Proton
Suscríbase mediante RSS

What is data sovereignty and why does it matter for your business?

Edward Komenda

Compartir esta página

People and companies are generally subject to the laws of the country and city where they are located, and those laws can change when they move to a new place. However, the situation becomes more complicated when considering data, which can be subject to multiple jurisdictions depending on where it is collected, processed, and stored.

If you live in France, for example, and a US tech company stores your data in servers located in California, which laws are relevant to your most valuable information?

The answer to that question is becoming more important every day, as more and more people interact with products, apps, and programs from all over the globe. The central principle of data sovereignty is that data should be subject to the laws of the country where it was generated and collected

As the ongoing saga over how Meta processes Europeans’ data(new window) demonstrates, however, this concept is being challenged. How data sovereignty is applied — or not — to your data will have a lasting impact on the internet as a whole. 

This article will explain the concept, why it matters, and how it can be achieved so your business remains secure and compliant with the strictest of data sovereignty regulations.

What is data sovereignty?

Many people tend to think of data as an abstract concept, a nebulous collection of personal data points that exists in space that is ill-defined. In reality, however, there are concrete statements we can make about most data to better understand where it is being stored:

  • Your data comes with fairly exact metadata: This information can pinpoint when and where it was collected, which format it is encoded in, and an identifier linked to the person or device where it originated
  • Data is always stored somewhere in the physical world: This information occupies a well-defined physical space, measured in bytes on a computer or server. 
  • A large portion of data comes from your devices: It may be no surprise that there are more mobile phones in the world than people(new window). That’s why data generation and collection tend to start on your device before it is sent to another location — such as the cloud or remote servers — to be processed and stored.

All that data is often generated in one country and stored in another, which raises an important question.

Which laws apply to my data?

This is where data sovereignty enters the picture. Data sovereignty is the concept that it doesn’t matter where the data is stored — the laws that should govern data are the laws of the country where the data was generated and collected.  

This makes intuitive sense. These are the same laws that also govern, in most cases, the person who generated the data. Why would it be different for their data?

The immediate consequence of data sovereignty for a company that collects and stores people’s data, however, is that it must adopt data governance policies and technical measures to ensure the legal protections governing that data are respected and implemented.

Who opposes data sovereignty?

Some of the staunchest critics of data sovereignty are cloud storage providers. Their business model depends on selling cold storage, computing power, or whole backend infrastructures to companies. 

Their physical servers are often located in countries outside their client’s jurisdiction — or they might reside in the same country as the client company while the cloud provider is headquartered in a different country.

If data sovereignty is enforced, these companies must meet new obligations, which can increase their overhead and complicate their workflows.  

Why data sovereignty matters: The Meta case

Meta’s attempts to collect and process the data of people in the European Union and resulting lawsuits perfectly demonstrate the idea of data sovereignty. 

In 2023, the EU fined Meta a record $1.3 billion(new window) in a decadeslong court case(new window) and ordered it to cease sending users’ personal data across the Atlantic.

In a nutshell: Meta transferred all the data it collects from EU countries to its servers in the US so that it could process it and use it to sell ads. Thanks to data sovereignty protections in the GDPR(new window), all data that is collected from people in the EU must be processed and stored within the EU.

Max Schrems, founder of the European Center for Digital Rights(new window) (NOYB), argued that Meta and the US government do not meet the GDPR’s standard of protection(new window), as it implements mass surveillance programs and has the ability to force US companies to share information they’ve collected. 

The Court of Justice of the European Union agreed, and the litigation has shifted to finding an appropriate solution. None of this would be possible, however, if it weren’t for the principle of data sovereignty. If data collected in the EU no longer fell within the parameters of EU law, Schrems and NOYB would not have been able to make a strong case, much less win. 

Best practices for your business

If you run a small business, having all your storage and computation needs fulfilled by an on-premise infrastructure — and therefore not relying on any contractor servers — is a possible way of achieving data sovereignty.

This is hardly cost-effective and efficient, however, for many businesses, especially smaller ones. Here are some alternative solutions and other best practices to consider: 

  1. Conduct a data audit: Regularly assess where and how your data is stored and processed. This is a vital step that companies often overlook. Understanding the flow of data inside your organization can help identify potential compliance issues and areas where there is room for improvement.
  2. Use end-to-end encrypted email services: Ensure that all data communication methods and storage solutions use end-to-end encryption. This provides a robust layer of security, protecting data both at rest and in transit. Proton, for example, offers a comprehensive range of services that deploys both end-to-end encryption and zero-access encryption to allow you to remain compliant and secure. When you use Proton Mail, your messages are automatically end-to-end encrypted — you don’t need to do anything.
  3. Use a privacy-first cloud provider: Choose cloud service providers that prioritize privacy and comply with data sovereignty laws. Proton Drive, for example, can support businesses in meeting those requirements. End-to-end encryption and the protections of Swiss privacy laws will ensure your data is secure and shielded from unauthorized access.

Proton’s approach

When you team up with Proton, you are protecting your business data so that no one, not even Proton, can access it. The keys to your most valuable information will remain in your possession at all times, ensuring your data meets the strictest data sovereignty regulations.

Proton started as a crowdfunded project led by scientists who met at CERN (the European Organization for Nuclear Research). Our goal is to reshape the internet to put people and organizations in control of their data.

Switching to Proton Mail is simple with our Easy Switch feature, allowing you to seamlessly transition all your emails, contacts, and calendars from other services.

Proton Mail, our end-to-end encrypted email, and Proton Drive, our end-to-end encrypted cloud storage service, make it easy to meet data protection and privacy requirements. 

Discover how Proton can make compliance simple for your organization by signing up for Proton for Business or emailing our Partner Success team.

Proteja su privacidad con Proton
Crear una cuenta gratuita

Artículos relacionados

A Proton blog cover image showing a phone screen with an empty one time password code field
en
  • Guías de privacidad
What is a one time password?
One time passwords are a common method for authenticating your identity – are they safe? We explain what they are and how to use them safely.
en
In response to popular demand, our privacy-first AI writing assistant Proton Scribe is now available for free on our Duo and Family plans, in nine different languages.
en
  • Guías de privacidad
How does Bitcoin work?
It’s easy to understand Bitcoin if you know a few simple concepts. This article explains how Bitcoin works and how to start using it.
A collection of images demonstrating the in-product experience for Proton Drive cloud storage for Business
en
  • Para empresas
  • Actualizaciones del producto
  • Proton Drive
Proton Drive now offers secure cloud storage and docs editor for businesses
Proton Drive provides private and secure file sharing, document editing, and cloud storage for businesses of all sizes. Take control of your company's data.
An illustration of a meeting minutes document, a speech bubble, and the Docs in Proton Drive logo.
en
Download a free meeting minutes template to document and keep track of your team’s discussions, decisions, and action plans.
CJIS Compliance and how Proton secures your data
en
Learn about CJIS compliance, who needs to comply, and how you can access privacy-first tools and services to help meet these standards.