Summary

Data is subject to the rules and regulations of the country where it’s located, restrictions in how data can be used, heightened rules for oversight, and penalties for violations. This is why data sovereignty matters—a lot.


It’s been clear for a long while that data is subject to the rules and regulations of the country where it’s located, restrictions in how data can be used, and heightened rules for oversight (not to mention bigger penalties for violations). As we’ve covered in several recent blog posts, regulations such as the EU Data Act and the EU’s Digital Operational Resilience Act (DORA) put constraints on organizations whose data is mobile.

This is why data sovereignty matters—a lot. Data sovereignty is the concept that data is subject to the laws and regulations of the country in which it is located. In a globalized digital landscape where different regions may have varying data protection and privacy laws, the physical location of your data matters. 

Legal jurisdiction, privacy regulations, and compliance requirements differ and frequently change. It’s important to make informed decisions about where to store and process data to align with specific regional or national laws. 

If you’re skeptical about the concept, here are just a few examples of organizations that have run afoul of data sovereignty and faced penalties in the last few years:

While many judgments are being appealed, numbers like these can’t be ignored. 


The Deep Dive on Data Sovereignty

Data sovereignty is the set of legal frameworks used by governments to assert control over how citizen user data can be generated, used, and housed, both within borders and beyond, as in the case of international web traffic. Data residency simply refers to the physical location where data is stored. Data localization is the practice of housing data within national or state borders to achieve compliance with data residency requirements.

Data sovereignty is an essential tool in providing a deterrent to cybercriminals and combating misuse or poor stewardship of personal information and data. Data sovereignty has also evolved to be a tool of consumer empowerment, increasing transparency by compelling online entities to seek consent for data collection.

As more enterprises operate globally, the need to comply with data sovereignty is critical. Currently, the EU has the most comprehensive and far-reaching data protection law in the world, but individual US states have also passed their own laws. Looking ahead, the data sovereignty landscape is sure to grow in scope and complexity. Businesses with strong compliance cultures will be well-prepared for whatever the future brings.

The Impact of Data Sovereignty on Business

Data sovereignty compliance can be a major factor in decisions on data management, data security, data residency, and even IT architecture and cloud vendor selection.

Not surprisingly, data sovereignty creates compliance challenges for organizations that collect data on individuals. Operating in one jurisdiction has challenges enough. Organizations may need to update their websites to increase transparency, track account info in new ways, institute data sharing rules, and set up processes for compliance reporting.

Operating globally takes the challenges to another level. Simply moving data across borders can entail extra processes that impede the seamless flow of data. Organizations also need to figure out where data must reside and then design data architecture and processing that’s compliant and secure. This can be a complex job requiring skilled personnel and lots of IT resources of all kinds: networking, encryption and other security measures, dispersed computing, and cloud deployments in various localities. 

Improving Compliance in a Data Sovereignty Environment

Here are some steps organizations can consider taking to augment their compliance strategies:

  • Appoint a Data Protection Officer (DPO): While many large U.S. organizations are creating this position, businesses in the EU are required to have a DPO. A well-supported DPO can be given the responsibility of maintaining compliance and data integrity as regulations change, new markets are entered, and data processing needs evolve.
  • Conduct data auditing: Thorough periodic audits of data transmission, movement, and residency are an essential first step for ensuring compliance. Larger organizations are likely to have advanced tools, including intelligent storage and data fabric software, that provide continuous visibility into data operations and generate audit records.
  • Strengthen data protection: Robust encryption, access controls, and monitoring will be needed to protect data both in transit and in storage. 
  • Choose providers ready for data sovereignty: Even data stored in the cloud has to reside somewhere. Cloud providers should be chosen based on how well they can support an enterprise’s localization and processing needs.
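As an added illustration of the auditing and provider-selection steps above (this is example code written for this post, not the author's or any vendor's tooling), the check below runs over a constructed inventory of cloud data stores and flags any store whose physical region is outside the regions a hypothetical localization policy allows for the jurisdictions of the people whose data it holds. The policy table, region names, and store names are all assumptions; a real policy comes from counsel, not from this table.

```python
"""Data-residency audit over a constructed cloud data-store inventory.
Flags stores whose region violates a (hypothetical) localization policy
and stores that are not encrypted at rest."""
from dataclasses import dataclass

# Hypothetical localization policy: data about people in a jurisdiction may
# only reside in these regions. Constructed for this example, not legal advice.
RESIDENCY_POLICY = {
    "EU": {"eu-west-1", "eu-central-1"},
    "US-health": {"us-east-1", "us-west-2"},   # e.g. PHI kept in-country
    "US": {"us-east-1", "us-west-2", "eu-west-1"},
}

@dataclass(frozen=True)
class DataStore:
    name: str
    region: str               # cloud region where the bytes physically reside
    jurisdictions: frozenset  # jurisdictions of the data subjects it holds
    encrypted_at_rest: bool

def audit_residency(stores, policy=RESIDENCY_POLICY):
    """Return (store name, finding) tuples for every violation found."""
    findings = []
    for s in stores:
        for j in sorted(s.jurisdictions):
            allowed = policy.get(j)
            if allowed is None:
                findings.append((s.name, f"no residency policy for jurisdiction {j}"))
            elif s.region not in allowed:
                findings.append((s.name, f"{j} data resides in {s.region}; "
                                         f"allowed: {sorted(allowed)}"))
        if not s.encrypted_at_rest:
            findings.append((s.name, "not encrypted at rest"))
    return findings

# Constructed inventory (sample data, not a real environment)
INVENTORY = [
    DataStore("crm-eu", "eu-central-1", frozenset({"EU"}), True),
    DataStore("analytics-global", "us-east-1", frozenset({"EU", "US"}), True),
    DataStore("patient-portal", "eu-west-1", frozenset({"US-health"}), False),
    DataStore("marketing-apac", "ap-southeast-1", frozenset({"SG"}), True),
]

if __name__ == "__main__":
    for name, finding in audit_residency(INVENTORY):
        print(f"{name}: {finding}")
```

A store with data from several jurisdictions is checked once per jurisdiction, which is how a globally pooled analytics store ends up flagged even though part of its data is placed correctly.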


How Countries Manage Data Sovereignty

One of the trickiest parts of global compliance is navigating the patchwork of different laws around the world. 

For example, the EU has what may be the toughest data privacy legislation in the world: 2018’s General Data Protection Regulation (GDPR). This legislation applies to data collected not just within the EU, but to any data collected on EU citizens by global entities. Among the most important of this law’s regulations is the requirement that users give their consent to data collection and that they be furnished with their data upon request. 

The “Accept Cookies?” messages we see on many websites originate with GDPR compliance. The GDPR has regulations covering both personal information—birthdates, addresses, contact info—and personal data, a category that includes tracking info, online behavior, geotagging, and purchasing history.

Recently, the EU passed the Digital Operational Resilience Act (DORA), which directs financial entities such as banks, insurance companies, and investment firms to strengthen IT security and take steps to increase resilience against operational disruptions. The EU also passed the Data Governance Act (DGA), which creates frameworks for data sharing to support innovation, research, and competitiveness.

While the United States does not have a GDPR equivalent, it does have laws protecting specific classes of data. For example, the Health Insurance Portability and Accountability Act (HIPAA) regulates protected health information (PHI). The Children’s Online Privacy Protection Act (COPPA) restricts content and data collection for children 13 and under. The Gramm-Leach-Bliley Act of 1999 imposes disclosure, transparency, and consent requirements on financial institutions’ use of customer data.