Data Sovereignty, Residency, and Localisation: What's the Deal?

These three terms confuse businesses and individuals alike, and often their very mention is akin to being challenged to a duel between those seeking a service and those wishing to fill that requirement.  Unfortunately, unlike olden times, a winner rarely emerges from the inevitable verbal sparring that ensues.  The global, always-on economy underpinned by many "as a service" (or XaaS) offerings that traverse traditional air, sea, and land borders further fuel this debate, leading to some heated exchanges.

I think it is fair to say that the three terms become interchanged so much that their individual and true meanings are lost.  The COVID-19 pandemic forced all of us to rethink the way we earn and learn remotely, driving the adoption of virtualised services to keep the lights on.  One could make a valid argument this digital transformation is the silver lining of the dark cloud called coronavirus, but not without its challenges.

Our economy rides on data and applications, and that often highly-sensitive information travels to more places, more people, and more systems than ever before.  Protection of this data keeps many of us awake at night, and the prospect of what happens when it falls into the wrong hands causes nightmares when we do fall asleep.  We fool ourselves into believing that we are better at protecting our data than anyone else and dread what could happen when we entrust it to anyone else.

We convince ourselves that anyone outside of our country can't do a better job protecting our information, yet we lack the tools and talent to do it ourselves adequately.  We lack the understanding, awareness, and ability to protect our systems and lack the trust to let anyone else do it – when we can't be bothered to do it ourselves.  Strange days, indeed!

So when an offer arrives to perform these very same services and provide that desired level of assurance, we quickly knock it on the head and smugly declare matters of "data sovereignty" or similar to justify that our data remains on our soil.  We seek out these services on home turf only to find they don't exist, don't meet expectations, or will break the bank. 

And then there is the possibility that it's not even the best out there.  We don't know that because we're refusing to see the rest of the world for the opportunities it provides.  So, before you go hammering a square peg into a round hole, perhaps you should understand the differences between data sovereignty, residency, and localisation and where they apply in your case.

What is Data Sovereignty, Data Residency, and Data Localisation?

If these supposedly mean the same thing, why should we have three terms?  What are the practical differences, and why should they matter?  Why should we and our businesses care?  How do they relate to each other?  The common factor between the three terms is how data privacy impacts international data transmission, but that is where the similarities end.  Untold volumes of data enter and leave our countries every day, so why should it matter if the concept is the same?

I'm glad you asked.  This matter wasn't as much of an issue many years ago, but our obligation to protect that data multiplied exponentially as more data moved into the digital realm. Laws such as the Notifiable Data Breach amendment to the Privacy Act here in Australia and the General Data Protection Regulation (GDPR) in the European Union (EU) have gone all-in towards making the virtual world a safer place for your data.  Since these laws passed in 2018, many more countries have followed suit with laws and regulations to protect the data of their citizens and businesses against unauthorised and unlawful use.

While perceived as a step in the right direction, it's muddied the very same waters it intends to protect by way of misunderstanding by those accountable to the laws. We've arrived at this weird place where we think our data needs to stay at home to protect it from the big, bad internet and all the nefarious (love that word) entities that inhabit dimly-lit rooms, clad in hoodies.

At the core, organisations that gather, process, store, and transmit international data must ensure that data privacy is not at risk when shared beyond borders. Also, understanding the legal requirements and consequences of storing data in certain countries is essential in meeting data privacy and security standards. 

First Up, Data Sovereignty

"Data Sovereignty" is the first expression thrown back at us when we mention using overseas XaaS offerings of any stripe.  The term becomes a stick used to beat us back with our ludicrous ideas of entrusting a foreign entity with our precious data.  Perish the thought!  Far too often, the very mention of using overseas resources and services receives a flippant "data sovereignty" response.  The person making that false claim sits back, smug and content in how they just shot down "the security guy" and is now in the driver's seat. 

Well, my smirking friend, to paraphrase Inigo Montoya in "The Princess Bride", You Keep Using That phrase, I Do Not Think It Means What You Think It Means.

"Data Sovereignty" differs from "Data Residency" in that not only is the data stored in a designated location but is also subject to the laws of the country in which it resides. This difference is crucial, as data subjects (like anyone whose Personally Identifiable Information (PII) is collected, held or processed) will have different privacy and security protections according to where the data centres housing their data physically sits.  So, suppose a Canadian entity's information resides in a data centre located in France. In that case, it falls under French laws and not Canadian laws despite being the data of a Canadian entity.

The inherent problem here is distrust, and we firmly believe that only we, and we alone, can protect our data to the highest standards.  Just because it's ours doesn't mean we're the best to look after it.  When it comes to cybersecurity, the expression, "if you want something done right, do it yourself", doesn't hold water.  There are jurisdictions around the world with far more stringent laws protecting data than we have.  Are there worse?  Of course!  We should realise that just because we can doesn't mean we should.

So, when we throw around the term "Data Sovereignty", we probably mean "Australian Data Remains on Australian Soil". 

Instead, we should be stating "Data Residency", subject to the policy or regulatory matters.  And may I also suggest that if you're going to throw around either term liberally, you understand your business policies regarding each?  Far too many organisations I speak with preach data sovereignty, er, data residency. Still, their organisation lacks the policy to enforce this and does not fall under the regulation they believe.  Sure, it makes more enemies than friends, but you deserve to be told straight up in the interest of protecting your information.

Let's get back to the difference between data sovereignty and data residency because this difference is crucial for businesses.  A government's rights of access to data found within its borders differ widely from country to country.  I watched people's horrified reaction when the United States of America introduced amendments to the Patriot Act in the name of fighting terrorism, and the "woke" crowd decided that the Americans were after everyone's data.  This perception led to an understandable yet misinformed exodus of entities using USA-based services because they didn't want their data poked and prodded by Uncle Sam.  Again, we need to understand that data sovereignty means that the data is governed by the laws of where it resides, regardless of who owns it.

This belief is where Data Sovereignty and Data Residency munge together.  Ensuring your data resides within a specific geographical location (for whatever reason) may be supported by an intention to avoiding/take advantage of laws, regulations, tax regimes, or - imagine- pure preference and comfort is a matter of Data Residency.

The principle that data is subject to the legal protections and punishments of that specific country is a matter of Data Sovereignty.  Got it?  Good!

They are related and are two sides of the same coin, but one is a matter of national legal rights and obligations, while the other is a matter of geography and, often, personal preference. Recognising this distinction will help professionals better prepare for compliant data management and exchange. I'm pretty sure nobody has taken the time to explain this to you before but has been quite comfortable taking your money just the same.

Next, Data Residency

Data residency refers to where a business, industry body or government specifies that their data resides in a geographical location of their choice, usually for regulatory or policy reasons.  But, based on how much time I spent banging on about how it differs from Data Sovereignty above, you already knew that, right?

An example of a Data Residency requirement applies when a business wishes to take advantage of a better tax regime. We know of many companies that do exactly that and then take a beating for not paying "their fair share", which is a subjective battle, but I digress.  So, back to the point at hand. 

Imposing a Data Residency policy will require proof from the business they aren't conducting too much of their core business activities outside that country's borders, including data processing.  They will then impose data residency that requires their use of specific infrastructure and set restrictive data management workflows on their operations (and their cloud service providers) to protect their taxation rights.  As you can see, this gets pretty messy at times with the proliferation of cloud services consumption, use of offshore service providers, and even hosted operations that may replicate elsewhere.

The key takeaway here is that if you are unsure, get people involved that can help untangle it and explain everything to you to make an informed decision.

Finally, Data Localization?

Data Localisation is the most rigorous and restrictive concept of the three, and like data sovereignty, it is another version of data residency based on legal obligations. Interestingly, it's also one of the three growing fastest globally. Let's try to make this as simple as possible because I'm sure the previous two have been nebulous so far.

Data Localization requires data created within specific, defined borders stays explicitly within them. Unlike the two other terms, it's nearly always applied to producing, processing, and storing personal data.  There are exceptions, of course, such as many countries' regulations over taxation, accounting, and gambling, for starters.

In some instances, Data Localisation laws only require that a copy of relevant data remains within the country's borders, often guaranteeing the appropriate government can audit data on its citizens.  Only with due cause to do so, naturally.  This provision allows auditing to occur without contending with foreign privacy and data protection laws, which can get very sticky. India, for example, has a Personal Data Protection Bill, a perfect example.  Over the past few years, many countries like Australia, my homeland of Canada, the European Union, and even individual states within countries like the USA created, improved, and revised their laws in kind.

That said, there are countries where the laws are strict and prevent data from crossing their borders at all.   One country, for example, is Russia's "On Personal Data Law" (OPD Law), which requires storage, processing, updating, and retrieval of data about its citizens is limited to data centre resources within the Russian Federation only.  Many people I speak with believe that is the case here or in their respective countries, and while that may be the case, I encourage people to find out for sure before assuming so.

A common criticism of these laws is that the country uses the guise of "enhanced cybersecurity", "combatting terrorism/law enforcement", or "privacy of their citizens" to conceal the real reason for this protectionism.  Some views I read indicate it inhibits businesses' competitive advantage and limits the influence and growth of government on an international stage.  The result is isolation, silos, and digital factions, sometimes referred to as "splinternet", a term from around 20 years ago.

So, where to from here?

Debates aside, businesses, government, and their respective stakeholders should understand the difference between the three terms. The current misunderstanding is more than simple grammar but a fundamental difference with data management.  Rather than changing the world, start small and start in-house to ensure that your business understands the key differences and how they do (or do not) apply. 

I've found it immensely frustrating to develop solutions when options are limited due mainly to organisations not understanding where Data Sovereignty, Data Residency, and Data Localisation applies, and the requirements to support each.  I will often hear someone state, "we have a data sovereignty policy", when they mean they have a Data Residency Policy or thinking any laws to that effect apply when they're exempt. 

Quite frankly, if your business doesn't have a position, one should be defined as we move more towards virtualised cloud offerings.  Imagine having a conversation with a group that waxes poetic about their cloud-first policy but also about their "Data Sovereignty" policy, and when pressed, can't clearly define the boundaries.

Ask the following questions

What types of data do you possess (personal, financial, medical, etc.), where is it stored/transmitted/used, who or what does it belong to, and what are your obligations towards safeguarding it?

In terms of where the data resides, who owns the facilities, and where are they located?  This vital piece of information matters because there are some fuzzy lines when it comes to Data Sovereignty.  Your data may sit in a data centre in Canada. Still, if an American company owns it, they may have access via the CLOUD act despite the facilities being on Canadian soil.

Have you considered Disaster Recovery and Data Backup implications?  Where is your secondary data centre, and where are your backups held?  This matter has become particularly relevant because cloud-based backups are increasingly common, just like overseas datacentres due to cost or service availability.

How well do your service providers understand the difference between the three terms, how well versed are they in applicable privacy regulations and have they asked themselves the same questions?  Imagine using what you believe is a local company to meet your Data Residency policy only to discover that they consume overseas resources contrary to your requirements?

The first place to start is getting the right people involved and asking the right questions. It's your data at stake, and in many cases, you are responsible for the data of others.  Reach out to me any time to have a chat.

Stay safe out there

Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party.  The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; do not rely upon it as such.  Obtain appropriate legal advice in actual situations.