Data Sovereignty: Do You Know Where Your Files Are?
Depending on your industry, it’s entirely possible that you haven’t previously had to consider the implications of data sovereignty, let alone its legal intricacies. However, the world’s data infrastructure is getting ever more intertwined, and laws like GDPR are starting to cross borders. It’s becoming essential to know how this complex issue will affect your organization. Failing to ensure you are following relevant privacy laws can lead to lost business, lawsuits, fines, or more severe government action. This post (and the accompanying expert interview) will explain this complicated subject and what it means for businesses in the era of the Cloud.
What is Data Sovereignty?
Data sovereignty can be thought of as another term for data jurisdiction – what laws apply to a given piece of information (and the organizations who hold it) at a given time. While previously this was a relatively simple question, it has grown progressively more complicated in recent years, largely due to the globally dispersed nature of most cloud platforms. Organizations need to be aware of the data laws that govern them and their partner organizations in order to keep themselves and their customers safe.
Why is Data Sovereignty Complicated?
Nations, states, and cities around the world have different laws dictating how various things work. Fireworks that are illegal in one city may be perfectly fine an inch outside the city limits. Medications that are commonly available over the counter in one country may be highly restricted and prescription-only in another. Trade, political, or safety considerations can limit or otherwise control the import and export of all manner of goods. So how is this any different?
What makes data sovereignty complicated is that it applies to an incredibly fluid resource: data. Shipping physical objects around the globe takes time, it requires them to go through physical checkpoints and have paperwork and inspections. Data can travel from one side of the planet to another in the blink of an eye, and because of the way the internet and the Cloud work, you may not even know that it has done so.
What Data Sovereignty Means for Your Organization: Cybersecurity Expert Interview
We sat down with XMedius Executive Vice President, Data Solutions General Manager, and cybersecurity geek, Sébastien Boire-Lavigne, to get his take how organizations can protect themselves in the midst of ever-more-complex data regulation and sovereignty issues.
The Cloud: Limitless Possibilities, A Few Complications
With distributed computing (such as in a Cloud environment), data sovereignty becomes even more complicated. We’re no longer talking about a computer or bank of computers in your organization’s facility, but instead a potentially globally dispersed IT environment. Data could be stored in one place, processed in another, but owned by an organization in yet another location.
If that data is associated with private citizens, does their country of origin have a say? What about their current country of residence?
“The vast majority of internet users hail from countries other than the United States. Yet American firms continue to operate the most popular websites and internet services around the world. This means that, for most state regulators, regulating the internet means regulating across borders. For example, criminal evidence was typically found in the same jurisdiction as the crime and the criminal. This is no longer true. Now law enforcement agents routinely seek access to evidence controlled by foreign internet companies—typically American firms—who store or control that evidence in another jurisdiction. Speech issues are similar. France once could control what speech was made within its territory and had in fact sought remedial action for impermissible domestic speech. No more. When the French government asks Twitter to remove offending material, it depends on the cooperation of an American company, which will often need to take action in another country.”
What Sorts of Data Sovereignty Disputes Are Occurring?
Most legal issues surrounding data sovereignty can be separated into three categories: Law Enforcement/Surveillance, Delisting, and Take Downs.
Taking Down (Censoring) Extremist Content
Inside the US, take down requests and legal fights surrounding them are less common as the first amendment protects citizens’ rights to free speech. In addition, Section 230 of the Communications Decency Act shields internet providers from most lawsuits and government legal actions regarding 3rd party content that they simply host on their servers. This further limits the American government’s ability to force take downs.
However, many other countries in the world have regulations covering the use of specific statements, images, or symbols in day to day life. Many countries have rules against disseminating extremist content, such as recruitment materials for terrorist organizations. Countries may also have laws against content that is critical of their leaders and/or government.
Prior to the global internet, this was a simpler issue. Speech targeted for censorship that occurred in the given country would be policed by that country. Now, however, such speech can be published anywhere in the world, then displayed to web browsers in that country, muddying the regulatory waters as countries try to control the contents of servers in other countries (including the US).
Delisting (Removing Sites from Search Results)
Rather than forcing service providers to remove offending material from their servers, delisting actions attempt to force search engine providers (such as Google, Yahoo, or Microsoft) to remove webpages from their indexes. That means that they won’t come up in the search results when a user enters a related query. The content still exists and may still be accessible from the country in question, but only if the user already knows the web address to go to directly.
What makes these actions particularly complicated is that the pages in question don’t need to be breaking the law to be delisted. In the EU, citizens have “the right to be forgotten,” and can request pages be delisted in the event they contain “inadequate, irrelevant, or … excessive” content (Bowcott, 2019).
While this is a persistent legal issue for organizations in the search engine business, it typically doesn’t affect other companies (unless pages on their sites are the target of such a request and they want to keep them in the index). After a prolonged fight between Google and the E.U., the European Court of Justice recently ruled that search engines are not responsible for takedowns on domains serving areas outside the EU, making compliance a bit simpler going forward.
Law Enforcement Investigations & Surveillance
The internet can be an incredibly powerful surveillance tool for countries looking to keep an eye on citizens, criminals, and each other. In many ways, this is data sovereignty at its most complicated. Organizations can get caught between their internal policies, the rights of the individual, and a web of possibly conflicting laws put in place by:
- The country where the organization is headquartered
- The country the target is from
- The country the target is currently in (if different)
- The countries where data is stored or processed
- International treaties
Some laws may require the target(s) be notified of government and law enforcement agency requests, others may require that they NOT be notified. Disclosures can seriously harm organizations’ reputation, even if they’re simply following the law. Boards have to decide what is good corporate citizenship, which fights are worth fighting, and how the organization is going to handle any news coverage if the release of information is publicized.
A prominent example of how thorny this issue can be can be seen in the case of Microsoft vs the United States, where the Justice Department sought information about an American citizen in a narcotics case. While the law was fairly clear about how this situation would be handled in the US, the servers were located in Ireland. The case made it all the way to the U.S. Supreme Court, where it was eventually dismissed due to the passage of the CLOUD Act (as part of the Consolidated Appropriations Act of 2018), which clarified U.S. organizations’ obligations when international laws conflict (Lerman, 2018).
How XMedius Handles Your Data
Security and regulatory compliance are at the heart of XMedius data products. XM Fax and XM SendSecure are both built to use three geographically distributed (and siloed) hosting centers: one in the US, one in Canada, and one in Europe. This means that when implementing an XMedius Cloud-hosted product, you can select hosting in any of these three areas.
All cloud hosting for the XMedius Unified Communications solution, CX-E, is located within the US.
Any processing and storage we do of your data will remain in the designated hosting area, greatly simplifying data sovereignty questions surrounding your Unified Communications, FoIP, and secure file exchange communications. If you want to make things even simpler (especially if your organization is not located in those areas and/or subject to additional laws), all solutions are also available as on-premises deployments.
Reach out to us to learn more about how XMedius solutions streamline workflows and aid compliance with major privacy regulations (including HIPAA, GDPR, FERPA, etc.).