Data Sovereignty and whose jail do you prefer?
As with many things, there is a conflict in international law over data, more specifically over which jurisdictions can have access to it.
Why does Data Sovereignty Matter and why should IT care about it?
And this is not just a problem we can leave to the lawyers, because IT controls where data resides; we’re right at the heart of the issue.
It used to be the case that when a US judge ordered you to hand over certain information and a French judge or Data Protection Authority (DPA), or any other EU judge or DPA, ordered you not to, there was no roadmap to mutual compliance. In fact, the cliché was that you first decided which jurisdiction had the nicer jails; cute, but not really all that helpful.
So the US State Department set up the Safe Harbor Initiative to cope with this problem: to minimize conflicts between the liberal discovery regime in the US and the status that data privacy enjoys in the EU as a fundamental human right.
The Safe Harbor aims to provide guidance in maximizing the compliance curve, knowing that neither judge may be completely happy.
This got us to thinking about where information sits, or will sit in the future, and the importance of Data Sovereignty. There does not yet exist (that I can find) a generally-accepted definition of Data Sovereignty, but we use it to mean the right of a nation to have its data treated the way it wants. It is a relatively new notion but one that will undoubtedly be treated with a great amount of respect by everyone in the business of managing and using information, and the Safe Harbor framework is a good example of that deference. (See these remarks by US CIO Vivek Kundra for another.)
As more and more organizations move to the Cloud, the issue of Data Sovereignty will only rise in importance, and you can see the beginnings of that change now. Cloud clients are expecting more and more flexibility in the terms they negotiate with their providers. eDiscovery and Information Governance have gotten publicity as some of these negotiation points, and data location is key to both of those concerns.
“Does the WHERE matter?” is a question we, as Cloud providers, always ask early when negotiating a contract with a new client, and the answer is increasingly yes.
And it should, because you don’t want to be in a position where you’re deciding which jail you like most. You need to be able to understand where your data needs to be and design its Data Sovereignty accordingly.
We at Mimecast have been very conscious of the importance of location in sovereignty for a long time, offering options for UK, US, SA and Offshore for a number of years. But recently we’re being asked for not just specific jurisdiction sovereignty, but cross-jurisdiction sovereignty, which is why we are pleased to have been certified to the US-EU Safe Harbor.