Data Sovereignty in A Regulated World

Under the more frequent use of the term, data sovereignty is the concept that data is under the jurisdiction of the country where it physically resides.

3 February 2016

Data sovereignty can mean different things to different people. Some take data sovereignty to mean that nations can have its data treated under its laws. However, what constitutes “its data?” Though many people may contract around and talk about ownership of data, there is no clear consensus on who “owns” data unless you’re talking about copyrighted works, to which the label of “copyright owner” applies. Nations can claim their citizenry and thus may attempt to claim ownership to information about their citizenry. At least in the United States for example, the state of Massachusetts claims jurisdiction over data breaches involving its citizens’ information, regardless of the company’s locale. Russia’s new data protection law takes a similar view that covers services that deliberately collect or process the personal data of Russian citizens.

Under the more frequent use of the term, data sovereignty is the concept that data is under the jurisdiction of the country where it physically resides. This does not preclude a sufficient nexus for another country to assert jurisdiction, but it does make for a much more practical jurisdictional claim because the country’s law enforcement can physically seize servers in their country.

Data localization

Many countries are attempting to bridge the gap between these definitions by restricting the cross-border flow of information outside of their borders. European countries that subscribe to the Data Protection Directive prevent trans-border information flow about individuals, unless the recipient country has laws with similar characteristics to the European model. This memetic characteristic ensures a form of jurisdictional control over the post transferred information. Australian firms were aflutter in 2014 over changes to the Australian Privacy Principles, which required recipient firms receiving data (even though outside Australia) to be compliant with the principles. Binding Corporate Rules, one mechanism for accepting data of Europeans under a ruling of the Article 29 Working Party of the Data Protection Directive, requires that a recipient firm subject itself specifically to a data protection authority in Europe.

Some countries are taking it a step further, requiring that data on their citizenry must be stored and processed in their country or in the most restrictive model, and must never leave the country. Russia has taken the former approach with their recently enacted Federal Law 242-FZ. That law requires for information on citizens must be processed in country (in a so called primary database) though transfers to other countries (secondary databases) are permitted. Brazil considered going even a step further with its Marco Civil da Internet (Internet Civil Rights law). That law would require that personal information of Brazilian citizens remain in the country and would prohibit export to other countries. Other countries have similar laws but only around much more narrow categories of persons and industries, such as China’s requirement that data on government personnel remain in country.

Either approach could be called data localization, a requirement for data to be housed locally in country. The justifications for such a requirement are often portrayed as meant to protect the data privacy of citizens. This was especially true after the Snowden revelations documented widespread surveillance and data collection by the U.S. National Security Agency around the world. However, the underlying reasons are much less noble. Countries want data sovereignty. In other words, they want jurisdictional control over information about their citizens. They don’t want to have to rely on foreign entities complying with government demands and requests. In an information age, control over one’s populace requires knowledge about them. Another unstated justification is pure economic protectionism. By requiring data to be stored and processed in country, the host country necessitates the growth of its domestic information technology industry.

Technological mitigations of data sovereignty issues

There are a couple methods of avoiding a nation claiming ownership over data. The most obvious approach is to resist storing, transmitting or processing information in that nation. Except for the United States’ extraterritoriality claims in the Microsoft case, few nations seek to control information outside of its borders and not involving its citizenry. Thus, keeping data off a country’s soil, reduces their efforts to obtain the data, at least through legal and judicial channels. Keeping data in the country of origin also complies with any data localization requirements. However, this approach can be difficult for countries with multi-national operations. Maintaining separate infrastructures to comply with localization requirements and avoiding territorial claims over information can be costly and runs counter to centralization of activities in an effort to gain economies of scale. Some of the larger cloud providers, though, do offer regionalized versions in an effort to support compliance obligations.

Encryption can also serve as a potential mitigating technology. However, care must be taken such that encryption keys are not accessible from the country where the encrypted data is to be held. Using format preserving encryption can allow software expecting certain structured data types to process data absent the actual information. Encryption can be problematic as many countries restrict its use, so care must be taken not to run afoul of local laws. It remains to be seen if data encrypted in one country and stored in another would be illegal, since it’s often the encryption technology and use that is restricted, not the data itself. Another open question is whether encrypted data that leaves a country would sidestep localization requirements. Consultation with local counsel is imperative in these cases.

Ultimately, there is no magic bullet solution. Companies must be aware of the local nuances in laws where they operate. Failure to do so could result in fines and penalties. As with many things in business, a risk-based approach is often the only approach. You need to properly identify those risks and mitigate them to the extent you can. In regard to data sovereignty and privacy requirements, companies must educate their workforce, modify their processes to meet new demands, and implement technology solutions that cover the whole content lifecycle — data at rest, in motion, and in use.

R. Jason Cronk

R. Jason Cronk

Privacy Engineering Consultant

R. Jason Cronk is a privacy engineering consultant with Enterprivacy Consulting Group, a boutique privacy consulting firm, where his current focus is on helping companies overcome the socio-technical challenges of privacy through privacy engineering and Privacy by Design. He is a CIPP/US, a Privacy by Design ambassador, a licensed attorney in Florida, an author, blogger, speaker and passionate advocate for understanding privacy.