February 14, 2023

Data sovereignty in the cloud: How to protect your data

Data sovereignty in the cloud: How to protect your data

The world has become so digital and is generating so much data that many countries have enacted specific legislation to regulate how data is managed within their borders. Data sovereignty is local legislation that ensures all stages of collecting, storing, and processing data. Several of these laws inhibit data sharing outside the country, promoting localization within the country.

Over a hundred countries have some type of legislation regulating data. The regulatory hodgepodge makes the global terrain of data protection somewhat incongruous and challenging to navigate.

This guide introduces data sovereignty, examines some of the most prominent laws in key jurisdictions, and provides helpful solutions to stay on top of cloud data sovereignty laws from your location.

What is data sovereignty?

Countries use the term ‘sovereignty’ to mean that their government is in absolute control over what happens within their borders and is not subject to outside influence. In the same way, data sovereignty means that a country has powers over what happens to data within its territory. This includes how it is to be processed, stored, and protected.

Two related terms to data sovereignty are:

  1. Data residency, which relates to the geographic location of data, where it is processed and stored, and;
  2. Data localization requires that data be processed and stored locally and consent obtained from individuals, the government, or both before data is transferred.

A country can have sovereignty over data, not only within its borders but outside them as well if the data pertains to its citizens or residents.

A person’s data is like a digital picture of them, and just as individuals are regulated by the laws, their personal information is also subject to data laws within the country.

Entities that manage data must obey data sovereignty requirements to avoid inadvertent violation.

What is data sovereignty in cloud?

When data is processed with local infrastructure, sovereignty clearly belongs to the country in which that takes place. However, the cloud makes it possible to process and store data in many different regions, not minding where the processor is located physically. Although that may pose some challenges, there is no doubt that such data still comes under the regulation of the country of its origin and which owns the infrastructure. This is known as cloud data sovereignty.

Key considerations related to data sovereignty

There are specific considerations that controllers and processors must take note of while navigating data sovereignty compliance.

Some of them are: 

  •  Constant law reviews 

Data sovereignty is a modern and evolving concern. Many countries are still in the process of getting it right. As such, policies are in a state of flux as countries work towards creating the perfect legislation to establish data sovereignty.

  • Expansion 

Entering new global regions is always a positive thing, but growth comes with new challenges. Even taking on expatriate clients in your local country increases the stack of data sovereignty requirements that your business must comply with.

  • Transparency

While compliance is internal work, it must be subject to external measurement and review. This will require that companies capture their process flows and subject themselves to inspection by regulatory bodies from time to time.

  • The cloud

The cloud has limitless benefits for software technology, but its decentralized infrastructure can make compliance quite complicated. Companies must stay within the deployments of the cloud infrastructure in their country of operation. The downside, however, is that these local infrastructures may constrain how much these companies can utilize cloud services.

  • Cost

Complying with data laws can result in increased operational expenses for the company. For example, costs are often incurred during upskill training, procurement of new equipment, infrastructural upgrade, etc.

Storage and transfer of data according to data sovereignty in the cloud

Data sovereignty in the cloud requires that certain practices be adopted during storage and transfer.

For the storage of data (Data at rest), one of the first steps in compliance is deciding where data will be stored, whether onsite or in the cloud. Of course, the use of the cloud is more challenging, but complying with a few best practices can greatly reduce the burden. Companies that use the cloud often replicate this data by storing it across multiple locations. This should be guided by accurate information from cloud service providers to help companies choose the most favorable regions for storage according to the regulatory requirements in each.

For data transfer (Data in transit), companies must ensure compliance with data sovereignty on both ends — the country of origin and the destination. It helps to carefully review the laws in each region and adjust the process accordingly.

Because data in transit is susceptible to attack, security protocols such as encryption and access control should be deployed during the process.

There is an essential link between cloud providers and data sovereignty because they are most familiar with regional laws and can help companies comply.

Cloud data sovereignty by country

In this section, we will examine some key data residency requirements by country:

China: The Personal Information Protection Law (PIPL) is the supreme data legislation in China. It makes general provisions on data protection — how sensitive information is to be processed, and transferred across the border, the obligations of processors, and liability for defaulting. The PIPL is also known to provide a broad spectrum of rights to data subjects to know and understand how their personal information is being used.

Other major Chinese data legislations are the Data Security Law and the Cybersecurity Law. The former governs data processing, security, and localization, restricting transfers beyond China to fulfill certain conditions. On the other hand, the Cybersecurity Law regulates the country’s cyberspace by providing security measures such as critical information infrastructure (CII) and certification of network equipment. The aim is to provide the citizens and residents of the UAE with a greater sense of control, security, and trust in online activities.

Europe: The General Data Protection Regulation has radically changed the scope of data sovereignty in the European Union countries. In making their laws, other countries have also borrowed heavily from some features of the Regulation. Currently, by the provisions of the GDPR, it is very difficult to export data from any member of the EU to another country outside of the Union.

The GDPR has some form of extraterritorial influence. It applies to persons handling the personal information of European residents, whether or not they are outside Europe. GDPR is arguably the strictest protection law in the world and the most widely used since it enjoys a continental application.

Indonesia: The Personal Data Protection Law (Law of the Republic of Indonesia Number 27 the Year 2022) came into force on October 17, 2022. Like other data protection laws, the PDPL applies to operations within Indonesia and outside if they affect the country or its citizens.

The PDPL was drafted according to the general principles of data privacy, such as consent, purpose limitation, necessity, and lawfulness. It clearly outlines measures to secure personal information from illegitimate access, the rights of data subjects, and conditions for transferring personal data outside Indonesia.

Other protection laws in Indonesia are the Electronic Transmission Law No. 11 of 2008, the Minister of Communications & Informatics Regulation No. 20 of 2016, and others.

UAE: The UAE Federal Law No. 45 of 2021 on the Protection of Personal Data is extensive. It regulates data collection, privacy, usage, retention, consent, transfer, etc., by providing technical and organizational measures to adopt in each case. The legislation offers clear and comprehensive rules for a safe and secure digital environment. 

Another protection law is Federal Law No. 2 of 2019, specifically enacted to protect health information. It gives individuals the right to choose how theirs is handled.

States within the UAE also have their respective laws for data protection. The Dubai International Financial Centre (DIFC) Data Protection Law, DIFC Law No. 5 of 2020, is the legislation that regulates the data of individuals and organizations in the Dubai International Financial Centre (DIFC).

Also, the Abu Dhabi Global Market (ADGM) Data Protection Regulation No. 2 of 2018: regulates data processing within the ADGM, similar to the DIFC Law, with complementary guidelines to help with compliance.

Japan: Japan’s current data sovereignty law was a response to constant data breaches happening at the time. The first data protection laws were set up in 2003, but it was in 2015 that the Protection of Personal Information (APPI) was created to address new issues in digital data transfer. That law has been subsequently reviewed to cover gray areas like transfer and monitoring, use of anonymized data, and leakage management, among others.

InCountry approach: How you can comply with data sovereignty

Data sovereignty issues in the cloud can pose real challenges for data-handling companies, especially those operating in multiple jurisdictions.

InCountry provides data residency-as-a-service worldwide. This solution means instant compliance with all protection laws in each respective country.

Here are a few listed ways InCountry can help you with data compliance:

  • Quick Implementation in Multiple Countries: InCountry maintains a presence in 90+ countries worldwide and counting.

This means you can use InCountry as a one-for-all solution in any country you decide to set up shop in.

  • Localization: InCountry is ever in step with data residency and localization requirements in each country. Our certified cloud infrastructure helps to keep regulated data localized in existing top-tier data centers.
  • Security: InCountry uses and offers only the best security standards and protection measures in the industry, such as high-level data encryption (SHA-256 and AES-256), firewalling, network isolation, and intrusion detection. 
  • Compliant Cloud Providers: InCountry works with attested and trusted security-compliant cloud service providers to cater to your company’s needs.

Check out the full array of our compliance and security standards. Schedule a call with our experts to learn how InCountry can help your business stay compliant.