Data Sovereignty and the GDPR; Do You Know Where Your Data Is?
As more companies move their data to the cloud, the question of data sovereignty is becoming a hotter topic. Data sovereignty is the requirement that digital data is subject to the laws of the country in which it is collected or processed. Many countries have requirements that data collected domestically must stay in that country. They argue that it’s in the Government’s interest to protect their citizen's personal information against any misuse.
Data collected here stays here
For example, countries like Russia, Germany, France, Indonesia, and Vietnam, to name a few, require that their citizen’s data must be stored on physical servers within the country’s physical borders.
Certain United States federal agencies require that data under their control be stored exclusively within the United States. Australia has defined a legal framework with its updated Australia Privacy Act on how its citizen's data should be stored and controlled. Europe’s General Data Protection Regulation (GDPR) also restricts companies from transferring personal data that originated in the EU to any country with inadequate data protection laws. To enable data transfers to the U.S., the U.S. and EU developed the Privacy Shield Scheme which enables companies to self-certify that they meet the EU security requirements.
The Privacy Shield’s main purpose is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens. The Privacy Shield was developed as a replacement for the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015. An up to date Privacy Shield listing of companies can be found here.
Data Sovereignty and the GDPR
The GDPR sovereignty requirements apply directly to the collection and processing of EU residents’ data, regardless of where that processing takes place. Additionally, it applies to both data controllers and data processors, so, whether your organization uses or provides a cloud service that processes EU residents’ data, you are directly affected.
Chapter V of the GDPR states that personal data can be transferred outside the EU under (only) two circumstances:
- On the basis of an adequacy decision (Article 45): Under the GDPR’s predecessor, the Data Protection Directive 1995, transfers of personal data to a third country (one that is not an EU member state), a territory, or an international organization may take place only if the European Commission has decided that there is “an adequate level of protection”.
To date, the Commission has adopted 12 adequacy decisions – with Andorra, Argentina, Canada (for transfers to commercial organizations that are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA)), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (for companies certified to the EU–US Privacy Shield).
- When subject to appropriate safeguards (Article 46): If there is no adequacy decision, controllers or processors may transfer EU residents’ data to a third country or an international organization if they provide appropriate safeguards and “enforceable data subject rights and effective legal remedies for data subjects are available” (Article 46).
Data Sovereignty and SaaS usually don’t mix
Many cloud platform providers are not designed with data sovereignty in mind. For example, many Software as a Service (SaaS) platforms are mostly designed around a single data center - meaning SaaS cloud service subscribers agree to have their data moved up to the vendor’s cloud, usually at one location. These SaaS cloud sites are usually located in only one country.
The impact of global laws with stricter data sovereignty requirements will drive SaaS cloud platforms to develop data centers in multiple regions, raising their costs, in order to store data locally and minimize the impact of new data sovereignty regulations.
Data gravity, data sovereignty, and the cloud
Data gravity is a metaphor that large data sets and applications are attracted to each other, much like the attraction between objects. With the increasing adoption of enterprise data analytics, as data sets continue to grow, they become harder to move. At some point, large data sets need to stay put to enable seamless processes, preferably in a compliant cloud so large data sets no longer need to be moved.
As organizations mature in their analytics practices, they find that analytics becomes unwieldy. With massive amounts of data spread across different enterprise storage systems, it can be difficult, costly, and risky to move that data to their analytics clusters. These barriers become even higher if you want to run analytics in the cloud on data stored in the enterprise, or vice-versa. These new realities for a world of ever-growing data sets point to the need to design enterprise IT architectures in a manner that reflects the reality of data gravity or alternatively, consolidate your data in a cloud platform where the analytics capabilities reside (and which includes data sovereignty guarantees).
Archive360 and Azure Data Sovereignty
Archive2Azure is a native Azure Information Management and Archiving platform that manages data within the customer’s Azure tenancy. The customer stores their data in their Azure tenancy in their geography of choice and Archive2Azure manages it using policies created by them. For the GDPR, data storage would be directed (by the customer) to the various Azure data centers located within the EU. Azure enables organizations to make technology placement decisions based on business needs—simplifying meeting custom compliance, sovereignty, and data gravity requirements.
Customer data can be replicated within a selected geographic area for enhanced data durability, in case of a major data center disaster, for data sovereignty requirements and, if directed, will not be replicated outside it.
To allow for the continuous flow of information required by international business (including the cross-border transfer of personal data), many Microsoft business cloud services offer customers EU Standard Contractual Clauses that provide contractual guarantees around transfers of personal data for in-scope cloud services. The Microsoft implementation of the EU Model Clauses has been validated by EU data protection authorities as being in line with the rigorous privacy standards that regulate international data transfers by companies operating in its member states.
Microsoft is also certified to the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EU to the United States. Microsoft participation in the Privacy Shield applies to all personal data that is subject to the Microsoft Privacy Statement and is received from the EU, European Economic Area, and Switzerland. Microsoft also abides by Swiss data protection law regarding the processing of personal data from the European Economic Area and Switzerland.
Microsoft will not transfer to any third party (not even for storage purposes), data that you provide to Microsoft, using their business cloud services that are covered under the Microsoft Online Services Terms.
For more information on GDPR and the Privacy Shield, you can read the following blogs:
And be sure to download the GDPR eBook: What you should know about the GDPR
About Bill Tolson
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.