Back in 2013, a New York state judge served Microsoft with a warrant during an investigation into drug trafficking. The issue was not whether Microsoft was in any way connected with drugs, but rather that the judge wanted access to emails stored in its data centers. Had they been stored in a US-based location, that may have been the end of the issue. However, they were not. They were held in Dublin, Ireland. Herein lay the problem, or at least as Microsoft saw it. The emails were in another country and, therefore, they and their author were subject to its regulations. Legal battles ensued with Microsoft and other tech giants arguing the pros and cons of existing legislation that was underprepared for cloud computing and existing technology trends. Ultimately, Microsoft won, and so the US government could not force Microsoft or any other company to turn over customer emails stored outside the US.
So, what is data sovereignty?
As the Microsoft case illustrates, when we talk about data sovereignty, we are referring to the concept that stored data should be subject to the laws and general practices of the country where it is held. For example, that means that data stored in the EU, regardless of where it originated, is bound by EU data laws and specifically the General Data Protection Regulation (GDPR). Therefore, again, regardless of where it is located, if a company is not adhering to GDPR, they face harsh consequences, including hefty fines.
- Google Inc. €50,000,000
- H&M – €35,200,000
- TIM- Telecom Provider – €27,800,000
- British Airways – €21,900,000
- Marriott International – €20,450,000
While one of the better known, GDPR is not only the only data privacy legislation that exists. California introduced the California Consumer Privacy Act (CCPA), which covers similar terrain. Japan’s The Act Protection of Personal Information (APPI) also is an expansive list of rights and obligations for companies to follow.
Even with the European Economic Area (EEA), covered by the GDPR, Spain has other laws to help support and protect the population’s digital rights beyond GDPR. These include provisions on the right to internet access, the right to digital education, the right to correction on the internet, and the right to digital disconnection in the workplace.
The war for data sovereignty
While this may sound like a title for a new Netflix movie, the truth is it is not hysteric to speak of the fight for data rights in this way. Other examples, including the Cambridge Analytica scandal and Max Schrem’s case against the Irish Data Protection Commissioner, show us time and again that the war for ownership of data is far from over. This worries me. What also worries me is that I am not sure how many of us are as concerned as we should be. Yes, Netflix’s recent The Social Dilemma did stir up some controversy and public opinion. So much so that Facebook has issued a public response taking pains to enumerate What ‘The Social Dilemma’ Gets Wrong. But what happened then? Was there a mass exodus from the various social media channels?
And just as you thought well, maybe it is the media blowing it out of proportion, along comes the news about H&M. Not only was the retail giant at fault for allowing access to personal data to their entire organization, but it was soon revealed just what data they were gathering.
Here’s what the Data Protection Authority of Hamburg said H&M said:
“After absences such as vacations and sick leave, the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, in many cases, not only the employees’ concrete vacation experiences were recorded, but also symptoms of illness and diagnoses”. “In addition, some supervisors acquired a broad knowledge of their employees’ private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs.”
Why the subject of data sovereignty should matter to each of us
While much of the talk about data privacy and security involves large corporations and governments, the fact is that people are at the heart of it. If anything, the H&M case illustrates that the fight for data sovereignty is a very personal fight to ensure our data is protected, and we are entitled to know who is accessing it and what they are doing with it.
Consider the following:
- Worldwide, people are already generating 5 quintillion bytes of data each day
- Worldwide data is expected to hit 175 zettabytes by 2025, representing a 61% CAGR. That’s 175,000,000,000,000,000,000,000 bytes. To put this in perspective (as a physicist and data lover at heart), it is 175x larger than the number of stars in the entire universe – this is obviously estimated as no one has counted them
- 51% of the data will be in data centers, and 49% will be in the public cloud
- 90 ZB of this data will be from IoT devices in 2025
- In 2025, IDC predicts that 46% of the world’s stored data will reside in public cloud environments
I wonder though, how many of us give much thought to all this data we are producing? Or what happens to that data? Studies show that people increasingly feel a loss of control over their data and their ability to prevent companies from collecting information on them. Most UK consumers agree that businesses benefit disproportionally from data exchange, and in fact, many feel that our data is almost our last bargaining chip against big corporations.
Another survey that examined consumer attitudes towards data security found that almost a third did not care only about their privacy but were willing to switch companies over data or data-sharing policies.
The definition of privacy is not the same in every country, and the rights appointed to individuals varies. In fact, not everyone even shares the same definition of privacy. 2019 Pew research found that people interpreted digital privacy differently:
When asked, what does digital privacy mean to you?
- Themselves, their personal information and possessions, the desire to keep things to themselves -17%
- Control over information, possessions, self; deciding what aspects of their lives are accessible to others – 14%
- Other people and organizations not being able to access their possessions or private life – 3%
- Privacy is a myth/means nothing/doesn’t exist -9%
- Having their information sold, third party involvement – 6%
- Crime, hacking fraud, any means of illicit activity – 5%
- General security references, i.e.”secure,” “guarded,” “protective” – 4%
- Tracking, surveillance, monitoring, spying – 3%
- Company measures, how websites/companies should secure data, terms of service, privacy settings – 2%
- Personal information is only accessible with the person’s knowledge or consent – 2%
- Threat from the government regarding themselves, possessions, or private life – 1%
- Other – 4%
Source: Pew Research Center
Regardless of whether we can agree on its meaning, most Americans feel their data is less secure now. That 6 in 10 follow privacy news closely is a little reassuring, but I am still not convinced that we are doing enough to protect ourselves.
We need groups like MyData Global, a non-profit that works to empower individuals by improving their right to self-determination regarding their data. We also need governments and organizations to prioritize this issue and recognize that we need a global and comprehensive framework that evolves and keeps pace with changes in technology.
Why organizations need to be concerned
The onus is on corporations to be aware of not just regulations but also the claim by some governments that they have the right to seize data from servers located in their territory. It is no longer acceptable to hide behind a shield of ignorance. Businesses must know precisely where their data is stored and then take the necessary steps to ensure that they comply with the legislation that governs that location. Plus, they need to ensure that their cloud provider offers tight security and has protocols to follow should they experience a data breach or if they need to destroy any data.
How the EU is fighting for data sovereignty
In addition to the GDPR, in February this year, the EU released Digital Strategy, part of an overall initiative that includes the “Shaping Europe’s digital future” and a white paper on artificial intelligence. The goal is to realize the EU’s vision that by 2030 the EU’s share of the data economy- data stored, processed, and put to valuable use in Europe-at least corresponds to its economic weight. The strategy itself is based on four pillars:
- a cross-sectoral governance framework for data access and use,
- investing in infrastructure,
- investing in skills and empowering individuals,
- developing a common European data space.
In the meantime, I believe we all have a responsibility to protect our data and our privacy rights. As a business leader, I take this matter very seriously and would love to hear from others regarding what they do within their organization to defend the data rights of their employees and customers.