*US group Oracle scrambled to clarify its position yesterday after comments from a senior executive indicated that it was one of the first multinationals to indicate it was keeping the data of European citizens within its EU-based data centres, in order to comply with the recent European Court of Justice (ECJ) data privacy ruling in the Max Schrems case.
In response to a question at a briefing at Oracle's annual OpenWorld customer event here, Thomas Kurian, president of product development at Oracle, told journalists at a briefing: "No [European] data is sent across the geographical boundaries to any other legislative boundary."
However, the company later stated his comments applied only to the storage of data, and not to other cloud operations requiring access to that data.
The Schrems ruling – a response to a case taken by Austrian student Max Schrems against the Irish Data Protection Commissioner over his Facebook data – has create uncertainty for businesses and governments sending European data to the United States.
For 15 years, thousands of companies have relied on a set of data transfer principles called Safe Harbour to enable such transfers. But in its Schrems ruling, the ECJ invalidated Safe Harbour. Justices said the principles did not ensure protection from US surveillance or give Europeans the same data privacy rights they have in the EU.
After giving his annual keynote Tuesday to an audience of several thousand at Oracle’s annual OpenWorld customer conference, Mr Kurian met journalists. He was asked about Oracle’s handling of cloud data in the wake of the Schrems ruling, with specific reference to the data sovereignty issue.
"We are very comfortable [with] our operational practices and the way we handle data privacy and residency," Mr Kurian replied. "All of our data centres in Europe have European operators. They have local production and, within the same European legislative region, disaster recovery. No data is sent across the geographical boundaries to any other legislative boundary."
He added: “So we are very comfortable with where we are with our cloud offerings and the new regulatory framework around data governance.”
A reply by Oracle’s co-chief executive Mark Hurd in a Twitter-based question and answer session Monday also seemed to imply Oracle was keeping data in its data centres with respect to sovereign borders.
The question read: “@Oracle @MarkVHurd How does #Oracle #Cloud strategy address #data sovereignty, e.g. for Canada?”
Mr Hurd replied: “#oow15 We deploy #Cloud Ops in data centers around the globe, including Canada.”
Following the publication of an initial story in The Irish Times on Kurian’s comments, Oracle issued a clarification.
“Oracle offers cloud customers the ability to store their data in Europe so that it is not sent for storage elsewhere. Certain cloud operations may require access from engineering resources in other regions. Those resources are subject to EU data transfer requirements without reliance on the Safe Harbor Framework.”
Oracle did not give any detail on how the company is complying with EU data transfer requirements, but it likely is using a direct form of contracts between parties, called “model contracts”.
Following the Schrems decision, some multinationals, including Amazon and Salesforce, have told customers that data transfers are safe because they are using model contracts.
But the Article 29 Working Group of European Data Protection Commissioners has said that while organisations might opt to use model contracts in the short term, they may not shield companies from liability and prosecution.
Many privacy advocate groups, as well as several German regional data protection authorities, have said model contracts are inadequate as they cannot meet the ECJ’s central concerns over secret surveillance.
Oracle has several data centres based in EU countries, including the UK, Germany and the Netherlands. At OpenWorld last year, when the company announced it would open two new data centres in Germany, Oracle acknowledged this was in part to address possible shifts in data protection and privacy regulations.
On Monday, EU Justice Commissioner Vera Jourova said the US and EU had agreed "in principle" a replacement set of data governance rules, but indicated critical hurdles have not yet been overcome.
The parties were “still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the court,” she said.