It’s no secret that we live in a data-driven world. But what happens when our data is stored in a country that isn’t our own? This is an increasingly important question as more and more businesses store their data in the cloud.
Data sovereignty is the term used to describe the legal jurisdiction over data and its associated activities. In other words, it determines which country has control over data generated by individuals or organizations within its borders.
So what are the implications of data sovereignty for businesses and consumers alike? And how can we make sure our data is safely stored and managed under these complex laws and regulations?
The need for data sovereignty
The European Union (EU) is a great example of how the issue of data sovereignty can play out on a large scale. As part of its Digital Single Market, the EU has a stated goal of allowing citizens access to “their” data across borders, with the aim of promoting free flow and portability. However, this is only possible if the data involved is stored within the borders of the single market, or at least subject to EU legal jurisdiction.
EU law already determines which country has rights over any piece of data associated with an individual citizen—so technically, it’s possible for an EU resident’s data to “belong” to several countries at once. At present, its legal status is essentially undefined, but it may become easier to resolve in future thanks to the General Data Protection Regulation (GDPR).
Under GDPR, there are two main categories of data: “anonymous data” that cannot be connected back to a specific individual, and “personal data” that can be. The former will not fall under the law, so data stored in a foreign country may be outside of its jurisdiction. However, any personal data stored within the EU must be protected to standards that meet GDPR requirements.
Even though this means it is subject to stricter regulation from one continent to another, this isn’t much consolation when you consider how many businesses are themselves multinational conglomerates. Google, for example, has data centers located the world over, with some even operating under their own laws due to special ‘free trade zones’ exempting them from local regulations.
At this time it’s unclear how virtual private networks (VPNs) and other tools used to secure your data will be affected by GDPR, but it’s safe to assume that the issue of data sovereignty will only become more complex as businesses combine technologies to meet the demands of an increasingly data-driven world.
What are the implications for corporations?
The obvious implication is legal—if your company stores or processes any personal data belonging to EU citizens, you need to ensure that it is not only compliant with GDPR, but also the laws of any country in which it operates.
In some cases, this can lead to genuine difficulties for corporations trying to comply with conflicting regulations. In other cases, multinational companies find loopholes that allow them to circumvent data protection rules as they see fit—Apple, for example, uses a subsidiary company to store data for its iCloud service.
This is another area where GDPR will have an impact. As well as making it easier to hold companies accountable, it should also encourage them to build data protection into their business strategies so they are fully prepared to protect customers’ privacy.
What are the implications for consumers?
For many people, the most important implication is security.
Google Drive, iCloud, Dropbox, and other cloud storage services are very useful tools, but they’re only safe if your data remains within your own country’s borders. If it doesn’t, then there’s no telling who might be able to access it or use it for their own ends.