What is Data Sovereignty?

If you deal with customer data, and likely even if you don't, you hear the term "data sovereignty" thrown around a lot. But what does it mean? How can data be sovereign? Isn't the sovereign the ruling authority of the country, perhaps the king or queen, maybe the Parliament, maybe the people themselves?

Perhaps more importantly, when and why does it matter to you?

NOTE: Of course, this article is not legal guidance.

A History of Data

What is data? Data, the plural of datum, are simply pieces of information.

For the vast majority of human history, data was expensive. It either was stored in someone's head, or on physical media. Your local baker wrote down how many loaves of bread he sold last week on paper; the barkeep kept your tab on a little notebook under the counter. Even the government tracked all of your taxes in filing cabinets in their local headquarters nearest your home or, at most, in the national capital.

Because data was expensive, it was also local. It's expensive to take the baker's books and send them to the next town, let alone across the country or across the world. Perhaps more importantly, sending them there made it impossible for the baker to use them without spending all of the money to bring them back when he needed them.

Essentially, data was largely expensive to produce and stayed very local.

All of this changed with two related inventions: computers and the internet.

First, computers made the creation and storage of data cheap. A single computer, even from the early days, could store the equivalent of a room full of books. Modern computers can store can store buildings full of data.

About ten years ago, the US Library of Congress said that all of its data would fit into 15 Terabytes.

This modern solid state drive (SSD) from Crucial costs $250, fits in your pocket easily, and holds 4TB of data. The entire library in Congress fits into your two front and two back pockets.

In addition to making date cheap to store, it also makes data cheap to copy. How many times have you written a document in Microsoft Word and then made multiple copies of it in seconds?

Second, the internet made it cheap to move data. It is now possible to send data from New York to San Francisco, London to Liverpool, Sydney to Melbourne, in seconds.

Perhaps more relevant to our conversation, it is equally simple to send data across national borders, from New York to London, Sydney to Singapore, and Tokyo to Beijing.

As the amount of data grew, and especially data that is personal to companies and especially individuals, many countries began putting in place rules and regulations for how to handle that data. The most famous of these is the European Union's General Data Protection Regulation (GDPR), which went into effect in May 2018. Many other countries or even regions have their own rules.

These rules govern how you may or may not collect data, and what you need to do to protect that data once you collect it. Some of these regulations apply only to the largest of organizations; others apply to any organization that collects end-user data. Interestingly, many of these apply not only to digital data but physical as well.

Data Localization

Before we can discuss data sovereignty, we need to understand the concept of data localization.

Data localization is the idea that some data should be collected, stored and processed in the country in which the user resides. Thus, if you are providing digital health care services in Brazil, you may be required to process and store the data of your Brazilian customers on servers in Brazil.

Data localization serves several purposes. First, it makes it easier for the government of the country to access the data if they need to, depending on local privacy laws. Second, it makes it easier for the government to apply their law to how the data of their citizens are stored and used. Third, there are commercial reasons for governments to prefer service providers in their own countries.

What happens, however, if you remove the data? Perhaps the country does not have strict data localization regulations, or perhaps you are not subject to them. Some countries recognize that it is very expensive to build data centers, not every cloud provider has local services, and small companies either must use services in larger locations, like the US and the EU, or stop offering services. Maybe you moved the data out before localization laws took effect.

Once the data has left the country, are you now subject solely to the laws of the country hosting them, for example, the United States if you process and store the data in AWS us-east-1 or Equinix Metal Atlanta Metro?

Enter data sovereignty.

Data Sovereignty

Data sovereignty is the idea that data is subject to the laws of the country in which it was collected, regardless of where they are stored or processed.

If you are providing ecommerce services to stores in Germany, and you collect data on German citizens, you are subject to the laws of Germany and the EU, even if you have legitimate allowance to process and store that data in North America.

The EU in general and Germany specifically retain their "sovereignty" over the data collected from their citizens, even if it has been moved to another locale outside of their jurisdiction.

Of course, the EU and Germany would prefer if you just kept the data in their jurisdiction, but even if you did move it, legitimately or otherwise, Data Sovereignty regulations may make you continue to be subject to their regulations even though the data is overseas.

Conflicts

What happens if there is a conflict?

What happens if you collect data in Brazil or the EU and store it in the US, but the US has legitimate requests for access to that data under US law, but in a way that runs afoul of those regulations?

The answer here is, get good legal advice.

Our best advice to you is, anytime you plan to deal with end-user data, create a good data processing and storage strategy in concert with good legal advice. Do not wait until you have a conflict of regulations.

Data Sovereignty and Equinix Metal

Equinix Metal is a global provider of bare metal servers. Further, because it really is bare metal, and not various forms of managed services, Equinix has no access to your data. This may simplify your data access and compliance strategy.

Of course, Equinix Metal has locations around the world, further simplifying your compliance with keeping data near your users, whether for performance purposes or data localization and sovereignty compliance.