What happens in Vegas, stays in Vegas — and, for enterprise software vendor Infor, what happens in Europe, stays in Europe.
At its annual customer meeting in Paris on Tuesday, the company told European Union customers to move their data to its cloud services — just a week after German data protection authorities told companies handling Europeans’ personal information to shun U.S. service providers and keep the data at home.
Infor CEO Charles Phillips said that although it’s not an issue for most customers, the company can provision servers in Europe on request.
“Data created in Europe stays in Europe,” company president Stephan Scholl told customers attending the Inforum Europe event.
The German regulators wanting to keep data at home were reacting to the striking down on Oct. 6 of the Safe Harbor agreement, under which companies could promise to apply strict EU privacy protection laws to personal data they processed in return for the right to export it to the U.S.
The decision by the Court of Justice of the European Union has caused legal uncertainty for many businesses. Things looked good initially, with the European Commission reassuring them that other legal tools were available to replace Safe Harbor, and Europe’s national data protection authorities saying they would wait until the end of January before enforcing the rules, to give businesses and legislators time to adapt.
Scholl is able to claim that the data of Infor’s ERP and CRM customers stays in Europe because the company relies on Amazon Web Services for its cloud infrastructure, and AWS allows customers to confine their data to clusters of data centers in Ireland and Germany — or any of nine other clusters (AWS calls them “regions”) outside the EU.
AWS was one of the companies registered under the Safe Harbor agreement, but moved swiftly to reassure customers such as Infor that they needn’t worry about the agreement’s demise because its standard data processing agreement also contains model contract clauses approved by European privacy watchdogs. Such clauses are among the alternative legal measures the European Commission reminded businesses they could use.
Last week, Germany’s regional data protection authorities said they did not believe the model contract clauses met the standards required in European data protection law, and said they would grant no new authorizations to use them. They also said they would take immediate legal action against companies in breach of the law, making clear that, in their opinion, the only safe place for Europeans’ personal data was in Europe.
AWS already has its authorization, so its customers are safe on that score, but the company’s system of confining data to chosen regions is not an ironclad guarantee that the data will never leave them. AWS says it will not move or replicate customer content to other regions “except as legally required and as necessary to maintain the AWS services and provide them to our customers and their end users.”
That could still put data held by AWS within reach of a U.S. search warrant like the one concerning data held on a server in Ireland that Microsoft is fighting in a federal appeals court.
The AWS policy also leaves the company a get-out should it need to move data for load-balancing or disaster recovery purposes, although in that case it would have to weigh which posed the greater threat to its reputation: a short service outage, or a potentially irreparable breach of privacy.
Meanwhile, Infor customers that said three years ago they would never move to the cloud are now looking at it seriously, even in sensitive industries such as aerospace or defense, said Phillips.
The size of Infor’s cloud deals keeps growing. The company has signed its five largest contracts ever within the last eight months, Scholl said, all of them cloud-based. And within the next two weeks it hopes to announce its biggest cloud deal yet, with a government entity outside the U.S. “I can’t say any more than that without getting into trouble,” Scholl said.