Data Sovereignty and the GDPR; Do You Know Where Your Data Is?
With the rising popularity of cloud computing and Software as a Service (SaaS) solutions, data sovereignty issues have become a greater focus and risk for Chief Regulatory Officers (CROs) and General Counsels (GCs). Data sovereignty is a country-specific requirement that data is subject to the laws of the country in which it is collected or processed and must remain within its borders. Many countries have had these laws for decades, and new privacy laws such as the GDPR are only making them more prominent. For example, countries like Russia, China, Germany, France, Indonesia, and Vietnam (to name a few) require that their citizens’ data be stored on physical servers within the country’s borders. They argue that it’s in the government’s and their citizens’ interest to protect personal information against any misuse, especially outside of the country’s jurisdiction.
To complicate matters further, there are two terms that are used interchangeably (but incorrectly) by many to mean the same thing – data residency and data sovereignty. In reality, they have slightly different legal meanings so you must be careful when asking questions of vendors:
- Data residency is where a business specifies that their data is stored in a specific geographic location of their choice. An example of a data residency requirement in action is where a company wishes to take advantage of a better tax regime.
- Data sovereignty differs from data residency in that not only is the data stored in a designated location – usually due to regulatory requirements – but it is also subject to the laws of the country in which it is physically stored. Data subjects have different privacy and security protections according to where the data centers are located. So, to take advantage of the protections of a country’s specific privacy laws, some nations require local storage and highly regulate how the data can be moved out of the country and for what reason.
Data sovereignty & GDPR, then and now
In reality, multinational corporations have (hopefully) been navigating a complex environment of data sovereignty requirements across many countries for decades. For example, many years ago, while assisting on an internal investigation at a Fortune 50 multinational, we requested old emails for several employees from a division in France. We were quickly told that they could not turn the data over, even to company representatives, to anyone outside the country without the “worker’s committee” approval. I later found this was a French national law and ignoring it would trigger huge fines.
Now, with the advent of the EU’s GDPR and the huge fines that go along with it, organizations have begun to take a much more serious look at their data sovereignty requirements and capabilities.
Location, location, location
The three largest public cloud vendors, Microsoft, AWS, and Google, have built cloud data centers in countries around the globe, specifically to address data sovereignty issues. However, many second and third-tier SaaS cloud vendors either offer only one or two data centers or, if relying on one of the big three public cloud vendors for their cloud infrastructure, have contracted to use only one of their data centers. To compete for data sovereignty business, a SaaS cloud provider will need to offer multiple data center locations based on local regulatory requirements, or specify which data sovereignty regulations they meet – based on data center locations. Additionally, the SaaS provider would need to offer data orchestration, i.e., allow the company to choose, either manually or programmatically, where data is stored based on geographic location, as well as incorporate access and security controls based on local regulations.
Data sovereignty and the GDPR
Besides the “right to be forgotten” provision of the GDPR, the other obvious provision that companies are paying attention to is that of data sovereignty. The GDPR requires that all data collected on citizens be stored either in the EU, so it is subject to European privacy laws, or within a jurisdiction that has similar levels of protection. Additionally, it applies to both data controllers and data processors so, whether your organization uses or provides a cloud service that processes EU resident data, your company is directly affected.
Data sovereignty and the courts
Litigation often spans country borders, but how are eDiscovery and data sovereignty handled when data is generated and stored outside the United States? Many countries have laws that stipulate that data created in a particular country must also be stored in that same country. However, during a lawsuit’s legal discovery phase, supporting content can be requested no matter where that data is stored.
A landmark case that began in 2013 collided head-on with country data sovereignty and corporate rights. American law enforcement sought data on a user of Microsoft services in relation to a drug trafficking case; Microsoft argued in Microsoft Corp v. United States that the data in question was located exclusively in a data center in Ireland and that data held exclusively on Irish servers was not subject to U.S. jurisdiction. A federal court issued a warrant under the Stored Communications Act against Microsoft for both personal user data and email.
Microsoft challenged the warrant but lost. Microsoft appealed to the U.S. Second Circuit Court, which froze the warrant until a decision could be handed down. While the case was awaiting judgment by the U.S. Supreme Court, the U.S. Congress passed the CLOUD Act.
The CLOUD Act states that companies must provide information properly requested by law enforcement “regardless of whether such communication, record, or other information is located within or outside of the United States.” The passing of the CLOUD Act finally decided the question of the federal courts and cross-border eDiscovery. In fact, Microsoft agreed with the Act and issued the following statement:
“We welcome the Supreme Court’s ruling ending our case in light of the CLOUD Act being signed into law. Our goal has always been a new law and international agreements with strong privacy protections that govern how law enforcement gathers digital evidence across borders. As the governments of the UK and Australia have recognized, the CLOUD Act encourages these types of agreements, and we urge the US government to move quickly to negotiate them.”
Multi-cloud strategies and data sovereignty / GDPR
Many companies have begun to look at multi-cloud strategies to help them protect against vendor lock-in, but these strategies carry a higher cost: more systems to manage, plus regulatory and legal complexity. Companies must determine where the data is stored and whether it can be moved legally once stored in a specific country under local laws.
Multi-cloud is the use of multiple cloud computing and storage services in a single heterogeneous architecture. This definition also refers to the distribution of cloud assets, software, applications, etc. across several cloud-hosting environments. With a typical multi-cloud architecture consisting of two or more public clouds as well as potentially additional private clouds, a multi-cloud environment aims to eliminate the reliance on any single cloud provider. Also, in a multi-cloud environment, synchronization between different vendors is not crucial to complete a computation process. However, the company must be able to stipulate storage locations.
For example, if an organization were running applications and services within a multi-cloud infrastructure, it could be in violation of multiple nations’ data sovereignty regulations at the same time. Consider this: violating Brazil’s LGPD data protection law as well as the EU’s GDPR could end up generating fines equal to a combined 6% of the company’s global revenue.
Data Sovereignty and SaaS usually don’t mix
Because of the distributed nature of the cloud, where data is stored may not be known to a customer or the SaaS provider may not be able to ensure storage in a specific geographic location. Furthermore, most SaaS cloud platforms are not designed with data sovereignty in mind. For example, many SaaS platforms are designed around a single data center, meaning SaaS cloud subscribers agree to store their data in the vendor’s cloud infrastructure no matter where it is, usually in one or two countries. To ensure against misunderstandings, both the customer and SaaS provider must take extra precautions to ensure all data sovereignty requirements can be met. Potential customers should be aware of their data sovereignty requirements and ask the vendor if they support specific country laws. SaaS providers should limit their data sovereignty claims to only those countries where they have data centers.
Basic data sovereignty topics to discuss with cloud vendors:
- Where the data will be stored: Finding out where data is stored is not always obvious for the current generation of cloud and SaaS hosted services. Who decides on the geographical location of your data? Does your service provider have a mandate to request your consent to move your data interstate or even internationally? The world of distributed infrastructure running cloud services means that it is difficult to be sure as to the sovereignty of your data when it resides in the hands of a third party. Additionally, have backup copies been made? Where are they stored?
- Local laws: With the distributed computing nature of the cloud, data hosted by SaaS applications can land in not-so-obvious places. While this practice may keep costs down for the customer (as well as the SaaS vendor), and make access to the data faster, it leaves the company’s data vulnerable to foreign governments and their associated laws.
- Data privacy: Do local country laws stipulate data retention, management, and security mandates? When you move your data off the hosted service, can it be moved without violating data residency laws? Is there a secure destruction policy or process? What security controls are in place to protect your data from breach, etc.?
- Who owns the data: Organizations may not be aware of the ownership rights over data stored in different countries. Data that was protected by strong privacy laws in the EU may well not be protected in a different foreign jurisdiction. This can make legal challenges to data access hard to defend.
- How the data will be secured: When dealing with third-party SaaS providers, it can be difficult to know and be comfortable with the security of the data and services they control. Does the SaaS provider conduct annual security audits with external third-party security specialists?