In the early 2000s, the dawning of the internet promised to break down information-sharing barriers between nations. That optimism ended up being short-lived. Fast forward to 2020 and we’re seeing increasingly protectionist behaviour internationally, with data legislation proliferating around the world. That shift has thrust data sovereignty front and centre.
Recent events point to this. In July, the European Court of Justice struck down the EU-US Privacy Shield mechanism for data sharing, due to fears of US government overreach. Meanwhile, the data privacy stand-off between the US and Chinese governments over TikTok user data persists. These developments could be perceived as the start of something of a privacy trade war between economic powers, which naturally throws up questions for international businesses that are looking to keep their data safe and comply with the latest regulations.
Now with the Brexit transition period drawing to a close at the end of the year, concerns are being raised around how the flow of data between the UK and the EU will be affected, whether businesses need to adapt their data practices and if this will have a prohibitive effect on business.
Global data sovereignty debates
Beyond the implementation of regional legislation like the EU’s GDPR, there is also a layer of ‘data nationalism’ that has surfaced, whereby there aren’t necessarily legal obstacles to data moving across borders, but there are historical prejudices against doing so and growing mistrust that laws in other countries are strictly enforced – the current poster child for this being the US government’s attack on TikTok.
Data protectionism has extended to this side of the pond too. The EU-US Privacy Shield Framework, a legal mechanism protecting data transfers between the US and EU (in addition to Switzerland) from unauthorised access, was struck down in July by the European Court of Justice on the grounds that it was not effective in its original remit of protecting EU citizens from US government oversight. Instead, organisations transferring data from the EU to the US must now rely on Standard Contractual Clauses (SCCs), non-negotiable legal contracts drawn up by Europe which are already used for other continents besides the US.
Now with the end of the Brexit transition period looming, some are anticipating new UK regulations that will bring added complexities for businesses around where their data sits and how it gets stored. As it stands, Britain has laid out no plans to restrict the flow of personal data to the EU. It will have “third country” status at the end of the Brexit transition period, which means that the European Commission must perform an adequacy assessment on the suitability of Britain’s data protection law to allow personal data to be transferred to Britain. If successful, this would create a “UK GDPR” of sorts, aligned with the EU’s own.
Building sovereignty into your storage strategy
Data is increasingly the lifeblood of any company. The pandemic and shift to remote working mean we’re storing more of it than ever. In fact, an IDC report from May predicted that the next three years of data creation and consumption will eclipse that of the previous 30 years put together. So it’s no surprise data sovereignty is a growing concern for businesses around the world and one that needs to be considered when developing a storage strategy.
SCC agreements, which are now the only legally sanctioned mechanism to transfer data between the EU and “third countries”, mean that the data protection afforded to companies is only as good as a particular cloud vendor is willing to offer. For example, companies with European operations that want to guarantee that their cloud strategy consistently reflects EU standards should ensure that their storage provider offers the capability for their data to be stored in cloud buckets within a European data centre, which by necessity will comply with GDPR.
On top of this, a hybrid cloud strategy makes a huge amount of sense for most companies from a performance point of view. “Hot” data that is currently in use can be stored locally, while data that is not in regular use can be pushed to a cloud where it can be stored inexpensively and more conveniently. Any serious cloud vendor will show that it’s committed to the values reflected by a jurisdiction’s privacy laws, and in response to changing laws, most will be prepared to build storage in every major market where data privacy laws come into play.
There’s no doubt we’re seeing a fracturing of international cooperation on data storage, as trust breaks down between countries stewarding one another’s data. In response, companies should be mindful of storing their data as close to their customers as possible, and of working with a vendor that can facilitate this and demonstrate a commitment to the data privacy standards of each jurisdiction.
Navigating data sovereignty rules isn’t always simple. But by working with a cloud storage provider you can completely trust to comply with evolving regulation and safeguard your data, you can focus on other things, like growing your business.
David Friend is the CEO and co-founder of Wasabi, a cloud storage provider.