A Data Sovereignty Primer for Meeting Management Users
Concern amongst organizations and individuals about data privacy and security is at an all-time high. Hardly a week goes by without new revelations of data breaches, malicious hacks, governments spying on citizens, or the secret tracking and sharing of personal information by consumer technology platforms.
While consumer-affecting activities get the most press, a significant concern of many organizations is the ability of government authorities to require service providers to disclose customers’ data as part of their national security and law enforcement initiatives.
Sensitivity around these issues is further heightened when data crosses international boundaries. Countries have varying standards and legislation for data privacy, security, and obligations for providers to share data with authorities outside the country of origin. Not only do these regulations differ between countries, but they often appear to directly conflict.
Data protection laws in European Union countries, for example, forbid the disclosure of personal data without the owner’s permission or knowledge; Canadian privacy legislation similarly prohibits disclosure without the owner’s consent. But the United States Patriot Act may require a provider to share such data with U.S. authorities without informing the subject of the investigation, leaving the courts to decide which set of regulations should take precedence when multiple countries are involved.
The rise of “the Cloud” brought such cross-jurisdictional concerns to the forefront. When organizations stored all of their data on their own servers, they had complete control of keeping their information within their own country, and they knew it would be bound by their native legislation.
Today, with companies’ data hosted by third-party service providers and potentially distributed across multiple locations, it’s more important than ever to understand where your cloud vendor is storing your information. Having your data stored in another country increases the chances of that country’s government gaining access to it. Keeping your data in your own country helps keep it subject to the privacy, security and disclosure rules of your own nation.
An Evolving Landscape with No Guarantees
Of course, storing your data intranationally does not completely ensure that foreign governments won’t be able to access it. Authorities in multiple countries often cooperate on law enforcement and investigation, and legal mechanisms exist for mandating the exchange of information across borders.
Even without such collaboration, cloud service providers may be forced to share data stored in one country with the government of another nation they do business in. Companies with headquarters or other business operations in the U.S. are — subject to legal challenges — required to comply with government requests under the Patriot Act, even if the information requested is stored outside the United States.
It’s similarly important to recognize that the data sovereignty landscape is rapidly changing. New rules are being defined; existing regulations are being revised to keep up with advances in technology; and ambiguities and contradictions in current laws are being debated, interpreted and ruled upon in international courts.
Even with these uncertainties and loopholes, it is important to take data residency seriously and address these concerns to the best of your abilities today. Storing your data in your own country creates hurdles to unfettered foreign access and ensures that such requests undergo further checks, balances and scrutiny. It’s just like locking the door to your home — doing so doesn’t guarantee that nobody will break in, but you still wouldn’t make it easy for thieves by leaving the door unsecured.
Predating the Patriot Act
While the 2001 USA Patriot Act is the most commonly cited example of legislation that gives governments cross-border access to cloud-stored data, the fundamental legal tools to compel disclosure of such information existed long before it was enacted. In fact, a notable data sovereignty case recently before the courts — one that had been expected to have significant repercussions for future interpretations and enforcement of privacy legislation — had centered around a 1986 law, the Stored Communications Act (SCA). In United States v. Microsoft Corp., an appeal being heard by the U.S. Supreme Court, Microsoft had refused to provide data stored on servers in Ireland in response to a U.S. criminal investigation search warrant.
Case of United States v. Microsoft Corp.
Microsoft’s stance was that granting U.S. authorities access to information stored outside the country would violate international laws, and that this disclosure request needed to go through Irish law enforcement. In contrast, the U.S. Justice Department maintained that the U.S. warrant was enforceable, as Microsoft could fulfill the request and provide copies of the data from within the United States.
Underscoring the dynamically evolving legislative landscape, before the Supreme Court could rule on this appeal, the case was rendered moot by yet another new piece of legislation. The Clarifying Lawful Overseas Use of Data Act — or “CLOUD Act” — was signed into law in March 2018.
In essence, it updates the SCA to better encompass modern cloud computing technologies — specifying that U.S. service providers must hand over requested data from any of their servers regardless of its location, but providing a framework for rejecting or challenging these requests if they violate the privacy laws of the country where the data is actually stored.
With the enactment of the CLOUD Act, the Microsoft Ireland case was remanded in April 2018 and the original warrant set aside in favor of a new one under the CLOUD Act.
Microsoft deserves further acknowledgement here for its approach to insulating Canadian customers from foreign reach. Ca