Proton

What is data sovereignty and why does it matter for your business?

People and companies are generally subject to the laws of the country and city where they are located, and those laws can change when they move to a new place. However, the situation becomes more complicated when considering data, which can be subject to multiple jurisdictions depending on where it is collected, processed, and stored.

If you live in France, for example, and a US tech company stores your data in servers located in California, which laws are relevant to your most valuable information?

The answer to that question is becoming more important every day, as more and more people interact with products, apps, and programs from all over the globe. The central principle of data sovereignty is that data should be subject to the laws of the country where it was generated and collected.

As the ongoing saga over how Meta processes Europeans’ data demonstrates, however, this concept is being challenged. How data sovereignty is applied — or not — to your data will have a lasting impact on the internet as a whole.

This article will explain the concept, why it matters, and how it can be achieved so your business remains secure and compliant with the strictest of data sovereignty regulations.

What is data sovereignty?

Many people tend to think of data as an abstract concept, a nebulous collection of personal data points that exists in some ill-defined space. In reality, however, there are concrete statements we can make about most data to better understand where it is being stored:

  • Your data comes with fairly exact metadata: This information can pinpoint when and where it was collected, which format it is encoded in, and an identifier linked to the person or device where it originated.
  • Data is always stored somewhere in the physical world: This information occupies a well-defined physical space, measured in bytes on a computer or server.
  • A large portion of data comes from your devices: It may be no surprise that there are more mobile phones in the world than people. That’s why data generation and collection tend to start on your device before it is sent to another location — such as the cloud or remote servers — to be processed and stored.

All that data is often generated in one country and stored in another, which raises an important question.

Which laws apply to my data?

This is where data sovereignty enters the picture. Data sovereignty is the concept that it doesn’t matter where the data is stored — the laws that should govern data are the laws of the country where the data was generated and collected.  

This makes intuitive sense. These are the same laws that also govern, in most cases, the person who generated the data. Why would it be different for their data?

The immediate consequence of data sovereignty for a company that collects and stores people’s data, however, is that it must adopt data governance policies and technical measures to ensure the legal protections governing that data are respected and implemented.

Who opposes data sovereignty?

Some of the staunchest critics of data sovereignty are cloud storage providers. Their business model depends on selling cold storage, computing power, or whole backend infrastructures to companies. 

Their physical servers are often located in countries outside their client’s jurisdiction — or they might reside in the same country as the client company while the cloud provider is headquartered in a different country.

If data sovereignty is enforced, these companies must meet new obligations, which can increase their overhead and complicate their workflows.  

Why data sovereignty matters: The Meta case

Meta’s attempts to collect and process the data of people in the European Union and resulting lawsuits perfectly demonstrate the idea of data sovereignty. 

In 2023, the EU fined Meta a record $1.3 billion in a decade-long court case and ordered it to cease sending users’ personal data across the Atlantic.

In a nutshell: Meta transferred all the data it collected from EU countries to its servers in the US so that it could process it and use it to sell ads. Thanks to data sovereignty protections in the GDPR, all data that is collected from people in the EU must be processed and stored within the EU.

Max Schrems, founder of the European Center for Digital Rights (NOYB), argued that Meta and the US government do not meet the GDPR’s standard of protection, because the US government operates mass surveillance programs and has the ability to force US companies to share the information they’ve collected.

The Court of Justice of the European Union agreed, and the litigation has shifted to finding an appropriate solution. None of this would be possible, however, if it weren’t for the principle of data sovereignty. If data collected in the EU no longer fell within the parameters of EU law, Schrems and NOYB would not have been able to make a strong case, much less win. 

Best practices for your business

If you run a small business, having all your storage and computation needs fulfilled by an on-premises infrastructure — and therefore not relying on any contractor servers — is a possible way of achieving data sovereignty.

For many businesses, especially smaller ones, however, this is hardly cost-effective or efficient. Here are some alternative solutions and other best practices to consider:

  1. Conduct a data audit: Regularly assess where and how your data is stored and processed. This is a vital step that companies often overlook. Understanding the flow of data inside your organization can help identify potential compliance issues and areas where there is room for improvement.
  2. Use end-to-end encrypted email services: Ensure that all data communication methods and storage solutions use end-to-end encryption. This provides a robust layer of security, protecting data both at rest and in transit. Proton, for example, offers a comprehensive range of services that deploy both end-to-end encryption and zero-access encryption to allow you to remain compliant and secure. When you use Proton Mail, your messages are automatically end-to-end encrypted — you don’t need to do anything.
  3. Use a privacy-first cloud provider: Choose cloud service providers that prioritize privacy and comply with data sovereignty laws. Proton Drive, for example, can support businesses in meeting those requirements. End-to-end encryption and the protections of Swiss privacy laws will ensure your data is secure and shielded from unauthorized access.
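The data audit in step 1, together with the provider-location concern behind steps 2 and 3, can be turned into a repeatable check. The following Python script is an added example, not Proton's code or anything from the article. It runs over a constructed inventory of datasets, using a hypothetical country-to-jurisdiction map and an allowed-destination policy that are assumptions for the example, and flags data that is stored, processed, or held by a provider headquartered outside the jurisdiction where it was collected. Whether the provider can read the data (no end-to-end encryption) changes the severity of the headquarters finding.

```python
"""Data-residency audit over a dataset inventory (added example, not Proton's code)."""
from dataclasses import dataclass

# Assumption for this example: a small country-to-jurisdiction map and an
# organisation policy listing destinations it accepts for data from a given
# home jurisdiction. The article's rule (data collected in the EU stays in
# the EU) is the "home" case; ALLOWED_DESTINATIONS is a hypothetical policy
# choice, not a statement about any law.
JURISDICTION = {"FR": "EU", "DE": "EU", "IE": "EU", "NL": "EU", "CH": "CH", "US": "US"}
ALLOWED_DESTINATIONS = {"EU": {"CH"}}
SEVERITY_RANK = {"high": 0, "medium": 1}


@dataclass(frozen=True)
class Dataset:
    name: str
    collected_in: str            # country of the people the data is about
    stored_in: tuple[str, ...]   # countries hosting the storage servers
    processed_in: tuple[str, ...]
    provider_hq: str             # where the cloud/storage provider is headquartered
    e2e_encrypted: bool = False  # True if the provider never holds the keys


@dataclass(frozen=True)
class Finding:
    dataset: str
    severity: str   # "high" or "medium"
    detail: str


def jurisdiction_of(country: str) -> str:
    return JURISDICTION.get(country, country)


def location_allowed(home: str, country: str) -> bool:
    """A location is acceptable if it is in the home jurisdiction or in a
    destination the policy explicitly allows for that home jurisdiction."""
    j = jurisdiction_of(country)
    return j == home or j in ALLOWED_DESTINATIONS.get(home, set())


def audit(datasets) -> list[Finding]:
    """Return residency findings for every dataset in the inventory."""
    findings = []
    for ds in datasets:
        home = jurisdiction_of(ds.collected_in)
        # Storage and processing outside the home jurisdiction (and outside
        # the allowed destinations) is the core data-sovereignty conflict.
        for stage, countries in (("stored", ds.stored_in), ("processed", ds.processed_in)):
            for country in countries:
                if not location_allowed(home, country):
                    findings.append(Finding(ds.name, "high",
                                            f"{stage} in {country} but collected in {home}"))
        # The provider's headquarters matters even when the servers are local:
        # a provider can be compelled by its own jurisdiction to hand over data
        # it can read. With end-to-end encryption the provider has no keys, so
        # the exposure drops to metadata and availability; rate it medium.
        if not location_allowed(home, ds.provider_hq):
            if ds.e2e_encrypted:
                findings.append(Finding(ds.name, "medium",
                                        f"provider headquartered in {ds.provider_hq}; "
                                        "content end-to-end encrypted, metadata still exposed"))
            else:
                findings.append(Finding(ds.name, "high",
                                        f"provider headquartered in {ds.provider_hq} "
                                        "and able to read the data"))
    return findings


def summarize(findings) -> dict[str, list[str]]:
    """Group findings per dataset, highest severity first, for a report."""
    report: dict[str, list[str]] = {}
    for f in sorted(findings, key=lambda f: (f.dataset, SEVERITY_RANK[f.severity])):
        report.setdefault(f.dataset, []).append(f"[{f.severity}] {f.detail}")
    return report


# Constructed sample inventory (hypothetical dataset names and locations).
INVENTORY = (
    Dataset("crm-contacts", "FR", ("DE",), ("DE",), "DE"),
    Dataset("analytics-events", "FR", ("US",), ("US",), "US"),
    Dataset("shared-docs", "DE", ("CH",), ("CH",), "CH", e2e_encrypted=True),
    Dataset("email-archive", "NL", ("IE",), ("IE",), "US", e2e_encrypted=True),
)

if __name__ == "__main__":
    for name, lines in summarize(audit(INVENTORY)).items():
        print(name)
        for line in lines:
            print("  " + line)
```

On the constructed inventory, `crm-contacts` and `shared-docs` produce no findings, `analytics-events` is flagged three times at high severity (stored, processed, and held by a US-headquartered provider that can read it), and `email-archive` gets a single medium finding because its servers are in the EU but the provider is headquartered in the US. Extending the inventory is a matter of adding `Dataset` rows; the policy map is where an organisation records which destinations its own legal review has approved.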

Proton’s approach

When you team up with Proton, you are protecting your business data so that no one, not even Proton, can access it. The keys to your most valuable information will remain in your possession at all times, ensuring your data meets the strictest data sovereignty regulations.

Proton started as a crowdfunded project led by scientists who met at CERN (the European Organization for Nuclear Research). Our goal is to reshape the internet to put people and organizations in control of their data.

Switching to Proton Mail is simple with our Easy Switch feature, allowing you to seamlessly transition all your emails, contacts, and calendars from other services.

Proton Mail, our end-to-end encrypted email, and Proton Drive, our end-to-end encrypted cloud storage service, make it easy to meet data protection and privacy requirements. 

Discover how Proton can make compliance simple for your organization by signing up for Proton for Business or emailing our Partner Success team.

