In part 2 of our 3-part blog series on data protection for CARICOM and the public sector, our Director of Public Sector, Eamonn Sheehy, discusses the implications of data sovereignty for government clouds.
Hosting sensitive data on cloud infrastructure located in another country or jurisdiction without a clear understanding of the laws governing both the enterprise contracted to host the data and the storage location of the data, poses a significant risk to government and the adoption of public cloud environments. This is particularly true when dealing with sensitive personal, economic, or strategic data, which may be subject to specific data privacy legislation in the country where the data originates from.
For the sake of simplicity, we have broken down the risk issues into two parts, namely:
- Jurisdiction over data
- Access to data & computing resources to process data
1. Jurisdiction over Data
When it comes to data jurisdiction, hosting sensitive information outside of your home country without clear legal agreements between the government of the country generating the data, and those storing it can make it difficult to determine who controls access to this data. This can have very serious implications, particularly in cases where governments seek to enforce data privacy legislation. Your organization could be left open to the possibility of lawsuits by citizens or local commercial entities due to “disclosure” of information to non-jurisdictional entities.
2. Access to Data & Computing Resources to Process Data
CARICOM countries with cloud-based data and applications residing outside of their home jurisdictions also need to be concerned about accessibility. For example, official trade embargoes or sanctions enforced by countries where data may reside, or be processed in, could impact an organization’s ability to access or manipulate that data.
In 2016, a publication from The Brookings Institute's Center for Technology Innovations noted that governments have been known to impact access to information and websites located in foreign jurisdictions for a variety of reasons, including economic and political. At the time, this ranged from commercial Internet restrictions, routing traffic to domestically-owned companies, blocking particular sites, or degrading Internet access enough that users turn to alternative and usually domestic websites.
In 2022, governments continue to restrict access to certain online information. An exploratory study conducted by Comparitech lists countries like North Korea, Australia, and others as the most restrictive in terms of online freedom of access to information.
While these examples of government “interference” in accessing internet resources generally apply to blocking access of citizens and entities within the jurisdiction from particular foreign internet resources, the same techniques can easily be used to prevent foreign entities from accessing resources within the jurisdiction. It is therefore easy to understand that jurisdictions in which cloud-based applications and data reside can interdict access by a foreign government or commercial entity to their own data or cloud-based applications that reside outside of that country’s jurisdiction.
In addition to the potential government interdiction, the recent US decision to revoke “net neutrality” could also have negative consequences for accessing remote cloud-based applications and data stored in the US via a multinational cloud service provider based there. This could lead to governments and commercial operators in the Caribbean paying higher costs to access cloud-based information and applications hosted in the USA or accessed via the USA.
How CARICOM can Combat Issues with Data Sovereignty
CARICOM countries need to consider ways to protect data sovereignty and privacy, especially ahead of the implementation of a “single ICT space”. Approaches like those of the EU, where sensitive data is required to stay within jurisdictional control, should be pursued regionally by CARICOM to maintain data integrity and privacy for citizens and commercial operators.
However, achieving this potential for a vibrant regionally based commercial cloud services environment is no easy feat. This sector is very much still in its infancy in the Caribbean, and unlike the larger and more developed markets of the EU, US, Canada, and China, none of the major international cloud services players have cloud infrastructure located within the CARICOM jurisdictional region. This leaves room for local and regional cloud providers to flourish, with dedicated infrastructure and cloud services to serve this gap in the market.
Private Government Cloud Environments for the Caribbean?
One might argue that CARICOM governments should just establish their own private cloud environments within their specific jurisdiction. However, as highlighted in the article “Why the Caribbean’s digital future depends upon the cloud”, this would be a very expensive and resource-intensive approach and would not solve the issues around disaster recovery and business continuity. It would also not improve the situation for commercial operators, particularly small and medium-sized companies (SMEs), which make up a substantial part of the Caribbean economic activity. A more sustainable approach involves encouraging growth in the commercial cloud services sector in the region. This could ensure all CARICOM countries can maintain data sovereignty throughout the region and have more control over their data and applications.