proposals in the TISA text have raised alarm bells among privacy advocates. UK based Global Justice Now warned last month that “big business” wants to use the agreement to gain “more control of the Internet and flows of data.”
“A number of countries, including the US, support text that says ’no Party may prevent a service supplier of another Party from transferring, [accessing, processing or storing] information, including personal information, within or outside the Party’s territory, where such activity is carried out in connection with the conduct of the service supplier’s business.’ Although TISA stipulates that privacy laws have to be applied in the receiving country, it is not clear how this will be guaranteed, respected and enforced,” said the organisation in a statement.
Earlier this month a coalition of international service providers pressed for “strong and clear TISA provisions on data localisation.”
“As businesses around the world compete in the global market, the free flow of data across borders has become the lifeblood of trade. All trade in goods and services—from the placing of an order to confirmation of delivery—now involves the electronic transfer of data. This means that forced data localisation policies and practices, where they exist or are proposed, have emerged as a major trade barrier, threatening to disrupt the continued growth and success of trade and commerce worldwide,” said the Global Services Coalition in its manifesto before urging TISA negotiators to “redouble their efforts to prohibit forced data localisation.”
firstname.lastname@example.org // Twitter @Brusselsgeek