On July 16, 2020, the European Court of Justice got rid of the four-year-old Privacy Shield agreement struck between the U.S. and the EU that had exposed Europeans to possible U.S. surveillance. The agreement had also allowed U.S. companies like Facebook and Google to store data about European residents outside of the region.
This move is yet another great example of the EU doing “right” by their constituents and holding tech companies responsible for their users' data privacy. The news also builds on the EU’s General Data Protection Regulation (GDPR) leadership, extending its consumer protections and providing a model for the rest of the world to work from as global data privacy policies continue to evolve.
The end of Privacy Shield is just a part of evolving data compliance regulations
This legislation presents significant compliance complications for organizations of all sizes. In this modern environment, nearly every organization conducts business across international lines, and very few employ data centers local to each of these jurisdictions. This change may require orgs to consider this as a deployment model. But that's just one part of the problem. Even if each organization setup data centers in every jurisdiction they would still struggle to comply with this legislation as most rely on legacy database technology that requires intense operational overhead, domain knowledge, and manual intervention/process to segment data into separate repositories.
And compliance is critical as these laws have teeth. Regulatory change has proven especially prickly as data regulations vary by region and non-compliance can be quite expensive. This is evidenced by the €50M fine France issued to Google back in January for failing to comply with its GDPR obligations.
A paradigm shift from siloed, monolithic data to distributed systems/data has allowed many companies to gain global scale and conduct business wherever they like. But when it comes time to move data domiciled in one location to another, the task is so difficult that many may just ignore compliance in favor of eating the fines and moving on. As the issue of consumer privacy moves to the fore, this strategy of curing the symptoms rather than curing the cause will expose those who neglect to address the foundation of the problem: the database.
The cloud-native advantage to data regulation compliance
The global pandemic has accelerated the transition of organizations to become completely cloud-native, digital-centric businesses. Digital is no longer a goal, rather it is current state. It is requisite. And those companies that have not only transitioned to the cloud but have adopted a cloud-native approach for the infrastructure, apps, and data have an advantage right now. They're more well-prepared for the increased reliance on the scale and globally distributed nature of this new world and are more likely to survive.
How to comply with data compliance regulations? Geo-partition your data.
Geo-partitioning, a foundational capability of CockroachDB has broad application to these global jurisdictional challenges. It was originally developed to meet latency requirements in globally dispersed environments, as it allows data to be tied to a location and lets the database tie data to a user location. However, this capability leads a double life and has become incredibly important for adhering to the privacy obligations as outlined in this recent legislation. Legacy technologies such as Oracle have created band-aid-like features to mask their inability to do this efficiently, but this retrofit does not allow orgs to efficiently automate and adapt to these compliance requirements.
Geo-partitioning delivers a level of automation that not only allows the data to decide where it should physically reside but also gives the administrator options to modify these requirements in production. This means as you expand your business into new geographies, you won’t incur downtime. You simply alter a configuration and the database physically moves the data to where it needs to be. When you open up a new data center in a new jurisdiction, you simply ALTER TABLE to instruct the database to move the right data to this new location. CockroachDB automates the rest. No application changes. No downtime. Just compliance.
CockroachDB delivers geo-partitioning so you can both adhere to regional compliance obligations and preserve low latency experiences without operational complexity or inordinate costs. Physically the database would have nodes in both the US and the EU, but to applications, it would present logically as a monolithic database. While CockroachDB has had the ability since version 1.0 to replicate databases and tables with geographic constraints, geo-partitioning significantly extends this by enabling row-level control.
Organizations that employ CockroachDB are simply better prepared to meet the requirements placed on data that were presented today and most likely will allow them to meet many of the modifications in jurisdiction that are still yet to come.
