Whether we realize it or not, every like, search, purchase, and download is building an evolving digital representation of our lives. Even your most private emails are being stored on a server somewhere in the world. This prompts the question: who owns the data? Is it the individual or the company collecting it, and what laws are they subject to? This is a question Microsoft had to answer when the U.S. Government served a search warrant for information on a foreign citizen that was being stored on Microsoft servers in Ireland. As a U.S.-based company, Microsoft had to determine whether it was obligated to provide the information or whether there was a lack of jurisdiction because the data was stored in a foreign country. This created a multi-year court battle and ultimately ended with new legislation. The case is also a reason it’s vitally important for companies to understand what data sovereignty is before they find themselves in a similar position to Microsoft.
What is Data Sovereignty?
As consumer data is becoming one of the most leveraged assets on the planet, governments are enacting data sovereignty laws to protect their citizens’ data from bad actors. Data sovereignty can be defined as “the idea that data are subject to the laws and governance structures within the nation it is collected.” Additionally, many data sovereignty laws include how personal data may be transmitted to another nation, if it’s allowed at all. If your business is gathering or processing personal data, this means you must understand and adhere to the data privacy laws of the host country you are operating within. If you do not comply, there can be significant monetary penalties or other measures utilized to obtain compliance.
Data Sovereignty vs. Data Localization & Data Residency
It’s important to understand the distinction between data sovereignty, data localization, and data residency, as they are similar and often incorrectly referenced.
Data sovereignty is a governmental law or policy stating data is subject to the privacy and data laws of a certain geographic location. An example of this is Australia’s Privacy Principles (APP). Personal data stored in Australia must adhere to the 13 standards set forth by the APP, including how data is collected and used, and the rights of an individual to access their personal information.
Often used interchangeably with the term data sovereignty, data localization is a governmental law or policy stating where data may be located. An example of this is the EU’s GDPR. It states any personal data gathered on European citizens within the EU must be hosted within the EU, EEA, or a select number of countries. This is to ensure their citizens’ data is protected at a level they deem acceptable.
On the other hand, data residency is a business-directed policy requiring data to be stored in a geographic location, usually for performance, regulatory, or tax reasons. An example of this would be a company wanting to utilize favorable tax laws within a specific country and needing to conduct a certain amount of business within the country to qualify for its tax benefits. To achieve this, the company may create a data residency policy stating all data must be stored and processed within the country’s borders.
For companies looking to expand internationally, it’s imperative to understand if your organization will have a data residency policy or if it will be subject to data sovereignty and localization laws.
Data Sovereignty Complications
Expanding internationally is an important step for many companies. However, data sovereignty can create significant financial and infrastructure complications. Instead of solely evaluating the business opportunity of a new market, businesses must also consider the expense of purchasing hardware to be utilized in each country, creating new data transfer policies to meet the country’s sovereignty or localization laws, and potentially hiring additional staff to oversee compliance. This is not a new requirement for companies with a mature global footprint; however, they must evaluate whether they are accomplishing this as efficiently as possible. When companies evaluate the expense of support renewals, hardware refreshes, and growing these environments, maintaining physical databases around the world may not be the right answer.
Solving Data Sovereignty with the Cloud
While simple in definition, data sovereignty adds expense and complexity for companies processing data internationally. Fortunately, the public cloud offers a simpler solution. Rather than purchasing hardware, shipping it around the globe, and maintaining it over time, major public clouds have data centers already distributed globally. This allows companies to simply designate what region they want their data to reside in, instead of needing to build a data center. This provides a substantial advantage in time-to-market as it reduces the effort and expense needed to identify new data centers, procure hardware, and have it installed at the designated locations. Additionally, the cloud provides a significantly more efficient and scalable solution for companies to maintain their current data growth rates, without needing to continually expand capacity well ahead of anticipated growth. Once a cloud provider and region have been identified, the complex task of adhering to data sovereignty is reduced to setting and maintaining policies that align with the specific country. As companies plan for data sovereignty adherence, cloud platforms can reduce time-to-market, mitigate risk, and reduce the need to pre-buy to support dynamic growth.