Data sovereignty and data security should not be confused. They may sound similar and there may be overlap, but they are not interchangeable concepts. The principle of data sovereignty is that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located. This, in effect, is the nation state exerting ownership and national macro regulation over information it regards as its property. There may still be micro regulation applied by individuals and/or organisations in order to secure or protect the data but data sovereignty is governmental: it regulates who may access or control the data.
The approach to the security of data is one of the most significant issues facing governments, corporate entities and individuals. Such has been the (understandable) fanfare around the implementation (25 May 2018) of the General Data Protection Regulation (GDPR) in all European Union states that many are acutely aware and fearful of the new regulatory landscape and fines that will follow non-compliance. What far fewer appreciate is that it has wider cultural ramifications. We may be witnessing the start of a philosophical divergence in the treatment of information protection across the globe.
GDPR is the first attempt at a unified law to govern the collection, control and processing of personal data. But law is rarely without politics and politics can be geographically sensitive. Significantly GDPR emphasises the individual citizen and the sanctity of an individual’s personal data. This runs root and branch through GDPR; from the need to show an individual has given active and demonstrable consent through to the embedded rights of the data subject (individual) to ensure that organisations only keep data for the purposes specified in the Regulation and that a data subject has a “right to be forgotten”.
This development ought to ensure that there is a sea change in the way that entities which are subject to European jurisdiction treat personal data. They become mere custodians of someone else’s valuable property (the individual’s data) and they are required to deal with that personal data in a way that is consistent with handling someone else’s item of significant value. There are individual rights of redress built into the Regulation and evidence will be required to show that dealings in personal data have been conducted appropriately. In Europe then, the rights of the individual in relation to their data have been recognised as paramount. The UK will similarly adhere to this edict (there is no doubt as to that).
One might have hoped for global uniformity on the regulation and philosophical treatment of information. Or perhaps not. Significant cyber security legislative initiatives have occurred in China, Russia and the United States. The result is a divergence in philosophy and a rejection of the European model of individual data protection values.
In the cases of China and Russia the role of the state in data protection and management has been placed at the epicentre of regulation. Data sovereignty or data of the state are the guiding, dominant policies at play.
In Russia, on 1 September 2015, the Russian Federation passed a law which required personal data relating to Russian citizens to be stored on servers physically located within the country. Such information belonged to Russia and it would remain within its national borders.
Nation state regulation, data sovereignty, trumps individual data rights in Russia. GDPR, its notions and philosophies have no place there.
China’s new Cyber Security Law commenced on 1 June 2017. It should be noted that prior to June 2017 any European model of personal data protection law had not been recognisable in China. Indeed China had not previously passed any meaningful comprehensive data protection legislation that regulated the collection, control and processing of personal information. On 1 June that changed; but while China’s Cyber Security Act does give a nod to protection of an individual’s rights, it has state interest and sovereignty at its heart.
The new Chinese cyber security law impacts on what it terms “network operators” who, when handling personal information, must abide by regulations that chime with GDPR in broad terms.
But this nod to protection of the individual is secondary to the interests and sovereignty of the state. The definition of “network operators” in the Act is so widely drawn that it would cover even the domestic user with more than a single computer (or indeed a device such as a phone) with access to a printer. In short, almost everyone is caught and those deemed “critical information infrastructure operators” (CIIOs) are forced to physically store within China (ie within its geographical borders) personal information and important data which was produced within China. In short this Chinese data must be physically kept on servers within China, thus chiming with the law in Russia. The state may also conduct what are termed “security risk assessments” to trawl through data. The new legislation allows extensive state intrusion and is aimed at keeping “critical” Chinese data in China.
This is data sovereignty at its highest. The definition of CIIOs may be so broad as to ensure China can exert influence wherever it sees fit and it applies to non-Chinese operators as well as those in China as no distinction is made between internal or external networks.
Meanwhile in the United States, the right of an individual in relation to data could be said to have been diminished by the repeal of regulations requiring internet service providers to do more to protect customers' privacy than websites like Alphabet's Google or Facebook.
The initiative, founded during the currency of the Obama administration, had sought to restrict the ability of internet providers to use information such as location, financial information, information in relation to health and web browsing history for advertising and marketing purposes. The rules made it unlawful to use such information without obtaining appropriate consent. The decision of the senate to vote down these provisions was based on the assertion that it would lead to a different set of regulations for internet providers and websites. The sale of personal information collected by retailers is huge business in the US.
The really significant issue is how will, and is it even possible to, mesh these different approaches? In the case of Russia and China, the centre of data protection and management is the state. In Europe the individual is paramount. In the United States, corporations appear to be the victor.
A global entity doing business in each of the jurisdictions discussed above will be faced with regimes and policies which are at odds with each other.
How will, for example, an entity free to sell data in the US deal with the need to obtain active and demonstrable consent to such a course in Europe?
The requirement in Russia or China to ensure that data is subjected to scrutiny by the state will impact on the rights of the subject if they are European.
The global economy is here to stay. However, the lack of a unified philosophical approach to data protection and regulation will be a serious hindrance to its development. So long as nation states decree that your information is their sovereign property and data philosophies diverge as to the weight to be given to individual rights, there can be no uniformity in global data regulation.