Data sovereignty laws have become a top concern among IT, privacy, compliance, and security leaders. More than 100 countries have enacted laws aimed at protecting the privacy of their citizens’ personal information, and that’s a good thing. However, complying with these laws can pose serious challenges to global businesses.
The term “data sovereignty” has held a variety of meanings. Often it refers to a group’s or an individual's right to control and maintain their own data. In recent years, the term has been more specifically used to refer to the idea that data collected or stored in a particular geographic location—such as a specific country—should be subject to the laws of that location. Whether people are entering credit card information into an ecommerce website or posting comments on a social media platform, data sovereignty laws help ensure that this user data is regulated by the government of the state where those users are citizens.
Many jurisdictions have also enacted data protection laws that govern the conditions under which data generated within a jurisdiction’s borders can be transferred to other countries. For example, the EU’s General Data Protection Regulation (GDPR) allows cross-border data transfers to other jurisdictions only if certain transfer mechanisms have been put in place (like the new EU-U.S. Data Privacy Framework). Still other jurisdictions, such as Russia, have enacted data localization laws mandating that, in certain circumstances, data generated within their borders remain within those borders.
The momentum behind data sovereignty and data localization laws has increased significantly in the last decade as global businesses have collected more and more personal data. Governments are increasingly concerned about their citizens’ data being accessible to foreign countries’ governments. The governments trying to protect data do not want their adversaries—and sometimes even their allies—to access or control information about their citizens.
The TikTok app brought the issues of data sovereignty, data localization, and data privacy into mainstream public consciousness. U.S. lawmakers have been concerned that data from millions of U.S.-based TikTok users could be accessed by the Chinese government without the U.S. government’s awareness. They are concerned because TikTok’s parent company, ByteDance Ltd., is based in China, and Chinese law can require businesses to turn over data. As some lawmakers threatened to ban the app, ByteDance had to promise to store U.S. customer data in the United States.
Your company might not be operating at the same scale as TikTok, which has more than 1 billion users worldwide. However, data sovereignty laws and the push for more data localization could still have a major impact on your business.
Data sovereignty presents serious challenges for any company that wants to do business globally. If your company is based in France, but you decide to sell your products in Canada as well as Argentina, you may need to find ways to keep Canadian and Argentine customer data in their respective countries due to legal obligations, industry guidelines, or certification standards.
The more you expand, the more data sovereignty requirements you will likely encounter. You might have to identify ways to process and store your data in specific jurisdictions or face significant transaction costs to enable cross-border data transfers.
These challenges are particularly difficult to address for small companies. A startup, for example, might not have the resources to keep customer data in each of the countries where that company wants to do business. The startup’s leaders might have to make difficult decisions about global expansion if data localization is required and the company cannot afford to stand up data stores in multiple countries around the globe.
Not only do global businesses need to think about how to meet data transfer and localization requirements, but they also need to understand the challenges data sovereignty and data localization can create for data-driven decision-making. You might want to analyze aggregated data to make key business decisions. However, when your data is distributed to multiple countries, you might not be able to easily centralize data and conduct comprehensive analyses.
I encountered this challenge in a previous role as CISO of a large global company. We were doing business in dozens of countries and we needed to keep data in many of those countries to maintain compliance. But at the same time, we needed to make decisions about fraud and money laundering, which require an aggregate view of data.
To enable data aggregation while still complying with data sovereignty laws, we developed rules around data access and created a control environment to ensure rules around data storage and access were respected. We called this our “data visa” governance program. We developed a set of strict security, access, and data controls with 24x7 monitoring to ensure there were no breaches. This was almost like a confidential or high-side network in the government — we had highly secured networks where the data could not leave. We then brought that program to country regulators, explaining to them how vital this approach was for us to stay in business. We received the government approvals needed to move forward with this approach to data management. However, most smaller companies don’t have that influence with governments or the ability to develop innovative data governance programs in-house.
How can global companies adhere to data sovereignty and data localization requirements without standing up their own data centers in multiple countries? The cloud might seem like an obvious answer. But you’ll need to look beyond typical public cloud providers. Those companies were built on a centralized model for storing data. Yes, many cloud providers have multiple regional data centers around the world, but they might not have locations in every place where your company is doing business.
To satisfy data sovereignty and data localization requirements, it is key to work with technology companies that will enable you to store and process data everywhere you have customers. You’ll also need the flexibility to choose where to store data, decrypt data, store encryption keys, conduct data inspection, and maintain logs to ensure your control environment maps to data sovereignty legal obligations.
Depending on how you view your legal obligations, you might need to store data in a specific jurisdiction but still be able to aggregate data for analysis outside of that jurisdiction. At the same time, you might have a legal obligation that the data can never be accessible in a third jurisdiction. In light of such complicated legal obligations, you will also want to think about how you set up access controls for that data.
Complying with data sovereignty and data localization laws could also require you to rethink how apps are built and where they run. For example, building serverless apps and running them in specific geographic regions can help ensure that the data used by the app stays where it should. Taking this approach can also improve user experiences since apps will be running physically closer to where users are.
Establishing consistent security policies across all of your data stores will also be critical. Consistency will help ensure that there are no weak links in your global network, and it will enable you to avoid the complexity of managing numerous distinct environments with multiple tools.
If you haven’t been thinking about data sovereignty yet, it’s time to start planning. In the near future, you’ll likely face a growing number of laws that require you to store and process data inside particular geographic borders. If your company is expanding globally, you might encounter several data sovereignty and data localization requirements already in place.
The good news is that adhering to data sovereignty and data localization requirements does not have to mean standing up new data centers or curtailing your expansion plans. With the right strategy, you can securely store and process data in each of the countries where you are doing business—and still access that data centrally for analytics and decision-making—without adding excessive costs or complexity.
Learn how Cloudflare helps businesses comply with data sovereignty and data localization regulations with the Cloudflare Data Localization Suite.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Grant Bourzikas — @grantbourzikas
Chief Security Officer, Cloudflare
After reading this article you will be able to understand:
What challenges data sovereignty presents to global businesses
How your company can comply with laws without restricting your business
What you should look for in technology partners to streamline data sovereignty