What is Data Sovereignty?

Data​‍​‌‍​‍‌​‍​‌‍​‍‌ sovereignty is the principle that data is subject to the laws and governance structures of the country or jurisdiction where it is collected or stored. This may influence a government’s ability to implement legal authority over data physically residing within its borders, regardless of where the organization primarily stores the data.

This is important because the set of rules that governs your data doesn’t depend on where your company is located. It’s determined by where the data is stored. By way of example, a USA company housing customer records on Frankfurt-based servers is subject to EU law for those records, as well as American law.

These three terms are interlinked but not identical. Compliance adherence may be affected by variations in its application.

•     Data sovereignty is a legal concept. A nation’s right to regulate data within its territory. It addresses “Who has jurisdiction?”
•     Data residency is a legal or contractual requirement stipulating where data must be geographically located. It addresses “Where does the data live?”
•     Data localization has the most stringent form. A legal requirement that data be both stored and processed inside a country, with cross-border transfer restrictions. It addresses “Can the data be moved out at all?”

A sovereign cloud is a cloud service designed based on a country’s data sovereignty needs. To be confident that foreign governments, courts, and corporations cannot obtain data without the host country’s permission, sovereign clouds are operated by local entities (or through tightly controlled partnerships), unlike standard public clouds run by global hyperscalers.

•     Locally Managed and Owned: Run by a local company or a joint venture where the locals hold the majority.
•     Jurisdictional Isolation: National or regional regulations where data resides can influence the process of cross-border data transfers.
•     Regulatory Fit: They are made in accordance with national laws, such as GDPR, France’s SecNumCloud, or Germany’s C5 standard.

Business risks involve:

Data​‍​‌‍​‍‌​‍​‌‍​‍‌ sovereignty is not just about meeting legal requirements; it also entails having the appropriate technical systems. To truly enforce sovereignty, several technologies must be combined:

1.   Sovereign cloud platforms refer to local infrastructures operated within defined legal and geographic boundaries, thereby avoiding dependence on systems controlled by foreign powers.
2.   Customer-Managed Encryption Keys (CMEK) provide the organization with control over encryption keys, potentially restricting the cloud provider’s ability to decrypt data, even in response to legal requests.
3.   Bring Your Own Key (BYOK) / Hold Your Own Key (HYOK) are two different levels of offering the customer to keep the key. The cloud typically facilitates cryptographic operations but generally does not decrypt the data.
4.   Data residency controls are configurations that limit data replication or backup to specific regions.
5.   Confidential computing provides hardware support (e.g., through Intel SGX or AMD SEV) for protecting data while it is being processed, in addition to data at rest or in transit.
6.   Zero-trust architecture relies on always verifying identity and the principle of least privilege for access.

The practical application of data sovereignty may involve complex considerations. The primary concerns are categorized into three key areas:

1.   Cost. The cost associated with building sovereign infraestrutura de nuvem is distinct from that of a standard public cloud.
2.   Management. Organizations operating in multiple jurisdictions have to follow different sets of rules in each country.
3.   Laws. Sovereign legal systems can accommodate divergent interpretations, and technical solutions may not constitute a universally applicable response.

Other areas of consideration include:

•     In contrast to global hyperscalers, the quantity of smaller sovereign-compliant providers may be associated with their feature offerings.
•     Differences in standards development across countries can influence the creation of a consistent global compliance posture.