Data residency (Part 1) - Are local data centers really secure?

Sep 6, 2021 | Data residency

If your data is distributed internationally or even globally across several locations, a targeted analysis of the laws and regulations that apply at these locations is essential. That puts you in the middle of a new challenge: data residency. And the situation is, in short, confusing. GDPR, CLOUD Act, Privacy Shield, Schrems II, etc.: whether pragmatism or paranoia is the order of the day is largely a matter of opinion. Is this really the case, or can a more general view of likely future scenarios be gained with a little more distance? With the following explanations, we want to contribute to a better overview and thus hopefully also to better decisions. Decisions that still involve a margin of discretion that each company must fill in for itself.

Digitalization leads to lower transaction costs and higher productivity. And as companies (finally) strive for better data protection in this context, they are already confronted with a new challenge: data residency. Because despite better data protection, the data may not be much more secure. Or, conversely, companies can fulfill applicable data residency requirements, but at the same time violate data protection regulations. To make matters worse, the situation is anything but clear. For example, there are currently many discussions about how GDPR should be applied to large technology companies from the USA. Is a data center in Europe enough to satisfy the data hunger of these companies and the US government? Is that even the right question?

Protection against whom?

Referring the discussion only to providers from the USA does not do justice to the problem. What about China, Russia, etc.? Will we also accept their solutions if they have their data centers in Europe? Huawei sends its regards! In my opinion, the likelihood of mutual, global acceptance of the equivalence of all data protection efforts is tending towards zero.

With 100% certainty, politics, business and civil society will not be able to enforce compliance regulations globally in order to harmonize data privacy and data residency.

In view of the growing extraterritorial scope of privacy rules, and soon also of regulations relating to AI, for example, purely local solutions are also potentially problematic. Every country has residents and visitors from other countries (usually between 10% and 30%). Rules from their home countries may apply to them: one example is business travelers with confidential information on their laptops or cell phones.

With 100% certainty, a conflict between data privacy and/or data residency regulations with extraterritorial scope will affect us in some way and reduce the protection of our data.

Protection from what?

Privately, we primarily want to protect our freedom of choice. A company wants to protect its assets (IP, competitive position, customer data, etc.). It is therefore primarily about data and the protection of its use if this use is not in our interests. Everyone (natural and legal persons) has data that they consider worth protecting and whose use they want to control.

It is in the nature of things: private individuals (people) and companies always have data worth protecting - the more personal, the more important this data is, the more imperative it is to protect it.

So we want to protect ourselves against criminal use (cybercrime), against influencing use (marketing) and against unjustified government use (privacy). It is no coincidence that these are currently the most powerful drivers trying to grab this data by all means (legal and illegal).

It's a fact: data octopuses (including in the public sector) and criminals want our data, which is worth protecting. This is at the expense of our freedom, our security and our economic prosperity.

Protection by what means?

Protection against criminals, unscrupulous companies and overreaching state institutions requires well-controlled access to data worthy of protection. This protection, in turn, requires answers to two key questions:

  • How are the protected objects to be protected (from whom, with what measures)?
  • How well can the actors (human and machine) accessing the protected objects be identified (who can access) and authorized (what they can do)?

In the pursuit of efficiency and competitiveness, security and freedom, people and companies are now forced to find answers to data residency and data privacy.

As a result, there is very little room for compromise or trust when it comes to data protection. Every company and every private individual must proactively assess the data locations and the associated data privacy and data residency risks for themselves. Another conclusion that I, at least, draw from the above is that effective measures are needed to counter these unpleasant realities. Finally, we must seriously ask ourselves whether the data residency solutions that are currently being praised as a panacea are actually a solution option in our globalized world, and whether data privacy and data residency can even be reconciled in a meaningful way. I am very skeptical about this and would like to explore this aspect in more depth in future installments of this blog. So stay tuned, because solutions will also be explained. Cheers.
