Stay in charge of data sovereignty within your company

An increasing number of countries have created privacy laws for both personal data and corporate data. As an organisation, this makes it necessary to regularly review and, if necessary, adjust your data operations and policies.

Written by Iris Nicolaas &
Posted on 19-09-2022 2024

The General Data Protection Regulation (GDPR) established by the European Union in 2018 is considered the most far-reaching data privacy regulation and has inspired more than 100 countries (the counter stood at 145 in September 2021) [1] to enact similar laws. New legislation around data sovereignty could impact your business even more, especially if effective data management strategies and tactics have not been implemented.

Data sovereignty is the legal concept that data is subject to the sovereign laws under which the data is collected and stored. Imagine, for example, that you buy a pair of running shoes from an online shop from the Netherlands called Rotterdam Runners. The collection, possession and use of the data generated by the online purchase falls under both Dutch and EU data sovereignty regulations. These rules protect privacy by preventing unauthorised entities from accessing the data.

Next, let us assume that Rotterdam Runners has an online shop on a Public Cloud infrastructure, where - like almost two-thirds of all European Public Cloud users - they use a Public Cloud from a US company. US data and communications companies are subject to the U.S. CLOUD Act of 2018, which states that companies must be able to deliver court-ordered stored data from their customers or subscribers, from any server they own or operate - regardless of the physical location of that server [2]. So even if the server of the US Public Cloud provider on which Rotterdam Runners' website is hosted is located in Amsterdam, it no longer complies with EU data sovereignty rules, because of this U.S. CLOUD Act.

Public Cloud and data sovereignty rules therefore seem to be at odds. Yet it is not necessary for companies like Rotterdam Runners to drastically decide to stop using Public Cloud services.

Not all data is equal and some data is not covered by privacy laws. For this reason, it is worth classifying data to determine which data needs which level of protection. According to the Carnegie Mellon University guidelines, data can be classified into three categories [3]:

  • Public – public data for general use, not subject to privacy regulations.
  • Secret – highly confidential data, administrative data, top and state secrets that require the highest level of security and are usually covered by strict regulations.
  • Confidential – data covered by privacy rules, such as personally identifiable information (PII), corporate data and intellectual property. This is often the default choice for data that is not explicitly classified as public or restricted.

Based on these three data categories, the Public Cloud seems ideal for public data, such as the public part of the Rotterdam Runners website or stock data. It is only storing confidential data in the Public Cloud, such as your address and payment details, that causes problems for Rotterdam Runners in terms of data sovereignty and privacy.

How can organisations like Rotterdam Runners and yours collect and use confidential data while remaining compliant with local data sovereignty rules? One option is a Private Cloud. A Private Cloud is managed and owned by a single organisation where data is stored on local servers. But managing and owning several local data centres is costly and complex, especially for multinational organisations. And smaller companies, such as Rotterdam Runners, often do not have IT staff to maintain their own Private Cloud.

Another option is a sovereign Cloud. This can be seen as a semi-private Cloud, combining the best functionality of a Public and Private Cloud. Sovereign Clouds are smaller, multi-tenant environments managed by an experienced, local Cloud provider. They comply with local data storage and data sovereignty rules without the overhead and complexity of owning and managing one's own local data centres.

Because all data - including metadata - is stored locally in a sovereign Cloud, only local laws apply and foreign powers have no access. This way, your organisation has total control over the data. Moreover, a sovereign Cloud makes data migration to other countries easier, a topic covered later in this series.

This series consists of four blog articles: every week we will publish a new one.

  1. Global Data Privacy Laws 2021: Despite COVID Delays, 145 Laws Show GDPR Dominance – Pg3, SSRN, Graham Greenleaf, University of New South Wales, Faculty of Law, September 2021
  2. Wikipedia, Cloud Act, August 2022
  3. Carnegie Mellon University, Guidelines for Data Classification, February 2021
