
This is Part II of our series on data residency. Read Part I on Data Residency: Are On-Premises Data Centers Really Secure?

Data residency, also referred to as “data localization” or “data sovereignty”, is an important topic that should not be ignored. If a company that works with sensitive data takes data security seriously, it has to carefully examine data residency laws and their consequences for data security. These rules impose requirements on where data is stored – across different jurisdictions and geographical areas – in order to protect it against unauthorized access. But is this protection really sufficient?

With the introduction of GDPR, European data protection law will apply across the borders of the European Union. Other states (e.g. the USA or China) are doing the same as the EU simply because they want to be treated on an equal footing, but also because they are big enough to assert their own interests (including in the area of data protection). It’s a fact: regulatory requirements such as GDPR and others call for increasingly strict handling of sensitive and personal data. However, companies must also abide by data localization or data residency laws, so that sensitive data does not leave a certain territory.

As we’ve already pointed out, privacy and data residency laws are difficult, if not impossible, to align. So: can a local solution in the country of a company’s headquarters be compliant when sensitive data of foreign citizens is processed in these local data centers? Local data management cannot ensure that data is treated in the country of origin of different citizens – this is neither technically feasible nor affordable, nor even operable.

Another aspect: there is growing competition between the large global economic blocs for data and for the insights derived from it (big data). The US is already facing the challenge that data of US citizens or companies is processed on Chinese IT infrastructure. One can assume that China, on the other hand, is not happy to see data of its own citizens being processed on US servers. Many other countries have introduced similar guidelines and are constantly tightening data protection and especially data localization laws.

Answer the following question for yourself, dear reader: Will China host the IT infrastructure of its Belt and Road Initiative (BRI) on Azure or AWS if, in the event of a conflict, the US would be able to bring this critical infrastructure under its control or even shut it down at the push of a button?

With 100% certainty, a global economic power will rely on technologies and IT infrastructures that it can (if necessary) bring under its control.

The growing list of countries that require localization means that

  • internationally active companies,
  • locally active companies with foreign employees or customers, and
  • any institution with relevant global business relationships

will hardly be able to comply with the relevant data protection and data residency laws. They therefore live with a permanent risk of not being compliant, i.e. violating laws or regulations, or generally not taking sufficient account of data protection.

So what to do?

Companies have to weigh up the following three variants if they want to observe data privacy and data residency rules to the same extent:

1. Companies could seek compliance with data protection law only in their most important markets. Since the future markets of many companies are located in Asia and especially in China, this is a virtually impossible task for European or American companies. Of course, this also applies to companies from the Southeast Asian economic area that want to establish themselves in the West (see our arguments in Part I).

2. Companies host their data regionally in order to comply with applicable regulations. This would mean hosting data from European employees and customers in Europe on Gaia, data of American citizens in the USA on AWS, Google or Azure, data of persons domiciled in China on Huawei or AliCloud, etc. However, this approach is rather theoretical. The technical hurdles for secure data distribution are very high, and the costs of several completely separate environments can hardly be justified economically. In addition, smaller countries do not offer their own cloud ecosystem and therefore have to trust one or all of the other solutions mentioned above. In general, a doubling to quadrupling of today’s IT costs would be expected. Very few companies will be able to afford this.

3. Another alternative is to encrypt the data and base the keys in different jurisdictions. Data of American citizens is encrypted with keys from the USA, data of European citizens with “European keys”, data of Chinese citizens with Chinese keys, etc. Ultimately, this means local encryption (key, method, location) under the control of the respective company while complying with the applicable data protection laws, and without compromising the protection of the data and its localization.
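A minimal sketch of the third option, added here as an illustration and not taken from the original post or any vendor's product: each record is sealed with the key belonging to the data subject's jurisdiction, and the jurisdiction tag is authenticated so a record cannot be relabelled to another region's key. The names `Keyring`, `Seal` and `Open`, the choice of AES-GCM and the in-memory keys (standing in for a key service located in each jurisdiction) are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Keyring maps a jurisdiction code to the AES key held there (stand-in for a regional KMS/HSM).
type Keyring map[string][]byte

func (k Keyring) aead(j string) (cipher.AEAD, error) {
	// A missing jurisdiction yields a nil key, which NewCipher rejects: fail closed.
	block, err := aes.NewCipher(k[j])
	if err != nil {
		return nil, fmt.Errorf("no usable key for jurisdiction %q: %w", j, err)
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce||ciphertext; the jurisdiction tag is authenticated as associated data.
func (k Keyring) Seal(j string, plaintext []byte) ([]byte, error) {
	a, err := k.aead(j)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, plaintext, []byte(j)), nil
}

// Open succeeds only with the key and the tag the record was sealed under.
func (k Keyring) Open(j string, sealed []byte) ([]byte, error) {
	a, err := k.aead(j)
	if err != nil || len(sealed) < a.NonceSize() {
		return nil, fmt.Errorf("cannot open record tagged %q", j)
	}
	n := a.NonceSize()
	return a.Open(nil, sealed[:n], sealed[n:], []byte(j))
}

func main() {
	// Constructed demo keys; real keys would never leave their jurisdiction's key service.
	ring := Keyring{"EU": []byte("constructed-demo-key-EU-32-bytes"), "US": []byte("constructed-demo-key-US-32-bytes")}
	rec, _ := ring.Seal("EU", []byte("constructed sample record"))
	_, err := ring.Open("US", rec) // relabelled as US: authentication fails
	fmt.Println("open EU record with US key:", err)
}
```

The sealed bytes can be stored in any data center; whoever holds them without access to the matching jurisdiction's key gets only ciphertext.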

Learn more about this third option in the next blog post of this series and discover why it is actually the only sensible alternative to protect data globally while complying with regulations. Cheers.