Understanding data sovereignty in the internet age
The concept of data sovereignty refers to the idea that the data stored in a data center is subject to the laws of the country in which the center is physically located. Such laws control how the data to which they pertain is collected, stored, accessed, and shared.
Although research from Harvard University's Kennedy School of Government characterizes data sovereignty as "the way that nation states assert control over data on behalf of their citizens and inhabitants," it is not solely a matter of political power. Businesses and individuals can benefit from the concept as well—the former through more thorough control of a lucrative resource; the latter via increased privacy protections.
Data sovereignty laws cover two notable concerns that are sometimes confused for their parent category:
- Data residency: This term refers strictly to the literal physical location of data, based on the location of the hardware—servers, external drives, and so on—that stores it. Taking advantage of less restrictive tax laws is a common reason for organizations to establish data residency in nations beyond their home countries.
- Data localization: Regulations of this kind stipulate that data generated within the borders of a particular country must remain there in some form. Often, retaining a copy of the data in question within that country will satisfy these local data storage requirements, though not always. Most information governed by data localization regulations is personal data, but some countries apply them to accounting, tax, and gambling data as well.
As organizations continue to move more and more data to the cloud, data sovereignty's importance has steadily increased. In a survey of IT leaders conducted by Insights for Professionals, nearly 50% of respondents cited "data sovereignty, residency, and control" as a major cloud security concern, behind only internal cybersecurity incident response and regulatory compliance.
Major data protection and sovereignty regulations
Many national and regional governments already have data sovereignty laws in place, and more will likely follow suit in the years to come. The following are some recent and notable sovereignty regulations:
General Data Protection Regulation (GDPR)
The GDPR is arguably the best-known data sovereignty and protection regulation, adopted by the European Union (EU) in 2016 and enforced since 2018. It establishes strict data security and privacy standards for all data related to people residing in the region. It affects nearly all enterprises: Even those that don't have EU branches must process EU-based individuals' or organizations' data in the course of doing business.
GDPR compliance violations can be crippling. The maximum fine for a breach or other form of unauthorized data access is €20 million—about $22 million USD—or 4% of annual global revenue, whichever is higher. The latter provision leads to massive numbers like the 2021 fines for Amazon and WhatsApp: €744 million (approximately $841 million) and €225 million (about $253 million), respectively.
California Consumer Privacy Act (CCPA)
The CCPA gives considerable sovereignty to California residents over their personal information and its commercial use. It applies to any organization that conducts data collection related to California residents, does business in the state, and earns more than $25 million in annual gross revenue. Given that the state is the world's fifth-largest economy and headquarters some of its biggest companies, that umbrella covers a great deal of enterprises. The associated fines are much smaller than the GDPR—$2,500 for each unintentional violation, $7,500 per intentional violation—but can add up quickly.
An update to the Stored Communications Act (SCA), this U.S. legislation allows the Justice Department to subpoena American-based companies for data stored in foreign infrastructure. Foreign governments can also use it to request access to data stored by tech companies in the U.S. However, the CLOUD Act doesn't supersede the local laws of other countries, according to IDC analysis. Thus, its effectiveness in asserting data sovereignty remains largely untested.
Russian Federal Law on Personal Data (OPD-Law)
The OPD-Law is most notable for its incredibly strict localization requirements. Any personal data of Russian citizens can only be collected, recorded, stored, cataloged, updated, modified, retrieved, and extracted in databases physically located within the Russian Federation. Violations can incur fines ranging between $13,000 and $80,000, and repeat offenses max out at $240,000.
Balancing consumer data and business concerns
The simple answer to the question "Why does data sovereignty matter?" might be "to stay compliant and avoid penalties." And compliance is certainly among the major reasons why this concept is important, but it certainly isn't the only reason.
Enterprises operate in a world where any technical failure they experience—e.g., a data breach, or a simple configuration error leading to a service outage, as befell Facebook late last year—almost instantly makes headlines and angers consumers. These issues have massive financial ramifications—like Facebook losing $6 billion in a week. But perhaps more importantly, they can lead to a loss of customer trust, even if they're not attributable to corporate irresponsibility or deliberate data misuse.
Organizations absolutely must take customer satisfaction and retention into account when devising data management and protection strategies. At the same time, initiatives devised to establish compliant sovereignty of data should benefit the business in tangible ways if this is at all possible: increased cost efficiency, lower costs, more efficient storage, better performance for business-critical apps, and so on.
How to ensure data sovereignty from the cloud to the data center
Devising a data sovereignty strategy that addresses compliance requirements, consumer needs, and business priorities will require collaboration—between data teams, information security personnel, legal counsel, and key C-level stakeholders, among others.
Start by having a data protection officer inventory all data across cloud and on-premises infrastructure and identify any assets that may be stored in a noncompliant manner. Anything that isn't where it ought to be—e.g., a database of EU customers' financial information hosted in legacy on-premise infrastructure that lacks sufficient protection—must be migrated promptly.
For cloud-based data, the onus of ensuring proper data sovereignty falls not only on enterprises themselves but also cloud service providers. The "Big Three" of public cloud—AWS, Microsoft Azure, and Google Cloud—all have data centers flung across the globe, but plenty of organizations also work with smaller vendors for specific needs. Maintaining relationships with those third parties will require renegotiation of the service-level agreement (SLA) to ensure sovereignty regulations are observed, or shopping for a new cloud provider if compliance can't be guaranteed.
Multi-cloud and hybrid multi-cloud deployments are ideal for data management in an age where sovereignty is a major concern. With the former, you can restrict sensitive data to the most secure of your various clouds. Meanwhile, the latter allows you to hold the data in need of greatest protection within physically and digitally secure on-premises infrastructure, while using cloud resources to store less sensitive data at scale.
The visibility into your organization's data that a cloud-ready data analytics platform like Teradata Vantage can offer will greatly benefit the implementation of data sovereignty measures. To learn more about our platform capabilities, read Gartner's Magic Quadrant and Critical Capabilities reports, both of which identify Teradata as a cloud analytics leader.