Data Sovereignty

In part 2 of our 3-part blog series on data protection for CARICOM and the public sector, our Director of Public Sector, Eamonn Sheehy, discusses the implications around data sovereignty for government clouds.

Hosting sensitive data on cloud infrastructure located in another country or jurisdiction without a clear understanding of the laws governing both the enterprise contracted to host the data and the storage location of the data, poses a significant risk to government and the adoption of public cloud environments. This is particularly true when dealing with sensitive personal, economic or strategic data, which may be subject to specific data privacy legislation in the country where the data originates from.

For the sake of simplicity, we have broken down the risk issues into two parts, namely:

  1. Jurisdiction over data
  2. Access to the data and computing resources to process the data

Jurisdiction over Data

When it comes to data jurisdiction, hosting sensitive information outside of your home jurisdiction without clear legal agreements between the government of the country generating the data, and those storing it, opens the possibility of losing control over who can have access to this data. Although this may sound far fetched or perceived as a relatively minor risk, it is a risk with very real implications. This risk is increased when national governments enforce data privacy legislation, with the possibility of lawsuits by citizens or local commercial entities due to “disclosure” of information to non-jurisdictional entities.

According to a 2016 report by the BBC, “concerns around data privacy, particularly in Europe following the rescinding of the Safe Harbour data sharing agreement and the Edward Snowden leaks, mean providers are increasingly offering the option to host data in customers’ own regions”.

Access to the Data and Computing Resources to Process Data

CARICOM countries with cloud-based data and applications residing outside of their jurisdiction also need to be concerned with accessibility. For example, official trade embargoes or sanctions enforced by countries where data may reside in or, be processed in, could affect an organization’s ability to access or manipulate that data.

In a publication from The Brookings Institute's Center for Technology Innovations, it was noted governments have been known to impact access to information and websites located in foreign jurisdictions for a variety of reasons, including economic and political. According to the publication,

“These commercial Internet restrictions include routing traffic to domestically-owned companies, blocking particular sites, or degrading Internet access enough that users turn to alternative and usually domestic websites.

These Internet restrictions are also frequently vague, not easily understood and are administered in an arbitrary and non-transparent manner. For instance, the foreign company may not be aware that access to its website has been blocked”

While these examples of government “interference” in accessing internet resources generally apply to blocking access of citizens and entities within the jurisdiction from particular foreign internet resources, the same techniques can easily be used to prevent foreign entitles from accessing resources within the jurisdiction. It is therefore easy to understand that jurisdictions in which cloud-based applications and data reside can interdict access by a foreign government or commercial entity to their own data or cloud-based applications that reside outside of that country’s jurisdiction.

In addition to the potential government interdiction, the recent US decision to revoke “net neutrality” could also have negative consequences for accessing remote cloud-based applications and data stored in the US via a multinational cloud service provider based there. This could lead to governments and commercial operators in the Caribbean paying higher costs to access cloud-based information and applications hosted in the USA or accessed via the USA.

How CARICOM can Combat Issues with Data Sovereignty

CARICOM countries need to consider ways to protect data sovereignty and privacy, especially ahead of the implementation of a “single ICT space”. Approaches like those of the EU, where sensitive data is required to stay within jurisdictional control, should be pursued regionally by CARICOM to maintain data integrity and privacy for citizens and commercial operators.

However, achieving this potential for a vibrant regionally based commercial cloud services environment is no easy feat. This sector is very much still in its infancy in the Caribbean, and unlike the larger and more developed markets of the EU, US, Canada, and China, none of the major international cloud services players have cloud infrastructure located within the CARICOM jurisdictional region. This leaves room for local and regional cloud providers to flourish, with dedicated infrastructure and cloud services to serve this gap in the market.

How about Private Government Cloud Environments for the Caribbean? 

One might argue that CARICOM governments should just establish their own private cloud environments within their specific jurisdiction. However, as highlighted in the article Why the Caribbean’s digital future depends upon the cloud, this would be a very expensive and resource intensive approach and would not solve the issues around disaster recovery and business continuity. It would also not improve the situation for commercial operators, particularly small and medium-sized companies (SMEs), which make up a substantial part of the Caribbean economic activity. A more sustainable approach involves encouraging growth among the commercial cloud services sector in the region. This could ensure all CARICOM countries can maintain data sovereignty throughout the region, and have more control over their data and applications.