The subtleties of data sovereignty
The ongoing complexities and issues related to data privacy and security that spans jurisdictions around the globe were explored in a recent Comment piece in the US print edition of the financial times.
In “Virtual sovereignty can help you govern data“, Andrew Burt (chief privacy officer at Immuta) and Craig Mundie (former chief research and strategy officer at Microsoft) highlight that there are several dynamics involved in determining sovereignty and so control over data. They include considering where the creator of the data existed at the time the data was formed. This location could very well differ to where the data is now stored. And finally the third aspect could be the location from from where the inquiry is being undertaken.
For example, new data about a financial transaction is physically executed in the United Stares. Thus the data and the system used are subject to US federal and state jurisdiction. That data is then moved and housed in a cloud or server physically sitting in Ireland. Now that equipment and data is subject to that country’s and EU jurisdiction. Finally the Japanese state police, via Interpol, seek access to that data in support of a criminal money-laundering case. Now the inquiry has to work through Japanese, Interpol, EU, US and Irish jurisdictions. Or does it?
So then the question arises- which takes precedence and why? And other questions emerge- why can’t entities harmonize their regulations in order to make them simpler? This draws out the point that countries have different views on privacy and security and so there won’t likely be any universal harmonization – perhaps just regional blocks that support similar conditions.
This will keep us all, and the lawyers, busy for a long time to come.