Why data sovereignty matters

Why does data sovereignty matter? Data sovereignty is the concept that information which has been stored in binary digital form is subject to the laws of the country in which it is located.

Data sovereignty is not a new issue. It has been around since the first off-shore data centres were established. It is Edward Snowden’s recent revelations of NSA’s PRISM snooping, among other reasons, which have made data sovereignty so topical. Jurisdictional issues cannot be ignored, regardless of how complex they may seem.

If all of your data resides in New Zealand, does this mean that you are safely protected by New Zealand law? The answer is that it depends on who owns the data centre. Subsidiaries of U.S.-owned corporations are subject to U.S. laws. This means that data stored in a New Zealand data centre, which is ultimately owned by a U.S. corporation, is equivalent to data residing in a U.S.-based data centre, in terms of the US PATRIOT Act.

The USA PATRIOT Act of 2001, and the US PATRIOT Improvement and Reauthorization Act of 2005, permits U.S. government agencies to access any information stored within the U.S. legal jurisdiction without your permission or notification to you.

The acronym USA PATRIOT stands for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.
U.S. Congress passed the legislation on October 26, 2001, in response to the terrorist acts of September 11, 2001. It provides seemingly unlimited powers for the U.S. Justice Department in terms of surveillance of American citizens and others within its jurisdiction. Essentially, it was intended to help detect terrorists within U.S. borders.

As a practical matter, however, the U.S. government is usually only interested in information relating to tax evasion, criminal acts and threats to national security.

When data is sent from one location to another, the data is split up into fragments, or packets, and sent all over the planet before arriving at its final destination. That is how the Internet works. This is not an issue. It is where the data finally rests that matters.

A key recommendation is to make a risk assessment of data being stored. Once high and low risk data is identified, appropriate data storage policy criteria can be applied.

The development of data storage policies is a task that the CIO should share with the firm’s CFO and advisors on corporate security, risk management and legal matters.

Verifying that data is only located in the country specified by the cloud service provider is obviously difficult. Reliance must be placed upon the service provider’s integrity and its compliance with their service level agreement.

It is important to understand that data sovereignty does not relate to who owns the data or the security of the data. These are separate and vital matters which must also be addressed.  Another reason to worry about data sovereignty is civil litigation. If you have a commercial conflict, your opponent’s access to your digital data will depend upon the discovery rules applicable to the country in which your data is held.

If you do not know where your data resides, you should find out for your own protection. If you use software provided as a service, your service provider will hold your operational data to enable the function of the software being used.

You will also need to understand how many parties hold your data. For example, a New Zealand-based cloud service provider may appear to hold your data in New Zealand. However, the provider’s services may have been “white labeled” with the service actually performed by others, who may be located in other legal jurisdictions.

If a service provider allows another company to rebrand their service, as if it were the cloud vendor’s own service, it is called “white labeling”.

There may be multiple parties involved in delivering the service. Each link in the supply chain may have different legal jurisdictions to consider. The opaqueness of the legal relationships must be clarified if you expect to sleep well at night. If you do not know what parties hold your data and where it resides, you may be holding a loaded gun.

If you use a local New Zealand-owned cloud service provider, who performs the service within New Zealand, from a New Zealand-owned data centre, your legal jurisdiction is likely to be New Zealand.

Currently, intense global interest in government access to business and personal data has generated a new focus on data sovereignty. It would be prudent to pay attention.

– Dr Michael Snowden, Managing Director

Download PDF, as featured in NBR, November 1, 2013