Data sovereignty means having the authority to decide how data is handled, and it serves as an umbrella term for the many facets of processing digital data, including data protection, encryption, transmission and storage. Anyone who stores data in the cloud or uses IT services from external providers must put appropriate protection measures in place and be familiar with the applicable legal rules. What does data sovereignty require, and how do you maintain it?

What is data sovereignty?

Data sovereignty is a legal concept concerning the rules that govern who controls data. It is closely linked to data protection, cloud computing and technological sovereignty. Data sovereignty laws define the extent to which governments and companies may control digital user and business data. In practice, data sovereignty comes down to the following questions:

  • Who owns the data?
  • Who is allowed to store the data?
  • How can data be stored?
  • How can data be used?
  • How is data protected?
  • What happens in the event of data misuse?
Fact

In times of organised cyberattacks, microtargeting, targeted advertising, and data giants like Google, Apple, Facebook, and Tencent, the question of who owns data is far from settled. Private users and companies that use cloud services and external servers are often unaware that data stored externally does not always remain under their control. This is exactly where data sovereignty comes into play.

Because a growing number of small and medium-sized companies rely on cloud computing, i.e. the outsourcing of company data and technology to external servers, the importance of data sovereignty cannot be overstated. If servers are located in countries whose data protection rules do not meet European standards, data sovereignty must be clarified explicitly before any data is moved there.

Data sovereignty and the cloud

The advantages of cloud computing are well known. However, as soon as sensitive data is stored not in-house but on external servers, and possibly in other countries, questions about data security and data ownership arise.

Unless the contract rules it out, third-party providers may be able to analyse and sell the data entrusted to them. In the EU, companies that process personal data are obliged to ensure a level of security appropriate to the risk. Verifiable data protection and up-to-date compliance policies are therefore essential, both for companies that outsource their IT and for companies that provide IT services. If a company loses or neglects data sovereignty, serious legal consequences can follow.

Data sovereignty and the three states of data

Data can be in one of three states online, in enterprise networks, and in the cloud:

  • Data-in-use: Data currently being processed
  • Data-in-motion: Data currently being transmitted
  • Data-at-rest: Data stored locally or in the cloud

Data sovereignty used to be discussed primarily in connection with data-at-rest, i.e. stored data. Today a different standard applies: data security, audit-proof (tamper-evident) record keeping, and data sovereignty apply regardless of where data is located, especially when external providers process company data. Companies must retain data sovereignty in all three states. Technically, this is achieved with encryption in which the company, not the provider, holds the keys: the provider stores and transmits only ciphertext, so only the company (or parties it explicitly authorises) can decrypt the sensitive data.


What is the importance of data sovereignty for businesses?

In times of digitalisation, organisations in both the public sector and the private economy must observe two basic rules to guarantee data security:

  1. IT infrastructure must be secure, flexible, and up to date at all times.
  2. Data sovereignty over customer, user, and business data must be guaranteed.

Once appropriate safeguards and contractual arrangements are in place, companies can protect trade secrets and process personal data in accordance with EU data protection law. Companies should always know how third-party service providers handle data and what rights of use they have. Since there are legal uncertainties and grey areas around data sovereignty, the contract should state explicitly what happens to the data and how it is stored, processed, and transferred.

An example:

If a production company wants to increase its performance, it can use the cloud and web services of a managed service provider. Through data analysis, this provider could, for example, forecast maintenance tasks and identify the company's optimisation potential.

Although the commissioning company should have data sovereignty in this case, this does not necessarily mean it has access to all of the service provider's analyses. Unless otherwise agreed in the contract, parts of the data could also be reused or sold to third parties. Here, a lack of data sovereignty creates both a security risk and a competitive disadvantage.

What is the legal framework for data sovereignty?

Whether for a small online retailer or a large-scale producer, evaluating customer and business data is important for quickly adapting production and services to customer expectations and behaviour. Since it has become nearly impossible to seal data off hermetically from third-party access, legal frameworks are required. In addition to individual contractual arrangements between clients and service providers, national and international data protection regulations such as the EU General Data Protection Regulation (GDPR) set the guidelines for data sovereignty.

There is no general federal data protection law in the USA that sets out basic rules for the protection of personal data. US data protection is instead sector-specific, with regulations for particular industries, and otherwise rests largely on the voluntary commitments of companies. In addition, US authorities have extensive powers to access data held by US providers. If UK companies use the services of American cloud or web service providers, data protection gaps can therefore arise.

What to consider when implementing data sovereignty?

According to the GDPR, companies that process personal data must implement 'appropriate technical and organisational measures to ensure a level of security appropriate to the risk'. Data protection and data sovereignty are complex tasks for companies. In particular, balancing the protection of corporate data, the protection of personal data, and a strong market position can be difficult. Since the GDPR focuses on personal data, companies must ensure that users are informed about the processing of their personal data and consciously consent to it where consent is the legal basis. At the same time, the analysis of user data is a crucial success factor for digital companies.

In order to reconcile data sovereignty, data protection, and corporate success, it is advisable to appoint a data protection officer to oversee your company's data sovereignty (the GDPR makes this mandatory in certain cases). In addition, it should be clarified which data protection and data use policies third-party companies and partner companies apply. A privacy policy is obligatory and should transparently communicate your measures for processing data securely. Essential technical and organisational measures include:

  • Pseudonymisation and encryption of data
  • Confidentiality and integrity of systems
  • Technical resilience of systems
  • Recovery and availability of data after technical emergencies
  • Regular review, assessment, and evaluation of protective measures
  • Compliance with and incorporation of data protection measures by employees
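The first measure in this list, pseudonymisation and encryption, is also the technical core of keeping sovereignty across all three states of data described earlier: if the company holds the keys and the provider only ever sees ciphertext and pseudonyms, the provider cannot read, relabel or quietly alter the data. The following Go program is an added example written for this article; it is not code from IONOS, Gaia-X or any provider, and the keys, object names and customer record in it are constructed sample values. It assumes a customer-held 32-byte data key and a separate pseudonymisation key (in practice these would come from the company's own HSM or key management service, never from the storage provider), and it uses only the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Pseudonymise replaces a direct identifier (customer number, e-mail address)
// with an HMAC-SHA256 tag under a key that stays with the data owner. Records
// handed to a provider carry only the tag; re-identification requires the key.
func Pseudonymise(pseudoKey []byte, identifier string) string {
	mac := hmac.New(sha256.New, pseudoKey)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

// newAEAD builds AES-256-GCM from a 32-byte data key.
func newAEAD(dataKey []byte) (cipher.AEAD, error) {
	if len(dataKey) != 32 {
		return nil, errors.New("data key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext on the owner's side before upload. objectName (e.g.
// the bucket path, including the region prefix) is bound as additional
// authenticated data, so the blob cannot be silently moved or relabelled by
// whoever stores it. Returned layout: nonce || ciphertext || GCM tag.
func Seal(dataKey []byte, objectName string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal. It fails if the key is wrong, the blob was modified in
// storage or transit, or objectName differs from the one bound at encryption.
func Open(dataKey []byte, objectName string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(dataKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, []byte(objectName))
}

func main() {
	// Constructed sample keys and data; real keys come from the owner's HSM/KMS.
	dataKey := make([]byte, 32)
	pseudoKey := make([]byte, 32)
	rand.Read(dataKey)
	rand.Read(pseudoKey)

	// The record stored at the provider carries a pseudonym, not the e-mail.
	record := fmt.Sprintf("customer=%s;plan=premium", Pseudonymise(pseudoKey, "alice@example.com"))
	object := "eu-central/customers/42.json" // hypothetical object path

	blob, err := Seal(dataKey, object, []byte(record))
	if err != nil {
		panic(err)
	}
	fmt.Println("stored at provider (prefix):", hex.EncodeToString(blob[:16]),
		"contains identifier:", bytes.Contains(blob, []byte("alice@example.com")))

	// The data owner reads it back with its own key.
	pt, err := Open(dataKey, object, blob)
	fmt.Printf("owner decrypts: %q (err=%v)\n", pt, err)

	// The provider serves the same blob under another path/region: rejected.
	_, err = Open(dataKey, "us-east/customers/42.json", blob)
	fmt.Println("relabelled object rejected:", err)

	// One byte is modified in storage: rejected.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(dataKey, object, tampered)
	fmt.Println("tampered object rejected:", err)
}
```

Two design points matter for sovereignty rather than just confidentiality. Binding the object name as authenticated data turns the contractual promise "this data stays in this region under this name" into something the owner can verify on every read. And keeping the pseudonymisation key separate from the data key lets analytics partners work on pseudonymised records without ever receiving the key that would re-identify a customer.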

Outlook: Data sovereignty in the UK

UK data protection law is on a par with the EU framework: the UK retained the GDPR as the UK GDPR alongside the Data Protection Act 2018, and the EU has recognised the UK as providing adequate protection for personal data transferred from the EU.

The European initiative for high-security, privacy-compliant, and market-ready data infrastructures is called Gaia-X. Gaia-X is partnering with IONOS Cloud and others to build a data infrastructure intended as Europe's alternative to the cloud computing services of Amazon, IBM, Google, Alibaba, or Microsoft. This would allow companies to process data securely in data centres inside Europe, maintain data sovereignty, and prevent the outflow of industrial and personal data to non-European actors. The infrastructure is to be based on transparent, freely selectable network nodes and data centres whose attributes, capabilities and requirements are clearly communicated. Customers should be able to switch providers without becoming dependent on web service providers and managed service providers, and without cloud or vendor lock-in.

Tip

The GDPR sets out clear rules for the processing of personal data. Among other things, companies are obliged to document their protective measures and be able to demonstrate them. For more information, read our article on the EU GDPR requirements.
