Data Sovereignty and GDPR [Understanding Data Security]
Data sovereignty can cause confusion for many security professionals, so we are going to cover what it is and how it relates to your company’s data security.
What Is Data Sovereignty?
Data sovereignty is the concept that information, and the protection and management of that information, belongs to the nation or individual from which it originates. It is the belief that data that belongs to a French citizen, for example, should not be subject to U.S. laws and regulations just because the data is stored or processed by an American company. The American company instead should store the data in France and that data should be subject to French laws or European Union (EU) laws. This concept is becoming increasingly important in the digital age, as cloud computing and other services require personal data and confidential information to be transferred across borders.
Why Is Data Sovereignty Important?
Data sovereignty is important because it regulates how data should be governed and secured, specific to the country where it was collected and not where the collector resides.
Individuals benefit from data sovereignty, as they are assured that their data is secure and safe from outside interference or access. Data sovereignty can protect the data from unauthorized access or use and ensure that the data is not used for purposes that are not in the business’s best interest. Additionally, data sovereignty can assure companies that their data, as well as their customers’ data, will be secure and remain in the jurisdiction where it originated. This can make businesses more confident in using cloud storage and other digital services that require data transfer across borders. Finally, it can assure companies that their data will remain protected even if they change providers, as the data will remain within the same jurisdiction.
A business that fails to adhere to data sovereignty laws may be liable for any monetary losses that result from the data being accessed or misused. Additionally, the company may face legal repercussions for failing to comply with the relevant privacy laws. Reputational risk is another consideration. A business may suffer in the court of public opinion if current and prospective customers become aware of the company’s failure to protect customers’ data.
Organizations face several problems in interpreting data sovereignty. Sovereignty is a state-specific regulation requiring that information collected and processed in a country must remain within the boundaries of that country and must adhere to the laws of that country.
This can produce complex, interconnected, and conflicting laws that companies must follow. For example, a company collecting information in the EU might use Microsoft Azure or Google Cloud servers. Both are U.S. companies governed by U.S. law, which means that they could be subject to legal requests from the government to disclose that information, a violation of EU data privacy laws.
Data Sovereignty vs. Data Privacy vs. Data Localization vs. Data Residency
Data sovereignty, data privacy, data localization, and data residency are four interconnected concepts that play a significant role in the modern digital landscape. As the global flow of information rapidly expands, businesses, governments, and individuals must navigate these complex issues to ensure compliance with regulations and protect their privacy and intellectual property.
In a business world where international commerce and cloud storage are the norms, these types of situations can put organizations in incredibly challenging conditions.
Additionally, some terminology is often conflated with sovereignty:
- Data residency: Residency often refers to instances where a business or other organization stores information in a specific geographical location to find favorable regulatory compliance. This could include shifting locations to show that most of their business operations are in another country for financial reasons.
- Data localization: In the strictest of terms, localization refers to the requirement that data created in a specific location remains in that location. This can include compliance regulations, such as the European Union’s General Data Protection Regulation (GDPR), over personal data related to a country’s citizens that require organizations to keep that information in local servers and limit or forbid transmission outside of national borders.
- Indigenous data sovereignty: A branch of sovereignty, indigenous sovereignty applies specifically to the rights of indigenous nations in the United States, Canada, and Australia (among other countries) to manage the privacy of their own information.
Key Considerations and Challenges Surrounding Data Sovereignty
Data sovereignty refers to the concept that digital data is subject to the laws and regulations of the country in which it is stored. This means that when data is physically located within a country’s borders, the government has jurisdiction over it and can enforce its data protection policies. This principle is particularly important for organizations operating across international borders, as they must comply with each jurisdiction’s rules where their data resides.
Legal and Regulatory Compliance for Data Sovereignty
One of the main challenges surrounding data sovereignty is the need for organizations to comply with diverse legal and regulatory requirements in different countries. This may include adhering to data protection laws, industry-specific regulations, and international agreements. Noncompliance can result in significant fines, legal actions, and reputational damage, making it crucial for businesses to plan their data management strategies carefully.
Landmark Cases Establishing Data Sovereignty
The emergence of sovereignty as a legal concept on a global scale can be traced to the PRISM program, an observation and clandestine information collection program operated by the National Security Agency that was exposed by Edward Snowden.
PRISM and the U.S. PATRIOT Act
The National Security Agency (NSA) observes and collects information, including texts, images, movies, phone calls, social network details, and video calls across various platforms and providers. Beyond the program’s dubious legality, the U.S. was also collecting information from foreign nationals caught in the net.
Alongside the PRISM program, the U.S. PATRIOT Act gave the U.S. government the right to collect data from any server located physically within U.S. borders, which often included foreign information governed by different types of privacy and security laws.
Microsoft vs. The United States
While this case didn’t set any standards for data sovereignty into law, it did start the conversation. Another case, Microsoft Corp vs. The United States, served as a landmark for the concept.
In 2013, the U.S. Department of Justice sought to collect information from Microsoft servers concerning drug trafficking cases under investigation. Microsoft refused because the information was stored in a center in Ireland, outside (according to Microsoft) U.S. jurisdiction and subject to Irish data laws.
Microsoft lost the initial legal challenge but appealed to the 2nd U.S. Circuit Court of Appeals, which disagreed with the findings and sent the case to the U.S. Supreme Court. While the case was before the Supreme Court, Congress passed the CLOUD Act. This law stated, essentially, that a U.S. company must turn over information related to law enforcement regardless of where that information is stored. However, it added specific requirements for protecting the information of foreign nationals whose information exists in servers operated by U.S. companies in non-U.S. jurisdictions, specifically in cases where the U.S. has data-sharing laws in place with these countries.
The CLOUD Act also set standards for foreign countries seeking access to information housed in the U.S., pending oversight by U.S. courts and demonstration of legal and evidentiary merit.
How Does Data Sovereignty Relate to the GDPR?
The GDPR was enacted in participating EU countries in 2018, and set strict standards for protecting privacy and ownership of consumer information. These laws also covered sovereignty.
Under the GDPR, any information collected from citizens of the EU must reside in servers located in EU jurisdictions or in countries with a similar scope and rigor in their protection laws. This way, the information will fall under the strict security laws of the EU and citizens will remain under that protection.
Specifically, this law applies to both processors and controllers alike, which means that both companies collecting information and those offering services for data collection fall under this law.
What does that mean for providers and businesses outside of the EU? If you operate in the EU or serve businesses by collecting information from EU citizens, you fall under the GDPR. Violation of this regulation could result in fines of up to 4% of your total global annual revenue.
How to Approach Data Sovereignty With Cloud Service Providers
Needless to say, if you are working with an international customer base, or operating in foreign countries, then data sovereignty is an important aspect of your business.
With that in mind, there are several factors your organization should consider:
- Locations of servers: There should be clear and agreed-upon locations for storage and processing. Some cloud providers will attempt to divide cloud coverage by “region” to maintain flexibility, so the more specific these providers can be, the better.
- Local jurisdiction and privacy laws: Your organization should have a good understanding of the governing privacy laws applicable to that information. These laws could impact how that information is governed going into or coming out of that country, and whether those types of file transfers are even legal.
- Map data ownership and consumer rights: Alongside privacy and security laws, you should have a good understanding of consumer rights. For example, information protected by the GDPR gives ownership to the consumer, which means that these individuals can demand their information be provided to them or deleted. Regulations like the GDPR—or more recently the California Consumer Privacy Act (CCPA)—place strict limits on how that information can be processed and used.
- Determine information governance tools: Any cloud or service provider should also provide critical information governance features like comprehensive audit logs, retention, remediation tools, and advanced analytics.
Compliant and Secure Data Management With Kiteworks
The Kiteworks platform provides technology- and industry-agnostic security controls that meet the governance, compliance, and security requirements of almost any application. Features like immutable logs, secure file transfer, and business analytics support businesses juggling complex regulations while maintaining enterprise operations.
To support such operations, the Kiteworks platform has the following features:
- Security and compliance: Kiteworks utilizes AES-256 encryption for data at rest and TLS 1.2+ for data in transit. The platform’s hardened virtual appliance, granular controls, authentication and other security stack integrations, and comprehensive logging and auditing enable organizations to protect sensitive data while ensuring efficient governance and compliance.
- Secure file sharing: Kiteworks supports secure file sharing for third-party risk management (TPRM), enabling organizations to share confidential data, such as personally identifiable information (PII), protected health information (PHI), and intellectual property (IP), with third parties while remaining in compliance with industry and government regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), Federal Information Processing Standards (FIPS), and Cybersecurity Maturity Model Certification (CMMC), among others.
- SIEM integration: Organizations can keep their environments secure by integrating metadata from sensitive content communications with security information and event management (SIEM) data for single-pane-of-glass alerts, logging, and event response. Integrations include IBM QRadar, ArcSight, FireEye Helix, and LogRhythm, among others. Kiteworks also has integration with the Splunk Forwarder and Splunk App.
- Audit logging: Kiteworks provides immutable audit logging, enabling organizations to trust that they can detect attacks sooner while maintaining the correct chain of evidence to perform forensics. Since the platform merges and standardizes metadata from multiple sensitive content communication channels, its unified Syslog and alerts save security operations center (SOC) teams crucial time and help compliance teams prepare for audits.
- Single-tenant cloud environment: File transfers, file storage, and access to files occur on a dedicated Kiteworks instance, deployed on premises, on Logging-as-a-Service resources, or hosted in the cloud by the Kiteworks Cloud server. This means no shared runtime, databases or repositories, resources, or potential for cross-cloud breaches or attacks.
- Data visibility and management: The CISO Dashboard in the Kiteworks platform gives organizations an overview of their data: where it is, who is accessing it, how it is being used, and if it complies. Help your business leaders make informed decisions, and your compliance leadership maintain regulatory requirements.
Get more details on how Kiteworks enables organizations to manage data sovereignty, centralizing metadata for all sensitive content communications in one pane of glass by scheduling a custom demo today.