What is data sovereignty?

Data sovereignty is the idea that data is subject to the laws and regulations of the country or region where such data originates.

Learning Objectives

After reading this article you will be able to:

  • Learn the concept of data sovereignty
  • Compare data sovereignty, data residency, and data localization
  • Understand how data sovereignty and data residency can affect privacy compliance programs

Copy article link

What is data sovereignty?

The term “data sovereignty” refers to the idea that data — such as intellectual property, financial data, or personal information — collected or stored in a particular geographic location, such as a specific country or the European Union (EU), should be subject to the laws of that location. Whether people are entering credit card information into an ecommerce website or posting comments on a social media platform, data sovereignty rules aim to ensure that this user data is regulated by the legal framework in place where those users are citizens.

The broad concept of data sovereignty is often intertwined with questions of data privacy, government access to data, security, international business competition, and human rights. Some data sovereignty paradigms seek to make sure that data generated in one jurisdiction physically stays in that jurisdiction. Others seek to make sure that the legal protections guaranteed to data generated in a jurisdiction will follow the data even if it is processed or stored in another jurisdiction. Still others seek to make sure that data generated in a jurisdiction at a minimum remains available to law enforcement in that jurisdiction, regardless of whether it is also processed or stored elsewhere.

Almost every country has some kind of data protection law that provides certain protections to the personal information collected from its citizens. Relevant examples of data sovereignty rules include:

  1. The General Data Protection Regulation (GDPR) and the ePrivacy Directive
  2. The California Consumer Privacy Laws (CCPA and CPRA)
  3. The Australian Privacy Principles (APP)
  4. The Japan Act on the Protection of Personal Information (APPI)

For an example of a data sovereignty regulation in action, imagine an ecommerce store that sells to customers around the world, including the EU. In order to fulfill customer orders from the EU, the store collects and processes a variety of user data, including names, addresses, and billing information.

Regardless of where the ecommerce store may be based, the EU GDPR will apply to the data of EU customers. This means the store must do things like explicitly inform customers before collecting their data, and only collect personal information pertinent to the transaction (in this case, information related to order fulfillment). If the store wants to collect and use additional personal information for other reasons, such as sending marketing emails, the store will need to obtain the customer’s consent (which can be revoked at any time).

In addition, under the GDPR, customers can request access to their collected data and ask the company to rectify or delete their data (“data subject requests”), which means the ecommerce store must also build systems to accept and respond to such data subject requests.

How do data sovereignty and data localization affect privacy compliance programs?

Data sovereignty and data localization are closely related concepts. As noted above, data sovereignty is the idea that data is regulated by the laws of the country or region in which the data is processed. Data localization, meanwhile, is the practice of storing data within the physical boundaries of a country or region where it originated from. It is often used to ensure that highly sensitive information, such as banking details or medical information, remains compliant with local regulations, as transferring or processing that data in another region may put organizations at risk of compliance violations.

Referring back to the ecommerce business described above: From the moment it processes personal data, it needs to observe the different legal frameworks applicable to the consumer data that is being collected. Unless the business wants to take the most protective regulations and apply those to all customers’ data, the ecommerce business will need to map its data to ensure that the applicable data protection requirements follow that personal data.

In addition, data sovereignty rules can have a significant impact on decisions about where data is processed and stored. Some of these laws also have implications for cross-border data transfers, because the legal protections for the personal information follows the data regardless of where it is processed.

In the case of the ecommerce business, in order to transfer the data of EU citizens to a data center outside the EU, the business will need to consider what GDPR-approved legal mechanism it will use to transfer the data. Depending on where the business is located, it may need to put in place special contractual provisions in order to process EU personal data outside the EU or certify to an adequacy framework such as the EU-US Data Privacy Framework.

The kind of data sovereignty and localization requirements attached to the personal data that a business processes can also influence an organization’s decision about use of a cloud-based storage solution. Cloud storage offers increased flexibility and scalability, and many can offer data localization solutions as well. But to satisfy very conservative jurisdictions with strict localization requirements, an organization may need to seek on-premise storage in addition to — or instead of — cloud-based solutions.

How Cloudflare helps organizations ensure data sovereignty and localization

Cloudflare has a long history of providing data protection to its customers and end users before these protections were enshrined into law, and we believe it is important to not only say we comply with certain laws but to also demonstrate our compliance.

Cloudflare is certified to ISO/IEC 27701:2019 (which maps to the EU GDPR) and compliant with ISO 27001/27002, Payment Card Industry Data Security Standards (PCI DSS), and SSAE 18 SOC 2 Type II. Cloudflare is also certified under EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework, and the UK extension to the EU Data Privacy Framework. In addition, Cloudflare is certified to the EU Cloud Code of Conduct. These validations and others we hold provide assurance to organizations who transfer their most sensitive data through Cloudflare, and help companies meet and maintain their own compliance obligations.

Cloudflare has long followed tenets that align to common data sovereignty regulations:

  • Cloudflare only collects the personal data we need to provide our services and to make our products better for customers
  • Cloudflare does not track our customers’ end users across Internet properties, and we do not profile our customers’ end users to sell advertisements
  • Cloudflare gives our customers the ability to access, correct, or delete their personal information
  • Cloudflare gives our customers control over the information that is processed by different services — for example, any data that is cached on the content delivery network (CDN), stored in Workers Key Value Store, or captured by the web application firewall (WAF)

In addition, Cloudflare can also support meeting any data localization requirements applicable. Our Data Localization suite makes it easy for businesses to set rules and controls at the Internet edge and to keep data locally stored and protected.

Learn more about using Cloudflare services while maintaining data sovereignty compliance.