- December 2, 2020
- Bill Tolson
- Data Privacy
- Regulatory Compliance
- Information Security
- Information Technology
With the rising popularity of cloud computing and Software as a Service (SaaS) solutions, data sovereignty issues (where the data is stored) have become a greater risk and focus for Chief Regulatory Officers (CRO) and General Counsels (GC).
In this blog, we will answer the following questions:
By being better informed, you can make better solution choices and ensure future issues (and costs) are minimized.
Data sovereignty is a country-specific requirement that data is subject to the laws of the country in which it is collected or processed and must remain within its borders. Many countries have had these laws for decades, and new privacy laws, such as the GDPR, are only making them more prominent. For example, countries like Russia, China, Germany, France, Indonesia, and Vietnam (to name a few) require that their citizens’ data must be stored on physical servers within the country’s borders. They argue that it’s in the government’s and their citizens’ interest to protect personal information against any misuse, especially outside of the country’s jurisdiction.
To further complicate matters, there are two terms that are used interchangeably (but incorrectly) by many to mean the same thing – data residency and data sovereignty. In reality, they have slightly different legal meanings. When engaging with a SaaS cloud vendor, be sure to clarify whether their security protocols can support specific country residency or sovereignty:
For decades, multinational corporations have been forced to navigate the complex environment of maintaining data sovereignty across many countries. Archive360 has experienced this firsthand with a number of its international customers. For example, ten-plus years ago, while assisting on an internal investigation at a Fortune 50 multinational, we requested old emails for several employees from a division in France. We were quickly told that they could not turn the data over to anyone outside the country, even to company representatives, without the “worker’s committee” approval. The reason – a long-standing French national data privacy law, the French Data Protection Act (DPA) of 1978 (revised in 2004), required that French citizen data be stored locally and that the citizen be asked for permission before it is accessed.
That was over ten years ago. Today, with the arrival of the EU’s GDPR and the huge fines that go along with it, organizations that collect or sell the personal information of EU citizens are beginning to take a much more serious look at their data sovereignty requirements and capabilities. To date, a total of €359,205,300 in fines has been levied for GDPR non-compliance.
The three largest public cloud vendors, Microsoft, AWS, and Google, have built cloud data centers in countries around the globe, specifically to address these data sovereignty issues. However, many second and third-tier SaaS cloud vendors either offer only one or two data centers or, if relying on one of the big three public cloud vendors for their cloud infrastructure, have contracted to use only one of their data centers. To compete for the data sovereignty business, a SaaS cloud provider will need to offer multiple data center locations based on local regulatory requirements or specify which data sovereignty regulations they meet – based on data center locations. Additionally, the SaaS service provider would need to offer data orchestration, i.e., allow the company to either manually or programmatically choose where data is stored based on geographic location, as well as incorporate access and security controls based on local regulations.
Questions to ask a prospective cloud vendor include:
Besides the much-publicized “right to be forgotten” provision of the GDPR, the other obvious provision companies that collect EU citizen data are paying attention to is that of data sovereignty. The GDPR requires that all data collected on EU citizens must be either stored in the EU, so it is subject to European privacy laws, or within a jurisdiction that has similar levels of protection. Additionally, it applies to both data controllers and data processors. Whether your organization uses or provides a cloud service that processes EU residents’ data, your company is already directly affected and should have installed systems that meet data sovereignty and security requirements, created documented PI-handling processes, and begun employee training on GDPR readiness.
The UK’s Information Commissioner’s Office sets out seven key principles of the GDPR that should lie at the heart of an organization’s approach to processing personal data:
Litigation often spans country borders, but how are eDiscovery and data sovereignty handled when data is generated and stored outside the country where the litigation is initiated? Many countries have laws that stipulate data created in a particular country must also be stored in that same country. However, during litigation’s legal discovery phase, supporting content can be requested no matter where that data is stored.
A landmark case that began in 2013 collided head-on with country data sovereignty and corporate rights. American law enforcement sought data on a user of Microsoft services in relation to a drug trafficking case; Microsoft argued that the data in question was located exclusively in a data center in Ireland and that data held exclusively on Irish servers was not subject to U.S. jurisdiction. A federal court issued a warrant under the Stored Communications Act against Microsoft for both personal user data and email.
Microsoft challenged the warrant but lost. Microsoft appealed to the U.S. Second Circuit Court, which froze the warrant until a decision could be handed down. While the case was awaiting judgment by the U.S. Supreme Court, the U.S. Congress passed the Clarifying Lawful Overseas Use of Data Act or CLOUD Act.
The CLOUD Act states that companies must provide information properly requested by law enforcement, “regardless of whether such communication, record, or other information is located within or outside of the United States.” The passing of the CLOUD Act finally decided the question of the federal courts and cross-border eDiscovery. In fact, Microsoft agreed with the Act and issued the following statement:
“We welcome the Supreme Court’s ruling ending our case in light of the CLOUD Act being signed into law. Our goal has always been a new law and international agreements with strong privacy protections that govern how law enforcement gathers digital evidence across borders. As the governments of the UK and Australia have recognized, the CLOUD Act encourages these types of agreements, and we urge the US government to move quickly to negotiate them.”
Many companies have begun to consider multi-cloud strategies to help protect against cloud vendor lock-in. However, this strategy carries with it higher cost in the form of more systems to purchase and manage along with the associated regulatory and legal complexity, including where the data is stored and whether it can be legally moved once stored in a specific country under local laws.
Multi-cloud is the use of multiple cloud computing and storage services in a single heterogeneous architecture. This definition also refers to the distribution of cloud assets, software, applications, etc. across several cloud-hosting environments. With a typical multi-cloud architecture consisting of two or more public clouds as well as potentially additional private clouds, a multi-cloud environment aims to eliminate the reliance on any single cloud provider. Also, in a multi-cloud environment, synchronization between different vendors is not crucial to complete a computation process. However, the company must be able to stipulate storage locations – data orchestration.
For example, if an organization was running applications and services within a multi-cloud infrastructure with data centers scattered across geographies, they could be in violation of multiple nations’ data sovereignty regulations at the same time due to data center locations.
Because of the distributed nature of the cloud, a customer may not know where its data is stored, or a Software as a Service (SaaS) provider may not be able to ensure storage in a specific geographic location. Furthermore, most SaaS cloud platforms are not designed with data sovereignty in mind. For example, many SaaS platforms are designed around a single data center, meaning SaaS cloud subscribers agree to store their data in the vendor’s cloud infrastructure – no matter where it is, usually in one or two countries.
To guard against misunderstandings, both the customer and SaaS provider must take extra precautions to ensure all data sovereignty requirements can be met. Potential SaaS customers should be aware of their data sovereignty requirements and ask the vendor for proof they support specific country laws. SaaS providers should limit their data sovereignty claims to only those countries where they have data centers, but it’s buyer beware: misconceptions or downright lies could expose your company to regulatory and legal liability.
To ensure you are getting exactly what you need for your data sovereignty requirements, ask SaaS cloud vendors the following basic data sovereignty questions:
SaaS cloud solutions can be a great cost-saving solution for many companies, but, depending on your data retention regulatory requirements, may fall short, putting you at risk. Remember, not all clouds are created equally.
Unlike SaaS cloud solutions, the Archive2Azure intelligent archiving and information management platform is:
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.