Our Director of Public Sector, Eamonn Sheehy, discusses the issues of data sovereignty for government cloud environments, in the first of a 3-part blog series on data protection for the public sector.
As more CARICOM governments begin deploying applications and storing potentially sensitive data in public cloud infrastructure, the issue of data sovereignty, privacy, and the potential legal implications of the loss of such sovereignty or privacy can negatively impact their citizenries has become more of a priority. These risks are considerably magnified when applications and data are hosted in public clouds outside a government's jurisdiction, or with global cloud providers with no presence in the Caribbean or Latin America.
While data sovereignty challenges are rarely an issue in more “developed” countries the same cannot be said for countries across the Caribbean and Latin America. Cloud Providers servicing companies based in the US or Europe most likely have a physical cloud infrastructure presence in their country. In the case of European Union member states specifically, countries can insist that sensitive data reside only on cloud infrastructure located within their jurisdiction. This has helped mitigate the risks associated with data sovereignty and allowed organizations to maintain control of where their data resides. Even so, this does not always guarantee control over the data.
Global players, such as Google, Microsoft, or Amazon, typically store both their applications and data across many different data centres across multiple jurisdictions making the issue of jurisdictional sovereignty very complex. Consider a scenario where a Caribbean government hosts data in a public cloud environment with data being located on servers in several external jurisdictions. Which jurisdiction should be allowed to claim sovereignty over the data? Is it the jurisdiction where the government is located, or the jurisdiction where the servers are located?
According to Kristina Irion, Senior Researcher at the Institute for Information Law (IViR) at the University of Amsterdam, an additional legal factor should be considered whereby “certain countries’ legislation has extra-territorial reach and it suffices that the cloud service provider is under an obligation to turn over data in its custody.”
The European Union’s Cybercrime Convention Committee discussion paper on cybercrime recognized that independence of data location is a key characteristic of cloud computing, and therefore “it is often not obvious for criminal justice authorities in which jurisdiction the data is stored and/or which legal regime applies to data.” A service provider may have its headquarters in one jurisdiction and apply the legal regime of a second jurisdiction while the data is stored in a third jurisdiction. Data may be mirrored in several or move between jurisdictions. If the location of data determines the jurisdiction, it is conceivable that a cloud service provider systematically moves data to prevent criminal justice access.
According to a report by the United Nations Commission for Trade and Development (UNCTAD), “increased reliance on cloud-computing solutions also [raises] questions about what jurisdictions apply in specific cases. Such lack of clarity creates uncertainty for consumers and businesses, limits the scope for cross-border exchange, and stifles growth.”
The UNCTAD report goes on to state that “the issue of cloud computing and cross-border data transfers is closely linked to the issue of surveillance since cloud services provided by private sector organizations [has] become a mechanism for accessing personal data by national security agencies.”
It is clear and not surprising the issues of data location, jurisdictional control, and data sovereignty have emerged with the growth of cloud service deployments and are key fundamental policy considerations for both governments and commercial operators.
How Government can Combat Data Sovereignty Issues
CARICOM Governments can minimize the risks of data sovereignty loss by clearly understanding where their cloud-based applications and information reside. This means asking the right questions and partnering with a cloud services provider who can guarantee data will remain within a given jurisdiction. As with any project, the risks and consequences of outcomes must be fully understood, therefore a risk assessment should be conducted to identify any potential vulnerabilities prior to finalizing a decision on the approach to be adopted.
Working with local or regional commercial cloud service providers like Cloud Carib can help considerably in mitigating the risk or loss of data sovereignty.
In the case of CARICOM, the implementation of a common legal framework for data privacy which encompasses the use of a regional cloud computing environment, as part of the development of a single ICT space, could go a long way towards mitigating the risk to data sovereignty. This in turn could bolster confidence in the use of commercial cloud solutions, operating within that legal framework, which can bring significant cost savings and service improvements to governments in their pursuit of digital transformation.
For more information on how Cloud Carib can help your organization achieve data sovereignty, please contact us.