Data sovereignty sits at the intersection of data management and international compliance. Data is subject to the laws of the country in which it is physically stored, and with contemporary cloud and hosting services that can become a complicated picture. Whether you are a business trying to protect your own and your customers’ data or a private citizen trying to stay private in the digital age, you need to understand how data sovereignty affects your security.
Local Laws, Global Communications
The rapid rise of the Internet has outpaced the oversight of governments and regulatory bodies. It has taken years for legislatures and courts to develop their understanding of hacking, privacy, social media, corporate responsibility, and other key concepts in the digital space.
Because each country has been catching up at its own pace, different nations often have very different laws about data and the Internet. This should not come as much of a surprise; after all, countries also have vastly divergent regulations governing health care, international trade, pollution, and other important topics. For data, though, the divergence is especially awkward, because while laws are confined to borders, data is not.
Data flows from server to server, and it is very common for users and consumers not to know the chain of custody for their data. Would you know the exact route an email takes when you send it to your boss? It is not unusual for a message to pass through servers in several countries. Whenever the data is stored on a particular server, it is subject to the jurisdiction of the country where that server sits. Location is not the only factor, either: the country in which the company operating the server is based can also assert authority over it.
For emails, this is usually not a big deal, since a message spends most of its life at rest on the recipient’s mail provider. But for a business storing data about its customers, a hospital maintaining records about its patients, or a person setting up the software for a new smart speaker, where that data is stored can matter a great deal.
For example, consider the cloud. Most of the world’s cloud services come from Microsoft and Amazon, with Google and other technology companies handling the rest of the market. If you are a company based in Canada or Europe, you should research carefully which data center or centers hold your information, because unless you have deliberately chosen a region, it might well be in the US, and even a region you did choose may not cover backups, replicas, logs, or support access. The US and the EU have very different rules for data privacy and security, and different legal authorities oversee them.
It is also worth being concerned about security from government intrusion. National governments have shown an interest in developing tools and regulations that allow them to reach into private data stores for national security or criminal justice purposes. The US government and American technology companies have repeatedly clashed in court over attempts to compel access around the security that Apple, Google, Microsoft, and others build into their products. Under the US CLOUD Act of 2018, US authorities can also compel a US-based provider to hand over data in its possession or control even when that data is stored on a server outside the US. So if you are a company based outside the US but your data is stored on an American server, or held by an American provider, your data might be at greater risk than you realize.
The opposite might be true if you are from outside the EU but your data sits in a data center within EU territory or is processed by an EU-based company. The EU has passed a law called the General Data Protection Regulation, or GDPR, which has been enforceable since May 2018. The GDPR is a set of rules designed to protect individuals and hold companies liable in the event of a breach or other misuse of personal data. Its reach is broad: it applies to organisations established in the EU, and to anyone offering goods or services to, or monitoring, people in the EU, regardless of where the servers are. You might therefore be exposed to far more regulation than you realize.
Navigating Data Sovereignty
Legally, your data might fall under several different sets of regulations at once, depending on where it is stored, who processes it, and whose data it is. That means you need to research both where your data actually lives and which local data laws might apply to you. Not knowing about those laws will not protect you in the event of an adverse legal action; it is your responsibility to understand the relevant law and comply with it.
Many companies are not intentionally flouting data regulations; they simply are not aware of the specifics of where their data lives and what laws govern it. Small businesses are especially vulnerable because they outsource more of their IT. That means, for example, that they do not control the servers and hosting for their company website or ecommerce platform, and depending on the vendor, information about where that data is stored may not be easy to obtain. Big companies face different problems: they can keep more data in-house, but they are larger targets for attackers and face steeper penalties if anything goes wrong. Large companies also have a higher profile, so they draw more direct scrutiny from regulators. EU data protection authorities may not be interested in investigating the compliance of a small bakery’s online ordering system, but they will certainly pay close attention to how well Facebook follows the rules.
The bottom line is that the best way to learn about data sovereignty and ensure that you are in compliance is to consult experts. Data sovereignty exists at a difficult intersection of international law and technology, and outside consultants dedicated to understanding the risks of international data compliance can reduce your exposure and save you money. The same is true if you are a consumer who believes your data rights are being violated: rather than navigating the technical and legal maze on your own, you can get help from professionals.
Seek out experts such as Crown Sterling, a leader in data sovereignty: companies that combine current technical expertise with the legal know-how to handle problems related to data sovereignty, and that keep up with the latest developments in both the legal and technical worlds. That matters because the way we store and regulate data is changing rapidly. Consumers are advocating for greater privacy, governments and corporations are battling over surveillance, and legislators are struggling to write laws that can actually be enforced.