Is Data Sovereignty a Myth in the Age of the Cloud?
With the rising popularity of cloud computing and Software as a Service (SaaS) solutions, data sovereignty issues (where the data is stored) have become a greater risk and focus for Chief Regulatory Officers (CRO) and General Counsels (GC).
In this blog, we will answer the following questions:
- What is data sovereignty?
- Why is it important for companies to understand the regulatory risks associated with it?
- How can you ensure your company avoids the risk of non-compliance?
By being better informed, you can make better solution choices and ensure future issues (and costs) are minimized.
What is Data Sovereignty?
Data sovereignty is a country-specific requirement that data is subject to the laws of the country in which it is collected or processed and must remain within its borders. Many countries have had these laws for decades, and new privacy laws, such as the GDPR, are only making them more prominent. For example, countries like Russia, China, Germany, France, Indonesia, and Vietnam (to name a few) require that their citizens’ data must be stored on physical servers within the country’s borders. They argue that it’s in the government’s and their citizens’ interest to protect personal information against any misuse, especially outside of the country’s jurisdiction.
Data Residency versus Data Sovereignty
To further complicate matters, there are two terms that are used interchangeably (but incorrectly) by many to mean the same thing – data residency and data sovereignty. In reality, they have slightly different legal meanings. When engaging with a SaaS cloud vendor, be sure to clarify whether their security protocols can support specific country residency or sovereignty:
- Data residency is where a business specifies that their data is stored in a specific geographic location of their choice. An example of a data residency requirement in action is where a company wishes to take advantage of a better tax regime.
- Data sovereignty differs from data residency in that not only is the data required to be stored in a designated location – usually due to regulatory requirements – but is also subject to the laws of the country in which it is physically stored. Data subjects have different privacy and security protections according to where the data centers are physically located. To take advantage of the protections of a country’s specific privacy laws, some nations require local storage for their citizens and highly regulate how or why the data can be accessed or moved out of the country. For example, if a German business collects the personal data of French customers, it will have to comply not only with the GDPR requirements but also with the French specific rules around country-specific storage.
Data sovereignty, then and now
Multinational corporations have been forced into following a complex environment of maintaining data sovereignty across many countries for decades. Archive360 has experienced this firsthand with a number of its international customers. For example, ten plus years ago, while assisting on an internal investigation at a Fortune 50 multinational, we requested old emails for several employees from a division in France. We were quickly told that they could not turn the data over, even to company representatives, to anyone outside the country without the “worker’s committee” approval. The reason – a long-standing French national data privacy law, the French Data Protection Act (DPA) of 1978 (revised in 2004), required that French citizen data must be stored locally and to be accessed, the citizen must be asked for permission.
That was over ten years ago. Today, with the arrival of the EU’s GDPR and the huge fines that go along with it, organizations that collect or sell the personal information of EU citizens are beginning to take a much more serious look at their data sovereignty requirements and capabilities. To date, there has been a total of € 359,205,300 of fines levied for GDPR non-compliance.
Location, location, location
The three largest public cloud vendors, Microsoft, AWS, and Google, have built cloud data centers in countries around the globe, specifically to address these data sovereignty issues. However, many second and third-tier SaaS cloud vendors either offer only one or two data centers or, if relying on one of the big three public cloud vendors for their cloud infrastructure, have contracted to use only one of their data centers. To compete for the data sovereignty business, a SaaS cloud provider will need to offer multiple data center locations based on local regulatory requirements or specify which data sovereignty regulations they meet – based on data center locations. Additionally, the SaaS service provider would need to offer data orchestration, i.e., allow the company to either manually or programmatically choose where data is stored based on geographic location, as well as incorporate access and security controls based on local regulations.
Questions to ask a prospective cloud vendor include:
- In what geographies do you have data centers?
- Data sovereignty regulations include the requirement that local (country) data retention laws are rigorously followed. What resources do you have to ensure compliance with local data retention laws?
- Does your solution offer automated or manual data orchestration capabilities?
- Does your solution offer geographic access controls?
Data Sovereignty and the GDPR
Besides the much-publicized “right to be forgotten” provision of the GDPR, the other obvious provision companies that collect EU citizen data are paying attention to is that of data sovereignty. The GDPR requires that all data collected on EU citizens must be either stored in the EU, so it is subject to European privacy laws, or within a jurisdiction that has similar levels of protection. Additionally, it applies to both data controllers and data processors. Whether your organization uses or provides a cloud service that processes EU residents’ data, your company is already directly affected and should have installed systems that meet data sovereignty and security requirements, created documented PI-handling processes, and begun employee training on GDPR readiness.
The UK’s Information Commissioner’s Office sets out seven key principles of the GDPR that should lie at the heart of an organization’s approach to processing personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality (security)
Data sovereignty and the courts
Litigation often spans country borders, but how is eDiscovery and data sovereignty handled when data is generated and stored outside the country where the litigation is initiated? Many countries have laws that stipulate data created in a particular country must also be stored in that same country. However, during litigation’s legal discovery phase, supporting content can be requested no matter where that data is stored.
A landmark case began in 2013, which collided head-on with country data sovereignty and corporate rights. American law enforcement sought data on a user of Microsoft services in relation to a drug trafficking case; Microsoft argued that the data in question was located exclusively in a data center in Ireland, and argued that the data held exclusively on Irish servers were not subject to U.S. jurisdiction. A federal court issued a warrant under the Stored Communications Act against Microsoft for both personal user data and email.
Microsoft challenged the warrant but lost. Microsoft appealed to the U.S. Second Circuit Court, who froze the warrant until a decision could be handed down. While the case was awaiting judgment by the U.S. Supreme Court, the U.S. Congress passed the Clarifying Lawful Overseas Use of Data Act or CLOUD Act.
The CLOUD Act states that companies must provide information properly requested by law enforcement, “regardless of whether such communication, record, or other information is located within or outside of the United States.” The passing of the Cloud Act finally decided the question of the federal courts and cross-border eDiscovery. In fact, Microsoft agreed with the Act and issued the following statement:
“We welcome the Supreme Court’s ruling ending our case in light of the CLOUD Act being signed into law. Our goal has always been a new law and international agreements with strong privacy protections that govern how law enforcement gathers digital evidence across borders. As the governments of the UK and Australia have recognized, the CLOUD Act encourages these types of agreements, and we urge the US government to move quickly to negotiate them.”
Multi-Cloud strategies and data sovereignty
Many companies have begun to consider multi-cloud strategies to help protect against cloud vendor lock-in. However, this strategy carries with it higher cost in the form of more systems to purchase and manage along with the associated regulatory and legal complexity, including where the data is stored and whether it can be legally moved once stored in a specific country under local laws.
Multi-cloud is the use of multiple cloud computing and storage services in a single heterogeneous architecture. This definition also refers to the distribution of cloud assets, software, applications, etc. across several cloud-hosting environments. With a typical multi-cloud architecture consisting of two or more public clouds as well as potentially additional private clouds, a multi-cloud environment aims to eliminate the reliance on any single cloud provider. Also, in a multi-cloud environment, synchronization between different vendors is not crucial to complete a computation process. However, the company must be able to stipulate storage locations – data orchestration.
For example, if an organization was running applications and services within a multi-cloud infrastructure with data centers scattered across geographies, they could be in violation of multiple nations’ data sovereignty regulations at the same time due to data center locations.
Data Sovereignty and SaaS usually don’t mix
Because of the distributed nature of the cloud, where data is stored may not be known to a customer or a Software as a Service (SaaS) provider may not be able to ensure storage in a specific geographic location. Furthermore, most SaaS cloud platforms are not designed with data sovereignty in mind. For example, many SaaS platforms are designed around a single data center - meaning SaaS cloud subscribers agree to store their data in the vendor’s cloud infrastructure – no matter where it is, usually in one or two countries.
To insure against misunderstandings, both the customer and SaaS provider must take extra precautions to ensure all data sovereignty requirements can be met. Potential SaaS customers should be aware of their data sovereignty requirements and ask the vendor for proof they support specific country laws. SaaS providers should limit their data sovereignty claims to only those countries where they have data centers, but it’s buyer-beware - misconceptions or down-right lies could expose your company to regulatory and legal liability.
To ensure you are getting exactly what you need for your data sovereignty requirements, ask SaaS cloud vendors the following basic data sovereignty questions:
- Where will my data be stored? Finding out where data is stored is not always obvious for the current generation of cloud and SaaS hosted services. Who decides on the geographical location of your data? Does your service provider have a mandate to request your consent to move your data interstate or even internationally? The world of distributed infrastructure running cloud services means that it is difficult to be sure as to the sovereignty of your data when it resides in the hands of a third party. Additionally, have backup copies been made, and where are they stored?
- Which local laws apply? With the distributed computing nature of the cloud, data hosted by SaaS applications can land in not-so-obvious places. While this practice may keep costs down for the customer (as well as the SaaS vendor), and make access to the data faster, it leaves the company’s data vulnerable to the foreign governments and their associated laws.
- Is my data subject to data privacy mandates? Do local country laws stipulate data retention and management and security mandates? When you move your data off the hosted service, can it be moved without violating data residency laws? Is there a secure destruction policy or process? What security controls are in place to protect your data from breach, etc.?
- Who owns the data? Organizations may not be aware of the ownership rights over data stored in different countries. Data that was protected by strong privacy laws in the EU may well not be protected in a different foreign jurisdiction. This can make legal challenges to data access hard to defend.
- How will my data be secured? When dealing with third-party SaaS providers, it can be difficult to know and be comfortable with the security of the data and services they control. The industry best practice is to ask the SaaS provider if they conduct annual security audits with external third-party security specialists and if yes, can they provide the last three years’ worth.
Archive2Azure plus Azure ensures your data sovereignty requirements are met
SaaS cloud solutions can be a great cost-saving solution for many companies, but, depending on your data retention regulatory requirements, may fall short, putting you at risk. Remember, not all clouds are created equally.
Unlike SaaS cloud solutions, the Archive2Azure intelligent archiving and information management platform is:
- Installed and managed within your Azure tenancy under your full control.
- Compatible with your security processes and protocols.
- Capable of harnessing Microsoft’s Azure data centers in (currently) forty-four geographies around the world.
- Able to allow you to designate the best compliant geographies to archive your data.
About Bill Tolson
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.