The 3 New Rules for Data Sovereignty: Location, location, location
Real estate isn’t the only kind of business where location matters. Since Edward Snowden revealed the extent of the U.S. government’s spying on private citizens, data localization or data sovereignty has been a hot topic in data security and IT management, especially for global companies.
The ability to locate and segregate customer data now matters a great deal to U.S. companies because of recent developments in data privacy and data sovereignty laws, particularly in the European Union (EU), Russia, and Canada. Citizens in these countries want their personal data to be private and safe from unauthorized collection. Their governments recognize the right of their citizens’ privacy and also recognize the right of data sovereignty—the right of countries to hold data within their borders. In some cases, governments are passing new laws that require data localization.
Data privacy, data sovereignty, data localization – for any global organization with consumer data, it’s important to understand these concepts and the requirements they create for IT investments and operations. Here’s a quick primer on all these terms and why they matter.
Data Privacy vs. Data Sovereignty vs. Data Localization
Data privacy refers to the confidentiality of data. Keeping data private means keeping it out of the hands of anyone unauthorized to read the data or change it. For example, the U.S. Health Information Protection and Availability Act (HIPAA) mandates that healthcare organizations and their business partners keep patient data confidential. The only people authorized to see a patient’s data are the patient, his or her healthcare providers, and the relevant insurance payer. In this regard, HIPAA is a data privacy law.
Data sovereignty refers to who has power over data. Webster’s Dictionary defines sovereignty as extreme power, especially over a political body, and freedom from external control. When applied to data, sovereignty generally refers to the principle that data stored in a country is subject to the laws and regulations of that country. For example, data stored in the United States is subject to the laws of the United States, and data stored in Germany is subject to the laws of Germany. There exists an additional layer of protection in the fact that Germany and 27 other European nations are members of the EU. As a result, the private data of EU citizens falls under the sovereignty of the EU as well as under the sovereignty of their individual nations.
Data localization refers to where data can be located. Some data sovereignty laws, such as the On Personal Data (OPD) Law that recently passed in Russia, not only specify who has power over data but also mandate that any data pertaining to a country’s citizens must physically reside in that country. In Russia’s case, as of September 1, 2015, if an organization has personal data about Russian citizens, that data must reside in data centers or other facilities within the Russian Federation. The OPD Law is a data localization law.
As a showdown between U.S. intelligence agencies and EU regulators looms over access and storage of data, precipitated by the recent invalidation of the Safe Harbor agreement by the European Court of Justice (ECJ), the role of “location” in data security and privacy is coming to the forefront and it’s imperative for businesses to understand the implications for conducting business in Europe.
With the Kiteworks secure file sharing and governance platform, organizations leverage the highest levels of security and control to comply with data sovereignty regulations. To learn more, schedule a custom demo of Kiteworks today.