Whose Data Is It Anyway?

Cloud-based data may have the power to leap international borders in a single bound, but that does not make it immune to international law. As governments around the world crack down on the free flow of data, the question of where data lives has become more than a matter of how quickly it can be accessed.

Data sovereignty, also known as data residency regulation, is a means of regulating information based on the country where it is used. Typically inspired by a combination of security and privacy as well as economic factors, new sovereignty laws are cropping up around the globe, according to JLL’s 2016 Data Center Outlook Report.

Already, these regulatory requirements are influencing location decisions, with major data center providers expanding internationally more rapidly than ever before. Fifteen years ago, cross-border data center traffic was minimal. Today, it has since grown 45 times — and is expected to grow another nine times in the next 15 years, according to research cited in the report. This increase is due in part to providers’ efforts to help their users maintain compliance in the face of more complicated conditions.

Even with such conditions, the case for sovereignty law is arguably easier for international governments looking to safeguard their nation’s data and potentially help stimulate local economies.

THE CASE FOR DATA SOVEREIGNTY

The explosive growth of cloud computing has helped make now the time for many governments to develop and refine their technology policy for two major reasons.

Security and privacy is a mounting concern. Cyber-threats may be at an all-time high, but in the complex field of international data law, securing data is often less about preventing hackers and more about protecting private data from a foreign government’s ability to seize it. In 2013, Edward Snowden’s dramatic disclosures of NSA surveillance served as an alarm bell for information technology leaders around the world.

The news helped inspire the development of sovereignty law, as well as new challenges to existing law. For example, Microsoft recently spent close to three years fighting the U.S. Government’s efforts to seize email data from a Microsoft user, whose email data was stored on a server in Dublin, Ireland. In July 2016, Microsoft won its appeal, but it prompted major questions. What nation gets the right to issue a search warrant: the host of the data, the organization’s host, or the customer’s location? How does a company know when to comply — and when not to? The conversation is continuing as new laws emerge.

National economies could benefit from retaining and localizing revenue from this hot sector. Demand for data center services is rampant, and growing fast — something that is appealing to countries passing strict data sovereignty laws to keep data center revenue inside their borders. Consider JLL’s research, which found that data center stocks surged an average of 50% in the second quarter of 2016, with demand pouring in from sectors as varied as retail, finance, and government. Meanwhile, the multi-tenant data center (MTDC) market is projected to rise at a compound annual growth rate (CAGR) of 12.1% between 2015 and to reach $76.73 billion in 2018. And top cloud providers are expected to pull in a collective $120 billion by 2020, representing a CAGR of 61.3%.

Such economic star power has not escaped the attention of international governments, who may see an opportunity to keep associated dollars within their own economies.

DATA SOVEREIGNTY LAW: HIGHLIGHTS FROM AROUND THE WORLD

Countries that have adopted various degrees of data residency or data sovereignty requirements can be found around the world, from Canada, Switzerland, China, and Australia, to name but a few. Indeed, the trend seems to be cutting across ideological lines, too. According to new academic research, data localization policies are proliferating in countries such as China, Vietnam, and Iran, too.

The move toward regulating storage may be picking up momentum around the world, but it looks different in every country — which can make it difficult for even the largest players to navigate. Here are a few hotspots for data sovereignty law around the world:

Russia boasts some of the most stringent data privacy laws, with national law dictating that personal data on Russian citizens must be stored in databases that are physically located within its borders. TechCrunch considers Russia a “warning bell” for the industry with more than 20 other countries currently considering similarly restrictive laws. India is also becoming an active data storage market with Amazon Web Services recently launching its first two data center locations in Mumbai.

The European Union has had data protection rules in place since 2012 with the intention to improve local digital economies and protect personal data. Recently it enacted a Privacy Shield, which eases data flow with the U.S. with the caveat that any stateside use, storage, and further transfer is conducted under a strong set of data protection safeguards, which are facilitated through the U.S. Department of Commerce. Enacted in April 2016, major players like Google and Dropbox have already signed up for the framework.
Within the EU, Germany offers an interesting example of a government that has its own national laws, too. According to Cloud Computing News, German law not only mandates that specific types of German corporate data can never cross German borders, but also that only German citizens can administer those types of data.
In Argentina, Mexico, and Chile, various sources including American University reveal that new data privacy and disclosure laws are currently shaping developing data storage markets.
The U.S. remains the global leader, but cloud providers are also flooding southeast Canada, as discussed in CPE. That’s in large part thanks to data sovereignty laws that require Canada-based organizations to store some types of sensitive data within Canada. Amazon announced its plans in early 2016 for a new Amazon Web Services data center in Montreal — the first of its kind to be located outside the U.S., and Microsoft Cloud has already opened data centers in Toronto and Quebec City.

Rapidly evolving data sovereignty laws will play an increasingly significant role in data center location strategy. As data storage centers continue to appear around the world, the industry is quickly becoming too large for any one nation to own.

THE RIPPLE EFFECT OF DATA PROTECTION LAW

It may be tricky for users and providers alike to navigate this changing map. For example, consider this VMWare blog conundrum: If an English organization is using a data center in England, but that data center is owned by an American entity, then that data would be subject to the U.S. Patriot Act. The U.S.-owned enterprise may boast top calculating speeds and robust security — but is it worth the potential risk of intrusion for a British company to use it?

That kind of debate is becoming increasingly prevalent. It’s also a key reason why strong local cloud service providers could become a compelling option in some countries in the future. A sophisticated, localized storage provider could theoretically simplify compliance. It could also potentially attract more customers by specializing in specific niche sectors, such as financial services and health care, which are especially vulnerable to privacy issues — in addition to being highly regulated.

But there’s still plenty of space for the large players, too. In fact, a current trend for many large data center providers is to move toward what could be called a “more-is-more approach.” Upon calculated study, it appears many industry owners are looking to meet rising consumer demand around the world by creating a scenario where more data centers are indeed located in more places.

HOW TO STAY AHEAD TO IMPROVE DATA CENTER LOCATION DECISIONS

For players of all sizes, the fact that comprehensive laws exist now does not make them any easier to comply with. According to academic research cited above, a 2014 report found that almost three quarters of cloud services did not meet European data residency requirements.

One reason is that wildly varying data laws can make it especially hard for users to determine which categories of data must be stored within the country where it’s used — and which can legally be moved across the border. For example, which pieces of a retail company’s consumer data constitute personal data under the law in Germany? How about in China?

Just as there is no such thing as one-size-fits-all data center strategy, there’s also no one right way to manage compliance and other sovereignty-related challenges. In some settings, large campuses will be best suited to accommodate intense server space demand, with optimal processing times. In other cases, locally owned options may streamline compliance and therefore make a better fit.

Data center users and providers can both find value in leveraging sophisticated analytics: For users, current legal data combined with market-specific industry insight can ensure they choose the locations that will work best for their specific needs. For providers, predictive data can be used to evaluate their customers’ true need, wherever they are. And by offering built-in flexibility to their contracts, providers can give users room to adjust quickly to market changes and evolving legal requirements — while staying ahead themselves.

Of course to untangle the legal complexities, while optimizing data strategy, it is also wise to combine human expertise with sophisticated technology. When considering location options in this changing landscape, look for partners who can make sense of sophisticated data. By comparing various data center locations with interactive dashboards, decision-makers can narrow down the options in any given market according to compliance issues — as well as all other elements needed to make the best decision, from demographic trends to infrastructure costs.

Every organization owns data — but, it may not entirely own the decision of where to house it. By knowing the laws, providers and users alike can stay ahead of their competition and within the law, while doing what is most important: assuring secure, agile information is available when and where consumers need it.