People and companies are generally subject to the laws of the country and city where they are located, and those laws can change when they move to a new place. However, the situation becomes more complicated when considering data, which can be subject to multiple jurisdictions depending on where it is collected, processed, and stored.
If you live in France, for example, and a US tech company stores your data in servers located in California, which laws are relevant to your most valuable information?
The answer to that question is becoming more important every day, as more and more people interact with products, apps, and programs from all over the globe. The central principle of data sovereignty is that data should be subject to the laws of the country where it was generated and collected.
As the ongoing saga over how Meta processes Europeans’ data demonstrates, however, this concept is being challenged. How data sovereignty is applied — or not — to your data will have a lasting impact on the internet as a whole.
This article will explain the concept, why it matters, and how it can be achieved so your business remains secure and compliant with the strictest of data sovereignty regulations.
- What is data sovereignty?
- Which laws apply to my data?
- Who opposes data sovereignty?
- Why data sovereignty matters: The Meta case
- Best practices for your business
- Proton’s approach
What is data sovereignty?
Many people tend to think of data as an abstract concept, a nebulous collection of personal data points that exists in an ill-defined space. In reality, however, there are concrete statements we can make about most data to better understand where it is being stored:
- Your data comes with fairly exact metadata: This information can pinpoint when and where it was collected, which format it is encoded in, and an identifier linked to the person or device where it originated.
- Data is always stored somewhere in the physical world: This information occupies a well-defined physical space, measured in bytes on a computer or server.
- A large portion of data comes from your devices: It may be no surprise that there are more mobile phones in the world than people. That’s why data generation and collection tend to start on your device before it is sent to another location — such as the cloud or remote servers — to be processed and stored.
All that data is often generated in one country and stored in another, which raises an important question.
Which laws apply to my data?
This is where data sovereignty enters the picture. Data sovereignty is the concept that it doesn’t matter where the data is stored — the laws that should govern data are the laws of the country where the data was generated and collected.
This makes intuitive sense. These are the same laws that also govern, in most cases, the person who generated the data. Why would it be different for their data?
The immediate consequence of data sovereignty for a company that collects and stores people’s data, however, is that it must adopt data governance policies and technical measures to ensure the legal protections governing that data are respected and implemented.
Who opposes data sovereignty?
Some of the staunchest critics of data sovereignty are cloud storage providers. Their business model depends on selling cold storage, computing power, or whole backend infrastructures to companies.
Their physical servers are often located in countries outside their client’s jurisdiction — or they might reside in the same country as the client company while the cloud provider is headquartered in a different country.
If data sovereignty is enforced, these companies must meet new obligations, which can increase their overhead and complicate their workflows.
Why data sovereignty matters: The Meta case
Meta’s attempts to collect and process the data of people in the European Union, and the resulting lawsuits, perfectly demonstrate the idea of data sovereignty.
In 2023, the EU fined Meta a record $1.3 billion in a decadeslong court case and ordered it to cease sending users’ personal data across the Atlantic.
In a nutshell: Meta transferred all the data it collects from EU countries to its servers in the US so that it could process it and use it to sell ads. Thanks to data sovereignty protections in the GDPR, all data that is collected from people in the EU must be processed and stored within the EU.
Max Schrems, founder of the European Center for Digital Rights (NOYB), argued that Meta and the US government do not meet the GDPR’s standard of protection, as the US government implements mass surveillance programs and has the ability to force US companies to share information they’ve collected.
The Court of Justice of the European Union agreed, and the litigation has shifted to finding an appropriate solution. None of this would be possible, however, if it weren’t for the principle of data sovereignty. If data collected in the EU no longer fell within the parameters of EU law, Schrems and NOYB would not have been able to make a strong case, much less win.
Best practices for your business
If you run a small business, having all your storage and computation needs fulfilled by an on-premise infrastructure — and therefore not relying on any contractor servers — is a possible way of achieving data sovereignty.
This is hardly cost-effective or efficient, however, for many businesses, especially smaller ones. Here are some alternative solutions and other best practices to consider:
- Conduct a data audit: Regularly assess where and how your data is stored and processed. This is a vital step that companies often overlook. Understanding the flow of data inside your organization can help identify potential compliance issues and areas where there is room for improvement.
- Use end-to-end encrypted email services: Ensure that all data communication methods and storage solutions use end-to-end encryption. This provides a robust layer of security, protecting data both at rest and in transit. Proton, for example, offers a comprehensive range of services that deploy both end-to-end encryption and zero-access encryption to allow you to remain compliant and secure. When you use Proton Mail, your messages are automatically end-to-end encrypted — you don’t need to do anything.
- Use a privacy-first cloud provider: Choose cloud service providers that prioritize privacy and comply with data sovereignty laws. Proton Drive, for example, can support businesses in meeting those requirements. End-to-end encryption and the protections of Swiss privacy laws will ensure your data is secure and shielded from unauthorized access.
Proton’s approach
When you team up with Proton, you are protecting your business data so that no one, not even Proton, can access it. The keys to your most valuable information will remain in your possession at all times, ensuring your data meets the strictest data sovereignty regulations.
Proton started as a crowdfunded project led by scientists who met at CERN (the European Organization for Nuclear Research). Our goal is to reshape the internet to put people and organizations in control of their data.
Switching to Proton Mail is simple with our Easy Switch feature, allowing you to seamlessly transition all your emails, contacts, and calendars from other services.
Proton Mail, our end-to-end encrypted email, and Proton Drive, our end-to-end encrypted cloud storage service, make it easy to meet data protection and privacy requirements.
Discover how Proton can make compliance simple for your organization by signing up for Proton for Business or emailing our Partner Success team.