Data Sovereignty and International Law Gets Complicated

As a business owner, you may well feel that you are the rightful owner of your data. While that is true in some sense, you should be aware of the international laws that exist now, and take a look at the tangled web of international regulations still to come, which promise to make the situation far more complicated.

Data sovereignty laws govern all digital information stored in a specific country. Where your data is stored determines the regulations that your data, and the company storing it, are ultimately subject to. The concern now centers on privacy regulations that aim to prevent data stored in a foreign country from becoming accessible to the government of the host country. In other words, data sovereignty rules are meant to keep the local government from exercising subpoena powers over that digital information.

A Threat to Cloud Storage?

[Figure: DDoS incident map for July 11, courtesy of Digital Attack Map]

The power of cloud storage lies in its potential to offer people a standardized and simplified process that eliminates geographic and physical borders. The innovation prompted by the freedom of cloud storage relies on its capability to provide three streamlined fundamentals: access at any time, from any capable device, and from any physical location. Flexibility continues to be the driving force behind its rapid implementation and adoption.

The threat of regulatory control essentially binds cloud services and computing technologies across the globe, including object storage, because of data access regulation. There is also a domino effect played out across countries in response to one country's security measures and privacy actions. For example, after the U.S. enacted the Patriot Act, which gives governmental anti-terrorism agencies access to company data stored in the U.S., other countries began introducing their own compliance regulations and prerequisites, with incentives to move data back to storage providers within their own borders. Today, a number of country policies demand that customer data be kept within the customer's country rather than the country where the company is incorporated.

These regulations then mandate that companies duplicate data just to comply with each country's laws. Ensuring and verifying that the digitized data is present in all 'legal' locations can be extremely daunting and costly. Besides the data mining complications, this scenario adds risk, because company data is now stored across more cloud storage providers, each with their own security and process requirements. To complicate matters further, not all cloud storage providers adhere to data sovereignty compliance regulations and SLAs (Service Level Agreements), which could affect performance and security.

The Safe Harbor Agreement

Safe Harbor was a data sovereignty agreement signed in 2000 between the European Union and the United States Department of Commerce. The agreement governed the flow of data between the two bodies, allowing U.S. organizations and companies to legally export and manage personal data of European citizens.

The agreement outlined a single set of data protection requirements for exporting and importing data across countries. It specified that organizations managing the data must inform citizens that their data was being collected, how that data would be used, and that the information gathered would be secured. These notice and security obligations became a powerful element in establishing compliance.

This compromise legislation responded to the European Commission Directive on Data Protection (ECDDP). The agreement ran smoothly until the European Court of Justice (ECJ) abolished Safe Harbor in 2015, declaring that all 28 countries in the EU should have the right to determine the proper usage of their citizens' data and how it is collected. While the ruling does not by itself prohibit the transfer of data from Europe to the US, it does give each participating country the right to suspend the transfer of information gathered from its citizens if that country suspects the US is not adequately providing the security promised.

The Bottom Line

Since the Safe Harbor Act was abolished, there are even more jurisdictional questions, complicated by the likelihood that data sovereignty regulations will be introduced with ever greater frequency. If you handle and protect data outside the legislative boundaries and parameters of the act, you may be subject to the penalties set by the sovereign state for a certain length of time, making the cost of a data breach that much higher.

While you do own your data and are ultimately responsible for data security, it becomes that much more vital to conduct periodic reviews with your network security teams as well as your storage provider. You need to be aware of the current regulations in the countries where your customers reside, and ensure your cloud storage partner is well ahead of security and regulatory considerations. There are no easy answers on the horizon, and with current political changes in the EU, it may be some time before we see the likes of a Safe Harbor Act II.