Box in no rush to open EU data centres, sees end of Safe Harbor
Box in no rush to open EU data centres, sees end of Safe Harbor

Box, which filed for a US$250 million (£165 million) IPO just over a year ago, has enjoyed a rapid ascent in recent years, competing fiercely with Dropbox, Microsoft and others in the consumer and enterprise IT markets and winning millions of customers, including the likes of GE and Procter & Gamble, along the way.

The Redmond City-based firm held its Box World Tour in London last week, an event which saw the announcement of key new partners, including Lancaster and Dundee University, and Ritual Cosmetics. The topic of conversation veered from digital enterprise software to secure content management and collaboration.

Speaking after the event to, Whitney Bouck, general manager of enterprise and SVP of global marketing at Box, confirmed that Box was looking at opening data centres in the EU. “It's an ongoing investigation, and actually we will at some point, but it depends where and when,” she told SC.

Bouck added that the firm was “still in the process” of checking locations, and making sure servers "stand-up", but reiterated it was “an ongoing process” and that the firm was “not at the point of making an announcement”.

European data centres aren't required under the EU General Data Protection Regulation (GDPR), which is due to come into effect later this year, nor are they required under the current European data protection directive. However, there has been some pressure for US-based firms to have servers in Europe, at least for European customers, to shield them from further NSA surveillance.

The current European Directive stipulates that transfers of data outside the EEA can be done only to countries where there are adequate safeguards in place.

Speaking at the event last week, Box CEO Aaron Levie said that the company plans to build data centres for its web servers outside the US over the next 12-18 months, while Bouck added that Box's Enterprise Key Management (EKM) solution is sufficient for now, putting the private encryption keys in the hands of users and away from the cloud.

“It's bridging the gap for most companies, so they can manage their own encryption keys and they don't have to hand over any assets,” she said.

Some companies found this was more secure than on-premise systems, she said, while refuting the implications of some experts that the keys are leaving the hardware appliance.

On the legal front, Bouck says that Box is “working very closely with the EU and with country governments on EU law and Binding Corporate Rules (BCRs)”, which she says are increasingly replacing the Safe Harbor agreement for data privacy and security.

“My understanding is that Safe Harbor is viewed as a bit outdated now and that BCRs will replace it over time,” she said.