The surge in cloud computing and Software as a Service
(SaaS) solutions has elevated the significance and risk of data sovereignty
issues for regulators and businesses. Data sovereignty involves a
country-specific mandate stipulating that data is governed by the laws of the
nation where it is gathered or processed and must remain within its borders.
Many countries, including Russia, China, Germany, France, Indonesia, and
Vietnam, insist that their citizens' data be stored on servers physically
located within the country's boundaries. This requirement is grounded in the
belief that safeguarding personal information from misuse, particularly beyond
the country's jurisdiction, is in the government's and citizens' best
interests. The prominence of such laws has increased with the introduction of
new privacy regulations like the General Data Protection Regulation (GDPR).
اضافة اعلان
The concept of data sovereignty encompasses the collection,
ownership, and application of citizens' data. To add complexity to the
situation, there is a common misuse of two terms that are often used
interchangeably: data residency and data sovereignty. Despite their frequent
interchangeability, they possess slightly distinct legal meanings. Data
residency refers to a scenario where a business designates the storage of its
data in a specific geographic location of its preference. For instance, a
company might enforce a data residency requirement to benefit from a more
favorable tax regime. On the contrary, data sovereignty goes beyond data
residency by not only storing the data in a specified location, typically due
to regulatory mandates, but also subjecting it to the laws of the country where
it is physically housed. The privacy and security protections for data subjects
vary based on the location of the data centers. Some countries mandate local
storage to leverage specific privacy laws and tightly regulate the movement of
data out of the country.
For an extended period, individuals and their respective
countries' public sectors primarily held the majority of personal data.
Initially, data was a commodity that researchers had to formally request for
storage and analysis. However, contemporary daily activities serve as
continuous sources of data collection. The entities offering ostensibly
"free services" now gather our data for categorization and analysis,
with many users unaware that they themselves are the product of these
ostensibly free services. Complicating matters further, users may find their
data stored in one country, analyzed in another, and subsequently sold to
advertisers on a global scale. This underscores the need for users to advocate
for clear regulations governing cross-border data flows, emphasizing
interoperable approaches over nationalistic ones to safeguard personal data.
“Data sovereignty involves a country-specific mandate stipulating that data is governed by the laws of the nation where it is gathered or processed and must remain within its borders.”
Thus, in the realm of data-driven business models,
researchers and advocates for individual rights emphasize that companies often
exploit personal data to influence users, posing threats to autonomy,
individual rights, and governance systems. Users frequently lack knowledge
about the duration of data retention, the extent of data already in the
possession of these entities, and the specific purposes for which their data is
utilized. This information gap reinforces the importance of establishing
transparent regulations to govern data usage and ensure user protection.
Accordingly, data sovereignty is deemed non-negotiable and
should be under the purview of national policymakers. The European Union (EU)
emphasizes the utilization of European data for the benefit of European
companies and the creation of value within Europe. In Canada, officials express
concerns about the inability to ensure full sovereignty over data stored in the
cloud, particularly sensitive government data that might be subject to foreign
laws and disclosure to other governments. Policymakers in Canada propose
solutions such as limiting certain data categories stored in the cloud,
implementing data encryption, and utilizing contracts to restrict access to
sensitive data to Canadians only.
Therefore, the GDPR requires that all data collected on
citizens must be either stored in the EU, so it is subject to European privacy
laws, or within a jurisdiction that has similar levels of protection.
Additionally, it applies to both data controllers and data processors, so
whether your organization uses or provides a cloud service that processes EU
resident data, your company is directly affected.
“contemporary daily activities serve as continuous sources of data collection. The entities offering ostensibly "free services" now gather our data for categorization and analysis, with many users unaware that they themselves are the product of these ostensibly free services.”
Many companies are adopting multi-cloud strategies as a safeguard against
vendor lock-in. Major public cloud vendors, such as Microsoft, AWS, and Google,
have strategically established cloud data centers worldwide to address concerns
related to data sovereignty. However, numerous second and third-tier SaaS cloud
vendors may have limited data center options, relying on a single provider like
the big three public cloud vendors. To compete in the realm of data
sovereignty, a SaaS cloud provider must offer multiple data center locations in
adherence to local regulatory requirements or explicitly outline compliance
with specific data sovereignty regulations based on the geographic location of
data centers.
Nonetheless, various platform types exist, serving distinct
purposes. Transaction platforms, exemplified by Amazon, Alibaba, Airbnb, Uber,
and Baidu, facilitate the matching of supply and demand. Technology platforms,
such as Microsoft's software platform and the app stores of Google and Apple,
provide a foundational structure for others to build upon. Additionally,
platforms like Amazon's Alexa and Samsung SmartThings establish connections
between users and their devices. These platforms leverage network effects,
where increased user engagement enhances the platform's value for both users
and investors. Consequently, users often remain loyal to platforms due to the
desire to connect with like-minded individuals.
Hence, platform companies exploit information asymmetries,
gaining a competitive advantage when selling data by accumulating extensive
knowledge about market factors. The opacity of data markets, coupled with
researchers' limited understanding of supply and demand dynamics, enables firms
to hoard excessive data, leading to concerns about insufficient privacy for
users. The "freemium" model, widely adopted by many platforms, relies
on advertisements for revenue, offering free services in exchange for users' personal
data. Critics argue that this model, driven by tailored advertising and
content, may contribute to the spread of divisive content to keep users
engaged, attracting more advertisers and further data collection.
In conclusion, the surge in cloud computing and Software as
a Service (SaaS) solutions has propelled data sovereignty to the forefront,
posing challenges and opportunities for regulators and businesses globally. The
interplay between data residency and data sovereignty underscores the need for
precise regulations in an era where individuals, often unwittingly, become
commodities in the realm of ostensibly "free services." As data flows
across borders and business models evolve, the call for transparent regulations,
user protection, and interoperable approaches gains urgency. Whether through
multi-cloud strategies or diversified data center locations, the competitive
landscape demands adherence to local regulatory requirements and explicit
compliance with data sovereignty regulations. The evolving dynamics of platform
types further underscore the delicate balance between user engagement, market
factors, and privacy concerns, calling for continued scrutiny and regulatory
clarity.
Dr. Hamza Alakaleek is a corporate lawyer and tax attorney
with post-graduate degrees in International Political Economy, International
Business Law, and Law and Technology with focus on IoT, AI, DPA, and CSL.
Disclaimer:
Views expressed by writers in this section are their own and do not necessarily reflect Jordan News' point of view.
Read more Opinion and Analysis
Jordan News
.jpg)
.jpg)
