Current Issues in Data Sovereignty and its Impact on Information Security

The U.S. file-hosting company Dropbox recently announced it would be opening new offices within the European Union, the first planned for Hamburg. This strategic move is intended to reassure the firm’s European customers, and to address concerns about data hosted outside the E.U. and not subject to E.U. regulations.
Such concerns are growing among companies and individuals, and are related to worries about information privacy, cross-border data flows and data sovereignty. This last aspect can be defined as digital information being subject to the laws of the country where it is stored.
As cloud computing has become key in business information sharing and storage, the crux of the problem is ensuring compliance with regulations wherever data is stored. Companies may face significant data sovereignty challenges because some of their data can be accessed in foreign countries. Thus, they risk violating rules in some countries, even though they are compliant in their own jurisdiction. For example, following the June 2013 Snowden/WikiLeaks scandal, many E.U. countries passed new regulations to insist on data privacy and to secure data transfers outside the E.U.
This problem is all the more complex for the financial services industry, which must adhere to strict compliance and regulatory requirements because of the confidential and sensitive nature of the data it holds. Financial firms must know where their data is located and who can access it, because regulations in some countries are stricter than in others. For example, India adopted a strict privacy and security regulation a few years ago called ‘Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011’, under which international transfer of information or sensitive data “may be allowed only if it is necessary”. These rules also state that the same level of protection should be provided in a foreign country whenever sensitive personal data may be transferred.
A good example is the U.S. ‘Patriot Act’, passed in 2001, which is concerned with data privacy rights of U.S. citizens. Among its provisions, this law gives the U.S. government the ability to legally access, intercept and inspect “any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities.”
For instance, if a non-U.S. firm (e.g., a Hong Kong company) uses a cloud application running outside the U.S., but the data is stored on servers in the U.S., it may fall under the U.S. Patriot Act regulations, which theoretically enables the U.S. government to access the data.
As a consequence, many Asian financial service firms no longer want to host their data in the U.S. and many common U.S.-based tools cannot be used by Asian-based institutions. This results in a loss of business and increased inconvenience for banks and insurance companies, and hampers the growth of the cloud industry, preventing the creation of a global information security environment.
Most countries have not passed strict data residency laws, which would require the retention of data within the country to protect their companies’ sensitive information. In contrast, the E.U. has a raft of regulations and Asia has started to increase enforcement of data security regulation in recent years – including the ‘Act on Real Name Financial Transactions and Guarantee of Secrecy’ in South Korea, which aims to protect data collected by financial services. Japan also imposes strong restrictions on the use and transfer of private data with the ‘Act on the Protection of Personal Information’. China, on the other hand, has no clear data privacy and residency laws.
Hence, there is a need to build a global framework that marries national security interests with the practical realities of business and the movement of data.
One solution could be for a cloud service provider to set up a presence in multiple jurisdictions, to enable compliance with disparate data security regulations. While potentially solving the problem, this could prove costly and unscalable in the long run.
A better option would be a data-centric approach, in which the data itself is secured regardless of the jurisdiction or platform, thus enabling security throughout the entire data cycle. The permission policies around a piece of data would ensure it could be accessed only in certain countries and never in others. With the rapid proliferation of data and the rise of cloud services, the only scalable, secure and compliant approach could be a data-centric one, which APrivacy’s patented technology enables.

