Since launching last May, InCountry has been operating primarily in the tech vendor equivalent of a journalism beat. The company offers services to assist with data localization law compliance, and thus, their business primarily came from areas in which those rules are prevalent, such as the Middle East, Asia and Russia.
InCountry CEO Peter Yared said the vendor started to have conversations with a few European Union countries, but its primary focus still centered on the lands where data localization loomed large.
Then the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield agreement, and all of a sudden, the entire privacy paradigm shifted.
Following the decision, Yared saw an opportunity to build upon those conversations with the EU and made its move. InCountry recently announced it will expand its services to all 27 countries within the European Union, in addition to Iceland, Norway and Lichtenstein in the European Economic Area.
Yared said he was caught off guard by the CJEU's decision to invalidate Privacy Shield but also described it as a welcomed surprise. It also wasn't the only shock to the vendor's system, as InCountry quickly saw increased attention from companies that needed answers.
"What we were not expecting was an onslaught of west-based, (software-as-a-service) companies asking us to solve this problem and quickly," Yared said. "One thing we needed to provide was guidance. Usually, our legal counsel is in places like Saudi Arabia, Indonesia and Russia. All of a sudden, we had to provide local guidance for the EU and U.S. so we can package that up for customers to help them understand what they needed to do."
Yared thought the trends were pointing favorably in the company's direction as more privacy laws popped up around the world and the location of data became increasingly important; however, he was not expecting the surge to come so soon.
He credits his staff and research team in keeping the vendor on top of global legal developments, which, in turn, made the decision to expand its European presence all the easier.
"We are used to doing this quickly and for very obscure markets. We will get an inbound about Malaysia, there will be some regulation we didn’t even know about, and we have to spin up local counsel. We have to get our teams educated. We have to start working with local regulators," Yared said. "It’s funny that this is a known process for us and then all of a sudden we are applying it to the EU. It went pretty quickly, and I think people have a pretty good understanding of what’s required."
InCountry conducts its services by storing information inside of a data center it operates within the borders of the respective country. Yared said one of the biggest challenges the vendor faces is finding data centers with all the certifications and specifications needed to properly store information. It can result in lengthy startup times to get a company where it needs to be to comply with data localization rules.
Those data centers may be hard to come by in the countries where it currently operates, but they are far more available in Europe.
"It’s interesting because, in Europe, there are modern facilities available in every country and a predictable business environment," Yared said. "For us to engage in Europe and accelerate our efforts, it was actually easy to find the facilities in the right counties."
Perhaps what Yared believes is one of the most important developments to come out of the "Schrems II" ruling is increased attention to where data resides and its destination.
Companies had to pay attention to data localization when they expanded into the Middle East or Asia. Once they took care of those requirements in those areas of the world, Yared said they likely figured it would not become a recurring problem. Now they have to be cognizant of the information coming and going from Europe. Yared said it became a "great conversation starter" that Europe, an area where so much business is conducted, "jumped to the top of the list."
Yared also doesn't expect this to be temporary and advises organizations not to stick their head in the sand when dealing with data localization and transborder data transfers.
"We’ve seen it happen in other markets, and it usually does not get better. You can see it with the 'Schrems' decision. People ask, 'Will this apply to data, or will it apply to processing, and what about cross-border transfers? Do contract clauses still apply or not?' It becomes a slippery slope and leads to a lot of headaches," Yared said. "For us, we just dig and double down, and we expect it to keep getting more complicated rather than simpler. We don’t expect that the regulators and governments have an interest anymore for businesses. They definitely are aligned with the consumers on this."
Photo by British Library on Unsplash