- January 25, 2023
Data sovereignty laws and the courts
Litigation often spans country borders, but how are eDiscovery and data sovereignty handled when data is generated and stored outside the United States? Many countries have laws that stipulate that data created in a particular country must also be stored in that same country. However, during a lawsuit’s legal discovery phase, supporting content can be requested no matter where that data is stored.
A landmark case that began in 2013 brought country data sovereignty and corporate rights into head-on collision. American law enforcement sought data on a user of Microsoft services in relation to a drug trafficking case. A federal court issued a warrant under the Stored Communications Act against Microsoft for both personal user data and email. In Microsoft Corp v. United States, Microsoft argued that the data in question was held exclusively in a data center in Ireland and that data held exclusively on Irish servers was not subject to U.S. jurisdiction.
Microsoft challenged the warrant but lost. Microsoft appealed to the U.S. Second Circuit Court, which froze the warrant until a decision could be handed down. While the case was awaiting judgment by the U.S. Supreme Court, the U.S. Congress passed the CLOUD Act.
The CLOUD Act states that companies must provide information properly requested by law enforcement “regardless of whether such communication, record, or other information is located within or outside of the United States.” The passing of the CLOUD Act finally decided the question of the federal courts and cross-border eDiscovery. In fact, Microsoft agreed with the Act and issued the following statement:
“We welcome the Supreme Court’s ruling ending our case in light of the CLOUD Act being signed into law. Our goal has always been a new law and international agreements with strong privacy protections that govern how law enforcement gathers digital evidence across borders. As the governments of the UK and Australia have recognized, the CLOUD Act encourages these types of agreements, and we urge the US government to move quickly to negotiate them.”
Multi-cloud strategies and data sovereignty / GDPR
Many companies have begun to look at multi-cloud strategies to help them protect against vendor lock-in, but these strategies carry a higher cost: more systems to manage, plus regulatory and legal complexity. Companies must determine where the data is stored and whether it can be moved legally once stored in a specific country under local laws.
Multi-cloud is the use of multiple cloud computing and storage services in a single heterogeneous architecture. This definition also refers to the distribution of cloud assets, software, applications, etc. across several cloud-hosting environments. With a typical multi-cloud architecture consisting of two or more public clouds as well as potentially additional private clouds, a multi-cloud environment aims to eliminate the reliance on any single cloud provider. Also, in a multi-cloud environment, synchronization between different vendors is not crucial to complete a computation process. However, the company must be able to stipulate storage locations.
For example, if an organization were running applications and services within a multi-cloud infrastructure, it could be in violation of multiple nations’ data sovereignty regulations at the same time. Consider this: violating Brazil’s LGPD data protection law as well as the EU’s GDPR could end up generating fines equal to a combined 6% of the company’s global revenue.
Data Sovereignty and SaaS usually don’t mix
Because of the distributed nature of the cloud, the location where data is stored may not be known to a customer, or the SaaS provider may not be able to ensure storage in a specific geographic location. Furthermore, most SaaS cloud platforms are not designed with data sovereignty in mind. For example, many SaaS platforms are designed around a single data center, meaning SaaS cloud subscribers agree to store their data in the vendor’s cloud infrastructure no matter where it is, usually in one or two countries. To guard against misunderstandings, both the customer and the SaaS provider must take extra precautions to ensure all data sovereignty requirements can be met. Potential customers should be aware of their data sovereignty requirements and ask the vendor if they support specific country laws. SaaS providers should limit their data sovereignty claims to only those countries where they have data centers.
Basic data sovereignty topics to discuss with cloud vendors:
- Where the data will be stored: Finding out where data is stored is not always obvious for the current generation of cloud and SaaS hosted services. Who decides on the geographical location of your data? Does your service provider have a mandate to request your consent to move your data interstate or even internationally? The world of distributed infrastructure running cloud services means that it is difficult to be sure as to the sovereignty of your data when it resides in the hands of a third party. Additionally, have backup copies been made? Where are they stored?
- Local laws: With the distributed computing nature of the cloud, data hosted by SaaS applications can land in not-so-obvious places. While this practice may keep costs down for the customer (as well as the SaaS vendor) and make access to the data faster, it leaves the company’s data vulnerable to foreign governments and their associated data sovereignty laws.
- Data privacy: Do local country laws stipulate data retention and management and security mandates? When you move your data off the hosted service, can it be moved without violating data residency laws? Is there a secure destruction policy or process? What security controls are in place to protect your data from breach, etc.?
- Who owns the data: Organizations may not be aware of the ownership rights over data stored in different countries. Data that was protected by strong privacy laws in the EU may well not be protected in a different foreign jurisdiction. This can make legal challenges to data access hard to defend.
- How the data will be secured: When dealing with third-party SaaS providers, it can be difficult to know and be comfortable with the security of the data and services they control. Does the SaaS provider conduct annual security audits with external third-party security specialists?