This is part 2 of our series on data residency. Read part 1 here about Data residency: Are local data centers really secure?
Data residency, also known as "data localization" or "data sovereignty", is an important topic that should not be ignored. If a company that works with sensitive data takes data security seriously, it is important to carefully examine the data residency laws and their consequences for data security. These rules stipulate the location of data storage - across different jurisdictions and geographical areas - to protect against unauthorized access. But is this protection really sufficient?
With the introduction of GDPR, European data protection law becomes applicable beyond the borders of the European Union. Other countries (e.g. the USA or China) will do the same as the EU, - simply because they want to be treated as equals and are basically big enough to assert their own interests (including in the area of data protection). The fact is that regulatory requirements such as GDPR and others require increasingly strict handling of sensitive and personal data. However, data localization or data residency laws must also be observed by companies to ensure that sensitive data does not leave a certain territory despite data protection.
We have already explained this: Data protection and data residency laws are difficult, if not impossible, to reconcile. It is therefore questionable whether a local solution in the country of a company's headquarters is compliant if sensitive data of citizens of other countries is processed in these local data centers. Local data management, which ensures data management in the respective country of origin as soon as the data of corresponding citizens is affected, is only technically feasible in theory, but is not affordable in practice and is also not operationally feasible as things stand today.
Another aspect is the competition for data and the insights that arise from this data (big data), which is being fought out between the major global economic blocs. The USA already has problems today when its citizens' or companies' data is processed on Chinese IT infrastructure. It can be assumed that China will take the same view in reverse. Many other countries have introduced similar guidelines, are constantly tightening their data protection and especially data localization laws and are interpreting them ever more strictly.
Answer the following question for yourself, dear reader: Will China host the IT infrastructure of its Belt and Road Initiative (BRI) on Azure or AWS if there are fears that the USA could take control of this critical infrastructure in the event of a conflict, or even shut it down at the touch of a button?
With 100% security, a global economic power will rely on technologies and IT infrastructures that it can bring under its control (if necessary).
The growing list of countries that require localization means both for
- internationally active companies as well as
- locally active companies with foreign employees or customers as well as for
- any institution with relevant global business relationships,
that they will hardly be able to comply with the relevant data protection and data residency laws and are therefore always faced with a permanent risk of being non-compliant, i.e. violating laws or regulations or generally not taking sufficient account of data protection.
So what to do?
Companies must weigh up the following three options if they want to comply with data privacy and data residency rules to the same extent:
1. It is possible that companies will only strive for compliance with data protection laws in their most important markets. As the future markets of many companies are in Asia and especially in China, this is not an easy, if not impossible, task for European or American companies. Of course, this applies equally to companies from the Southeast Asian economic region that want to establish themselves in the West (see our arguments in the Part 1).
2. Companies host their data regionally in order to comply with the applicable regulations. For example, by hosting data from European employees and customers in Europe on Gaia, data from American citizens in the USA on AWS, Google or Azure, data from people domiciled in China on Huawei or AliCloud, etc. However, this approach seems rather theoretical. The technical hurdles for secure data distribution are very high and the costs can hardly be justified economically due to several completely separate environments. In addition, smaller countries do not offer their own cloud ecosystem and therefore have to rely on one or all of the other solutions mentioned above. In general, the current IT costs would double or quadruple. Very few companies will (be able to) afford this.
3. Another alternative is the Encryption of the data and to base the keys on different jurisdictions. Data of American citizens is encrypted with keys from the USA, data of European citizens is encrypted with "European keys", data of Chinese citizens is encrypted with Chinese keys and so on. Ultimately, this means Local encryption (key, method, location) under the control of the respective company while complying with the applicable data protection laws without compromising the protection of the data and its localization.
Find out more about this third option in the next blog in this series and why it is actually the only sensible alternative for securely protecting data globally while complying with regulations. Cheers.
DE 
EN 