Skip links

Just how critical is data sovereignty?

Sponsored Feature We hear the term data sovereignty more and more these days. That’s strange in some ways because the rules for flinging data around the world have been a challenge for decades – particularly since the internet hit critical mass in the late 1990s and early 2000s and international data transfers went from being a rarity to the norm.

Before we explore the reasons for this, let’s just define the term in the interests of clarity. One of the better definitions describes it as “the concept that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located”. But what does that actually mean? Simple: if I’m a British firm that collects data here in the UK, and stores it on a server in a different country, the laws of that country may entitle someone (such as the country’s government or law enforcement agencies) to access that data, possibly to a greater extent than UK law would have allowed had I stored it in (say) a London data centre.

And taking it a step further, say I decide to collect private data pertaining to UK citizens and store it on a US-based cloud provider’s architecture in Amsterdam. From a data protection point of view (noting that data protection and data sovereignty are different things) this is fairly straightforward, as the UK and EU regard each other’s data protection legislation as “adequate” for the safe processing of personal data. But what if a US court demands the cloud provider – an American company – provide it with a copy of your data from its Netherlands-based servers? Surely their hands are tied, and they have to do so?

That’s a trickier question to answer than you might imagine so we’ll come back and address it in a moment. But for now let’s go back to why this whole concept of sovereignty is a problem all of a sudden. And just like the old pre-Brexit days, we get to blame the EU for something it did on 14 April 2016: it passed Regulation 2016/679, which we now know as the General Data Protection Regulation, or GDPR.

In the two-and-a-bit years between that date and GDPR coming into effect in May 2018, the people of Europe – and the world, for that matter – were educated rapidly and loudly, and became far more aware of, and knowledgeable about, the risks associated with the misuse of personal data. Despite data protection legislation having been around for years previously, the watershed had been crossed.

Yet if you read the text of the GDPR you won’t find the word “sovereignty” in there at all. So how come so many people are worried about the question we posed a paragraph or so ago? Easy: because the internet chat and press coverage around GDPR and its implications soon got readers thinking. And it didn’t take long for people (particularly those that watch US crime dramas where Feds subpoena data centre companies for access to stuff) to realise that the data being requested might be theirs. Oh, and it also didn’t help when Safe Harbor and Privacy Shield, which were all about safe data sharing between the EU and US, both collapsed into separate heaps.

There is, however, some light at the end of the tunnel. For example, if you strongly encrypt your data on your US provider’s Amsterdam cloud installation, all the provider has to dish up to the US authorities is the encrypted version, as there’s no tangible way for them to decrypt it. And if the US court wants to chase you for the plain-text version, then short of an extradition order you can tell them where to go.

We’re wondering, then, how significant data sovereignty is to our readers’ organisations. And to this end, we’d love you to take just a moment to answer the two questions above. We’ll give it a few weeks to get a critical mass of answers, and will then summarise what you’ve told us.

Thanks, and we look forward to your insight.

Sponsored by Intel.