Real estate isn’t the only kind of business where location matters. Since Edward Snowden revealed the extent of the U.S. government’s spying on private citizens, location has been a hot topic in data security and IT management, especially for global companies.
The location of data now matters a great deal to U.S. companies because of recent developments in data privacy and data sovereignty laws, particularly in the European Union (EU), Russia, and Canada. Citizens in these countries want their personal data to be private and safe from unauthorised collection.
Their governments recognise the right of their citizens’ privacy and also recognise the right of data sovereignty – the right of countries to hold data within their borders. In some cases, governments are passing new laws that require data localisation.
Privacy, sovereignty, localisation – for any global organisation with consumer data, it’s important to understand these concepts and the requirements they create for IT investments and operations. Here’s a quick primer on all these terms and why they matter.
Data Privacy vs. Data Sovereignty vs. Data Localisation
Data privacy refers to the confidentiality of data. Keeping data private means keeping it out of the hands of anyone unauthorised to read the data or change it. For example, the U.S. Health Information Protection and Availability Act (HIPAA) mandates that healthcare organisations and their business partners keep patient data confidential.
The only people authorised to see a patient’s data are the patient, his or her healthcare providers, and the relevant insurance payer. In this regard, HIPAA is a data privacy law.
Data sovereignty refers to who has power over data. Webster's Dictionary defines sovereignty as extreme power, especially over a political body, and freedom from external control.
When applied to data, sovereignty generally refers to the principle that data stored in a country is subject to the laws and regulations of that country. For example, data stored in the United States is subject to the laws of the United States, and data stored in Germany is subject to the laws of Germany.
There exists an additional layer of protection in the fact that Germany and 27 other European nations are members of the EU. As a result, the private data of EU citizens falls under the sovereignty of the EU as well as under the sovereignty of their individual nations.
Data localisation refers to where data can be located. Some data sovereignty laws, such as the On Personal Data (OPD) Law that recently passed in Russia, not only specify who has power over data but also mandate that any data pertaining to a country’s citizens must physically reside in that country.
In Russia’s case, as of September 1, 2015, if an organisation has personal data about Russian citizens, that data must reside in data centers or other facilities within the Russian Federation. The OPD Law is a data localisation law.
As a showdown between U.S. intelligence agencies and EU regulators looms over access and storage of data, precipitated by the recent invalidation of the Safe Harbour agreement by the European Court of Justice (ECJ), the role of 'location' in data security and privacy is coming to the forefront and it’s imperative for businesses to understand the implications for conducting business in Europe.
To learn more about data sovereignty and the ramifications of the decision about Safe Harbour, watch our webinar, 'Mayday! EU Safe Harbor Agreement Struck Down!' with Alan Pelz-Sharpe, Research Director for Social Business at 451 Research.