Confused About Data Sovereignty? You Certainly Aren't Alone
Research by Ovum (sponsored by Intralinks) indicates there is confusion about data sovereignty, particularly around the simple concept of "where data is".
3 March 2016
In continuing our look at the results of the Intralinks-sponsored Ovum research report Data Privacy Laws: Cutting the Red Tape, we turn our attention to the contentious issue of data sovereignty (sometimes called data residency). The research indicates there is considerable uncertainty and confusion over the seemingly simple concept of "where data is".
The first point of contention is that there is no universally accepted definition of "data sovereignty" that provides enough clarity for organizations to act upon in a legal context. For example, consider this definition: Data sovereignty is the concept that digital data and information is subject to the laws of the country in which it is located and/or created. The problem is, data can be created in one geographic location and located (i.e., stored) in another. So under this definition, which condition takes precedence in order to apply jurisdiction over treatment of the data? Where the data is located, or where it was created? There's no simple answer.
The Ovum research report points out that data location is the critical point of control in terms of access to the data, but even that is hard to define. As the report says, "The ability to exert sovereignty over corporate data (to control access to the data) and achieve compliance is heavily dependent on the data's location, because its location is a factor in determining what legislation the data is affected by, and the level of access that should be available. Exerting control over data location is a considerable difficulty for many organizations, because most systems do not support the concept of data location being a business-related decision, and especially not cloud-based systems."
I'm going to muddy the waters even further by bringing in the notion of where data is controlled, which can be different from where the data is actually located (stored). For example, data can be encrypted and stored in the cloud. The cloud provider typically determines where the data is physically stored; in other words, where the data centers that hold the data are. But it's possible for the owner of the data — the cloud provider's end customer — to completely control the encryption keys in its own preferred location, either on premises or in the cloud. The data can't be decrypted where it is stored (call it location A) without access to the keys, which may be stored in location B. Therefore, access to the data is controlled from location B, where the customer has stored the keys. If locations A and B are different countries that both have data residency requirements, which country's law has jurisdiction over the data?
Now let me throw one more twist into the discussion. The recently finalized text of the European General Data Protection Regulation gives an individual person (called a data subject) strong rights over what happens to his or her personal data. If that data is collected from the individual and put under another entity's control, that data controller must provide a means for the data subject to request access to their data, rectification, erasure and the right to withdraw consent for the data's use. Furthermore, data subjects should have the right to have their data erased and no longer processed by withdrawing their consent for processing. With these kinds of requirements in place, any entity that controls personal data has to know precisely where that data is in the event that a data subject requests access to it or asks to have it erased.
All of these considerations make it exceedingly difficult for companies to develop a comprehensive approach to how and where data is accessed and stored.
The Ovum survey asked respondents about their current and possible approaches to tackling data privacy and sovereignty. The results in the table below show what companies do today and what approaches they are considering. You can see there's a subtle shift toward making the data privacy decisions based on the logical rather than physical location of the data; i.e., where control over the data is exerted, such as where encryption keys are stored.
These results indicate there is currently no clear-cut approach to how companies think about and implement data privacy decisions where data residency is concerned. However, there seems to be a growing interest in thinking about the logical location of data as opposed to the physical location. This speaks to an increasing focus on defining the location where data can actually be accessed as the place where customer-managed encryption keys are stored.
Coming up in a future post, we'll talk about Intralinks' multi-faceted approach to data sovereignty — one that is not dependent on regional legislation that can force enterprises to rethink their whole data privacy strategy. Intralinks is taking a flexible approach that provides customers with choices that don't have to be reconsidered every time a regulation is issued or updated.
Deema Freij is SVP, Deputy General Counsel and Global Privacy Officer, based in Intralinks’ London office. Deema oversees global data governance within the company and is responsible for further strengthening the company’s worldwide focus on data privacy and the regulatory demands placed on its customers. Deema brings almost two decades of experience in the legal profession. Prior to joining Intralinks in 2011 as Legal Counsel, EMEA & APAC, she spent seven years as a legal consultant.