The control over our data has become increasingly important.
With multiple recent high-profile data breaches and scandals, governments are taking extra measures to prevent their citizens’ personal information from falling into the wrong hands.
Data sovereignty, which has become a hot topic nowadays, is one of the concepts governments are using to protect citizens’ data.
But what is data sovereignty, why is it important, and how does it affect businesses and consumers?
Bear with us as we explore this important topic.
What Is Data Sovereignty?
Data sovereignty refers to the concept that the data an organization collects, stores, and processes is subject to the nation’s laws and general best practices where it is physically located.
In layman terms, this means that a business has to store the personal information of its customers in a way that complies with all the data privacy regulations, best practices, and guidelines of the host country.
If the business fails or refuses to comply with the host’s data privacy laws, the country’s government can impose a fine or force the company in another way to fulfill its requirements.
As part of data sovereignty measures, multiple countries have regulated how businesses can handle citizens’ data, including the locations and jurisdictions where organizations are allowed to store citizen data.
When a business transfers data of a citizen outside of the country, the third nation’s government can use measures (e.g., subpoenas) to access the user’s data, even though the citizen is a foreign national.
Since governments seek to prevent other nations from acquiring the data of their citizens, they have introduced data sovereignty measures that restrict how businesses can transfer personal information outside of the country.
Furthermore, the recent data protection law of the European Union, the GDPR, has implemented strict rules on how organizations handle the personal information of their citizens, even when the company processes data outside the region.
As a side note, data sovereignty is sometimes used in the context of indigenous societies.
Indigenous data sovereignty refers to the decolonization of the personal information of indigenous people that could play a key role in achieving autonomy for these societies.
Data Sovereignty vs. Data Residency
While data sovereignty and data residency are two terms that have similar meanings, it’s very easy to confuse them.
Data residency is when a business or government specifies the geographical location where its data should be stored.
Data residency requirements are often the result of policy- or regulation-related reasons.
Let’s see an example to understand this.
A nation has favorable data privacy laws that help enterprises in handling data-related processes in a convenient, predictable way.
Due to the favorable regulatory environment, businesses would choose this country to store their data.
A company may also include the location where its users’ personal information is kept in its data sovereignty policy.
An excellent example of a regulation-related data residency requirement is when a business chooses to store the data in a specific country due to its favorable tax environment.
To receive the tax benefits, the business needs to ensure that it does most of its operations within the nation’s borders. Therefore, it decides to store its data in a geographical location somewhere in the country.
On the other hand, data sovereignty refers to designating the geographical location where the data is physically stored AND being the subject of that nation’s laws.
While data residency ensures that the data stays in the specified geographical location, data sovereignty makes sure that the information is subject to the legal punishments and protections of the country where it is physically stored.
The History of Data Sovereignty
To understand our topic, it’s essential to take a look at the most important events leading to data sovereignty’s rising popularity.
Where It All Started
Many credit the popularity of data sovereignty and the rise of related discussions to Edward Snowden’s leaks that exposed the US National Security Agency’s (NSA) PRISM spying program.
As part of the program, the US agency was collecting sensitive personal information – including photos, emails, social media login credentials, video calls, and other data – from tech companies in the United States (e.g., Facebook, Apple, Google, and Twitter).
The problem with the spying program was that the NSA did not only collect the sensitive personal information of US citizens but also from foreign nationals.
In addition to the NSA’s spying program, as per the US Patriot Act, the American government has the authority to access data that is physically stored within the country, regardless of its origins.
This means that, for example, German citizens’ data are exposed to the US government if the information is physically stored within the North American country.
Amid concerns that their citizens’ data could fall in the hands of a foreign government, nations all over the world have introduced data sovereignty measures.
Microsoft’s Data Privacy Case vs. the DoJ
Microsoft’s case against the US Department of Justice (DoJ) was also a high-profile event that further highlighted the importance of data sovereignty.
After the DoJ ordered the tech company to grant access to emails stored in Ireland-based servers related to a narcotics investigation in 2013, Microsoft had refused to comply with the Department of Justice’s request.
Despite that Microsoft stated that complying with the request would break the data privacy laws of the European Union, the initial ruling ordered the company to fulfill the DoJ’s request.
However, later on, after Microsoft won the appeal and the DoJ changed its data-related policies.
Why Is Data Sovereignty Important?
Protecting Your Money or Your Data: Is There Really a Difference?
Let us show an example to understand why data sovereignty is crucial.
You open a bank account in the United States, where you regularly deposit your funds.
While you were of the belief that the financial institution would store your funds in the US, you get a call from the bank’s manager that your money has been moved to a third country as the regulatory environment is more beneficial there.
Later on, that nation’s government decides to close your bank’s local branch. For a reason, it confiscates all the funds that the bank’s customers held there, including yours.
Fortunately, due to the different financial regulations in place, the above-mentioned example could not happen with your money.
However, without laws that ensure adequate data sovereignty compliance, your personal information – which is as valuable as your money – could be as easily abused as your funds in the example.
Facebook’s Cambridge Analytica Scandal
Before data sovereignty and privacy were important, businesses could (more or less) use the personal information of their users as they liked.
This means that tech companies could sell your personal data without your consent to a third-party for advertisement purposes.
A great example of the above-mentioned is Facebook’s scandal with Cambridge Analytica.
With an app called This Is Your Digital Life, Cambridge Analytica collected personal data from Facebook users who agreed to participate in surveys.
However, Facebook allowed the firm to collect the data of the survey takers’ friends on the social media platform, harvesting the data of millions of Facebook users without their consent, using the information predominantly for political advertising.
After the scandal was revealed in 2018 by a former Cambridge Analytica employee, the event sparked outrage among consumers and governments alike.
Furthermore, the infamous data leak emphasized the importance of data sovereignty, and governments all over the world have been turning an increased focus on this matter to protect their citizens against information leaks.
Which Countries Have Data Sovereignty Laws?
Now let’s take a look at some nations that already have data sovereignty laws in place.
Canada has 28 data privacy laws, which include federal, provincial, and territorial statutes.
Regarding Canada’s data sovereignty, we should mainly focus on the Personal Information Protection and Electronic Documents Act (PIPEDA) regulation.
Based on Canada’s data sovereignty laws, an organization remains responsible for the protection of the data it transfers to a third-party (even though the service provider is the one processing or handling the information).
Furthermore, Canadian businesses have to reference in their privacy policies and procedures whether they transfer data to third parties outside of the nation’s borders.
The Quebec Privacy Act is more strict with local organizations as they have to ensure that personal information transferred to third parties outside the state would be used only for the intended purposes of the company.
At the same time, the state’s data sovereignty regulation prevents service providers from transferring data to third parties without consent.
If an organization cannot ensure that the third-party service provider outside of Quebec has proper data protection measures, it must refuse the transfer.
California, United States (CCPA)
It’s also important to mention the California Consumer Privacy Act (CCPA), one of the most prominent data privacy laws in the United States.
After becoming effective on January 1, 2020, the CCPA introduced a set of privacy laws for organizations doing business in California that fit one of the following criteria:
- Have an annual gross revenue of over $25 million
- Buy, receive, or sell the personal data of at least 50,000 households or consumers
- Gain over 50% of their annual revenue from selling the personal data of consumers
As per the CCPA, organizations have to disclose the personal data they collect, the purpose of the collection, as well as the third parties they share the information with.
Consumers can demand the deletion of their data from businesses, and they are also able to opt-out of their personal information being sold.
In the latter case, the CCPA prohibits organizations from raising the price or changing the level of the service for consumers who don’t want companies to sell their data. However, the data privacy law does allow businesses to offer financial incentives to their customers in exchange for data collection or the ability to sell their personal information.
Furthermore, if the CCPA’s privacy guidelines are violated by an organization, consumers can sue the company.
When California authorities discover a violation of the CCPA’s guidelines, businesses have 30 days to comply with the privacy laws after the regulator’s official notice.
If an organization fails to resolve its issues within that time frame, California regulators can impose a fine of up to $7,500 per record. As there is no upper limit for the fine, a business that processes the data of millions of consumers could pay billions for violating the CCPA.
Unlike the EU’s GDPR, the CCPA does not restrict international data transfers.
European Union (GDPR)
When it comes to data privacy laws, the European Union’s General Data Protection Regulation (GDPR) is what comes to most people’s minds.
After its approval in 2016 by the EU Parliament, the GDPR requires all organizations – within and outside of the European Union – to comply with strict data privacy rules if and when they collect, process, or store the personal information of EU citizens.
We will discuss data sovereignty and GDPR more thoroughly later in this article.
Germany has been amongst the leaders of data privacy and protection.
Apart from the EU’s GDPR, the European country has implemented the new German Privacy Act (BDSG-new) that restricts data transfers to third countries.
According to Germany’s data sovereignty laws, companies that process the nation’s citizens’ personal information have to fulfill the German government’s data protection requirements, even if they are located outside the country’s borders.
As per the BDSG-new, those who infringe the data protection laws of Germany – for example, illegally transferring data to third parties – could face criminal charges with up to three years in prison.
Like Germany, in addition to the GDPR’s rules, France has implemented its own data sovereignty laws to protect its citizens.
Based on France’s Data Protection Act 2, when an organization interacts with the personal information of its citizens – even if it processes the data outside the nation’s borders – it must comply with French regulations in addition to fulfilling the GDPR’s requirements.
In Australia, data sovereignty laws come in the form of the Federal Privacy Act of 1988 and its Australian Privacy Principles (APPs).
Similarly to Canada’s data sovereignty measures, the organization that transfers the data to a third-party is responsible for how that service provider handles the information and whether it complies with the APPs.
Also, Australian organizations have to ensure that the third-party does not breach the APPs while it processes the data.
Data Sovereignty and the GDPR
The GDPR is one of the most prominent data privacy laws that governments have implemented to protect their citizens’ personal information.
For breaching the GDPR, organizations can be fined by as high as 20 million EUR or by the equivalent of 4% of their global turnover.
After becoming active in 2018, EU authorities have imposed fines of nearly 500 million EUR on organizations that have breached the GDPR’s data protection requirements.
In addition to rules like the right to be forgotten, the GDPR also includes data sovereignty measures.
According to the GDPR, organizations that collect or process the personal information of EU citizens have to store the data within the region or in a jurisdiction that offers similar data protection levels.
Furthermore, no matter where the company stores, collects or processes the data, it has to comply with the GDPR’s rules in case it handles the personal information of European Union citizens.
What Does Data Sovereignty Mean for Consumers?
From the consumer’s point of view, data sovereignty requirements regulate how businesses interact with their customers’ personal information while preventing third-party service providers from abusing the data.
While data sovereignty requirements are not introduced in every nation and can’t fully protect user data, proper regulations discourage organizations from abusing their users’ personal information.
What Does Data Sovereignty Mean for Businesses?
While consumers are often those who benefit from data sovereignty requirements, businesses must find ways to comply with the relevant data privacy and security laws of each nation.
Therefore, in addition to knowing local, regional, and international data privacy laws, organizations have to develop a new or use existing infrastructure for data collection, processing, and storage that aligns with all the relevant data sovereignty requirements.
Data sovereignty measures could also make things complicated for companies that store their data in the cloud.
For example, an Australian organization has two options to comply with its nations’ data sovereignty laws.
- The business can choose a cloud service provider to store and process its data, but it has to ensure that the third-party is complying with all the relevant laws and requirements; OR
- The business can choose a cloud service that operates as well as stores and processes data exclusively within the national borders of Australia to prevent sensitive personal information from leaving the country.
It’s clear that whichever option the business chooses, it requires some extra legwork from the company’s side.
However, doing so helps ensure that the data of the nation’s citizens remains safe(r) with data sovereignty.
Data Sovereignty: A Crucial Concept That Requires Immediate Attention
It’s good to see that multiple governments are implementing data sovereignty measures to ensure that organizations treat their citizens’ personal information appropriately.
However, despite the strict laws, we are still very far from reaching true data sovereignty.
Businesses can still take advantage of our personal information and use it to increase their profits by selling our info to data vendors while we receive nothing in return.
Permission.io is determined to end this by creating a next-generation, blockchain-based advertising platform where users have full control over their data.
If a user gives permission to an advertiser to use his data or leverages his time to engage with the advertiser’s campaigns, he gets rewarded in Permission.io’s ASK cryptocurrency. The user can hold, exchange, or spend the currency in the Permission.io Store.
On the other hand, by only targeting consumers with ads they’ve granted permission for, businesses earn the trust and loyalty of their users while building long-term relationships and achieving a holistic view of their customers’ needs in real-time.
Take a look at Permission.io’s official website to learn more about the win-win advertising model that is changing who controls and profits from our data.