Proton

What is data sovereignty and why does it matter for your business?

People and companies are generally subject to the laws of the place where they are located, and those laws change when they move somewhere else. Data complicates this picture: a single record can be subject to several jurisdictions at once, depending on where it is collected, where it is processed, and where it is stored.

If you live in France, for example, and a US tech company stores your data in servers located in California, which laws are relevant to your most valuable information?

The answer to that question matters more every day, as more and more people interact with products, apps, and services from all over the globe. The central principle of data sovereignty is that data should be subject to the laws of the country where it was generated and collected.

As the ongoing saga over how Meta processes Europeans’ data demonstrates, however, this concept is being challenged. How data sovereignty is applied — or not — to your data will have a lasting impact on the internet as a whole.

This article will explain the concept, why it matters, and how it can be achieved so your business remains secure and compliant with the strictest of data sovereignty regulations.

What is data sovereignty?

Many people think of data as something abstract, a nebulous cloud of personal data points with no particular location. In reality, there are concrete things we can say about most data that help pin down where it lives:

  • Your data comes with fairly exact metadata: This information can pinpoint when and where it was collected, which format it is encoded in, and an identifier linked to the person or device where it originated.
  • Data is always stored somewhere in the physical world: It occupies bytes on a specific disk in a specific facility, and that facility sits inside a specific legal jurisdiction.
  • A large portion of data comes from your devices: There are more mobile phones in the world than people. That’s why data generation and collection tend to start on your device before the data is sent to another location, such as the cloud or remote servers, to be processed and stored.

All that data is often generated in one country and stored in another, which raises an important question.

Which laws apply to my data?

This is where data sovereignty enters the picture. Data sovereignty is the concept that it doesn’t matter where the data is stored: the laws that should govern data are the laws of the country where the data was generated and collected. (This is distinct from data residency, which describes only where data is physically stored, and from data localization laws, which require certain data to be stored within a country’s borders.)

This makes intuitive sense. These are the same laws that also govern, in most cases, the person who generated the data. Why would it be different for their data?

The immediate consequence of data sovereignty for a company that collects and stores people’s data, however, is that it must adopt data governance policies and technical measures to ensure the legal protections governing that data are respected and implemented.

Who opposes data sovereignty?

Some of the staunchest critics of data sovereignty are cloud providers, whose business model depends on selling storage, computing power, or whole backend infrastructures to other companies.

Their physical servers are often located in countries outside their client’s jurisdiction, or they might reside in the same country as the client company while the cloud provider is headquartered in a different country. The second case matters more than it looks: the US CLOUD Act of 2018, for example, lets US authorities compel US-headquartered providers to hand over data they control regardless of where the servers sit.

If data sovereignty is enforced, these companies must meet new obligations, which can increase their overhead and complicate their workflows.  

Why data sovereignty matters: The Meta case

Meta’s attempts to collect and process the data of people in the European Union, and the lawsuits that followed, illustrate the idea of data sovereignty well.

In May 2023, Ireland’s Data Protection Commission, acting under the GDPR and a binding decision of the European Data Protection Board, fined Meta a record €1.2 billion (about $1.3 billion) after a decade-long legal battle and ordered it to stop sending EU users’ personal data across the Atlantic.

In a nutshell: Meta transferred the personal data it collects from people in EU countries to its servers in the US so that it could process it and use it to sell ads. The GDPR does not forbid transfers outright, but it only allows personal data collected in the EU to be moved to a third country when that country, or the mechanism used for the transfer, guarantees a level of protection essentially equivalent to EU law.

Max Schrems, founder of the European Center for Digital Rights (NOYB), argued that transfers to Meta in the US do not meet the GDPR’s standard of protection, because the US government runs mass surveillance programs and can force US companies to share the information they have collected.

The Court of Justice of the European Union agreed, striking down the Safe Harbor transfer framework in 2015 and its successor, Privacy Shield, in 2020, and the dispute has since shifted to finding a transfer mechanism that actually satisfies EU law. None of this would have been possible, however, without the principle of data sovereignty. If data collected in the EU no longer fell within the scope of EU law, Schrems and NOYB would not have been able to make a strong case, much less win.

Best practices for your business

If you run a small business, having all your storage and computation needs met by on-premises infrastructure, and therefore not relying on any third-party servers, is one way of achieving data sovereignty.

For many businesses, especially smaller ones, that is neither cost-effective nor efficient. Here are some alternative solutions and other best practices to consider:

  1. Conduct a data audit: Regularly map where and how your data is stored and processed, including which providers hold it, in which regions, and under which headquarters jurisdiction. This is a vital step that companies often overlook. Understanding how data flows inside and outside your organization helps identify compliance issues and areas where there is room for improvement.
  2. Use end-to-end encrypted email services: Ensure that all data communication methods and storage solutions use end-to-end encryption. This protects data both at rest and in transit. Encryption does not change which laws apply to your data, but when only you hold the keys, a provider that is compelled to hand over what it stores can only hand over ciphertext. Proton, for example, offers a range of services that deploy both end-to-end encryption and zero-access encryption to help you remain compliant and secure. When you use Proton Mail, your messages are automatically end-to-end encrypted; you don’t need to do anything.
  3. Use a privacy-first cloud provider: Choose cloud service providers that prioritize privacy and comply with data sovereignty laws. Proton Drive, for example, can support businesses in meeting those requirements. End-to-end encryption, combined with the protections of Swiss privacy law, helps keep your data secure and shielded from unauthorized access.

Proton’s approach

When you team up with Proton, your business data is encrypted so that no one, not even Proton, can read it. The keys to your most valuable information remain in your possession at all times, which helps your data meet the strictest data sovereignty regulations.

Proton started as a crowdfunded project led by scientists who met at CERN (the European Organization for Nuclear Research). Our goal is to reshape the internet to put people and organizations in control of their data.

Switching to Proton Mail is simple with our Easy Switch feature, allowing you to seamlessly transition all your emails, contacts, and calendars from other services.

Proton Mail, our end-to-end encrypted email, and Proton Drive, our end-to-end encrypted cloud storage service, make it easy to meet data protection and privacy requirements. 

Discover how Proton can make compliance simple for your organization by signing up for Proton for Business or emailing our Partner Success team.
