Data sovereignty inherently refers to digitally stored data being subject to the jurisdiction of the country, and/or the authority of the law, where it is geographically located. In other words, it is more important to decide which legislature is applicable than what law applies to the data in question. Data sovereignty has always been a bone of contention but has come into the limelight recently due to an increase in the offshoring of data centers and the popularity of cloud computing. Technological advances have led to rapid globalization, with political borders diminishing in importance for business transactions and procurement strategies. Moreover, enterprise confidence in cross-border IT services is consistently on the rise, driven by multiple factors such as cost benefits and better access to skills. It is important to delve into the following factors in order to understand the challenges imposed by the change to the business environment and to comprehend the legal dimension associated with data sovereignty.
- Client: The entity where the requirement originates and the consumer of the IT services. A prerequisite is that the data should be located outside the jurisdiction that the client is subject to.
- Service Provider: The IT service provider (i.e., Offshore Data Center for services, Cloud Computing vendor, etc.)
- Client Country: The country whose jurisdiction and laws the client (organization) is subject to.
- Host Country: This is where the data is physically located. The data is subject to the host country jurisdiction and laws.
- Data: This is information stored in a digital format and geographically stored outside the client jurisdiction.
How Data Sovereignty Came About
Offshoring and globalization have blurred the traditional geopolitical borders more than ever. However, the challenges are felt more in ITO and OBP, as sensitive and valuable information, business knowledge, intellectual property, and security are at stake. Data sovereignty applies when the client’s data is located outside the jurisdiction that applies to the client. The main drivers of data sovereignty are data center services and cloud computing.
Data Centers Offshoring
Acquiring the services of a third party to complement and facilitate business activities is not a new phenomenon. In fact, IT outsourcing dates back to the early sixties. Despite the economic decline in the U.S. and Europe over recent years, the growth in IT offshoring has been steady over the last five years, with global growth currently at 12.95%. Data center offshoring constitutes 10.67% of the global IT services being offshored.
Software development and testing were some of the earliest functions to be offshored. However, IT offshoring trends are changing, with new services such as requirements analysis and cloud computing appearing among the top seven offshored IT services. Cloud computing represents 14.58% of the global IT services being offshored.
Cloud computing has put emphasis on data sovereignty. When a client uses a software-as-a-service (SaaS) cloud, the service provider owns the infrastructure used to host and manage the data. The service provider's infrastructure could be located anywhere. However, in some instances, the client may have mandated that the service provider store and manage the data in a specified jurisdiction.
Concerns and Challenges of Data Sovereignty
In essence, the concerns are (1) which jurisdiction applies to the data, (2) security, and (3) privacy law.
Which Jurisdiction Applies? Technically, the jurisdiction of the host country is applicable. However, the answer to data sovereignty is very subjective and can only be decided on a case-by-case basis. Even though contractual agreements exist between the client and the vendor that cover data privacy and security, they are not necessarily an effective protection and might fail to deliver the desired result in a legal battle. The contractual arrangement becomes obsolete vis-à-vis the law of the sovereign of the data. The authority of the jurisdiction overrides the validity of the agreement.
The client and the vendor could be caught in the middle of a legal wrangle if the authorities of one of their respective countries claim a right to access the data for a legitimate reason (e.g., national interest, criminal investigation, etc.). If the host and the client countries have conflicting data laws, then it can even get theatrical.
The backdrop of this case is the revelation in 2006 of a secret program launched by the U.S. Treasury, which involved an analysis of worldwide financial transactions. The analysis was to use data sourced from the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a consortium headquartered in Belgium. SWIFT operates through two data centers, one located in the United States and the other in the Netherlands. Europe expressed its unhappiness over the violation of the data privacy laws applicable to its jurisdiction and compelled SWIFT to segregate the data storage facility for the European records.
The United States Treasury gained access to the data center on its soil because data sovereignty was upheld on the basis of where the requisite information was located. This consequently led various nations to introduce new legislation to safeguard their privacy and sensitive information. In March 2014 Australia introduced new laws to govern the ‘disclosure’ by Australian organisations of personal information to overseas recipients. However, this does not imply the data must stay in Australia. The law in most cases does not mandate that the data must remain where the end customer is. Arguably, access to data is subject to the host country law.
This can well be cited as a deciding case that defines the absolute rights and jurisdiction of the sovereign client vis-à-vis the third-party jurisdiction where the data is eventually hosted. This has also helped define the fundamentals of data sovereignty.
It Is Complicated!
Once the data is in the cloud or in an offshore data center, the client has little or no control over it. However, the client remains accountable for security and privacy under the jurisdiction that applies to it.
Data sovereignty has been around since the first bits and bytes of data were transferred to offshore data storage facilities. But the transition to the cloud service model has greatly exacerbated the potential for problems in the changed business environment. Moreover, when the customer is a government (for instance, the federal government), the difficult sovereignty issues become even more complex with the infusion of political concerns.
The client’s main challenge is to meet its jurisdiction's compliance requirements while it has no direct control over the data. The client and vendor agreement is absolute vis-à-vis each party with respect to the applicable law and authority. However, conflicting data privacy laws between the client and provider countries make it complex to determine which law should be upheld. This is where sovereignty of data is instrumental in deciding the jurisdiction that should apply on a case-by-case basis.