Data sovereignty
Data sovereignty is the idea that data are subject to the laws and governance structures within the nation it is collected. The concept of data sovereignty is closely linked with data security, cloud computing and technological sovereignty. Unlike technological sovereignty, which is vaguely defined and can be used as an umbrella term in policymaking,[1] data sovereignty is specifically concerned with questions surrounding the data itself.[2] Data sovereignty is usually discussed in two ways: in relation to Indigenous groups and Indigenous autonomy from post-colonial states or in relation to transnational data flow. With the rise of cloud computing, many countries have passed various laws around control and storage of data, which all reflects measures of data sovereignty.[2] More than 100 countries have some sort of data sovereignty laws in place.[3] With self-sovereign identity (SSI) the individual identity holders can fully create and control their credentials, although a nation can still issue a digital identity in that paradigm.
History
The Snowden revelations on the National Security Agency's (NSA) PRISM program provided a catalyst for global data sovereignty discussions. It was revealed that the US was collecting vast swaths of data not only from American citizens, but from around the world.[4] The program was designed “to "receive" emails, video clips, photos, voice and video calls, social networking details, logins and other data held by a range of US internet firms” such as American tech companies like Facebook, Apple, Google and Twitter among others.[5] In the wake of the revelations, countries became increasingly concerned with who could access their national information and its potential repercussions. Their worries were further exacerbated due to the US Patriot Act.[5] Under the act, US officials were granted access to any information physically within the United States (such as server farms), regardless of the information's origin.[6] This meant that any information collected by an American server would have no protection from the US government.[6]
Another instance that put data sovereignty in the news was a case between Microsoft and the US government. In 2013, the Department of Justice (DoJ) demanded that Microsoft grant the DoJ access to emails “related to a narcotics case from a Hotmail account hosted in Ireland”.[7][8] Microsoft refused, stating that this transfer would result in the company breaking data localization and protecting laws in the EU.[9] The initial ruling was in favour of the US government, with Magistrate James Francis concluding that American companies “must turn over private information when served with a valid search warrant from US law enforcement agencies.[9] Microsoft asked for an appeal and went to court again in 2016 with the case Microsoft v. United States. John Frank, the VP for EU Government Affairs at Microsoft stated in a 2016 blog post that a US court of appeals ruled in favour of Microsoft, supporting the notion that "US search warrants do not reach our customers' data stored abroad".[10] On October 23, 2017, Microsoft said it would drop the lawsuit as a result of a policy change by the Department of Justice (DoJ)[11] that represented “most of what Microsoft was asking for."[12]
Indigenous context
Discussions of indigenous data sovereignty for indigenous peoples of Canada, New Zealand, Australia and the United States of America are currently underway.[13] Data sovereignty is seen by indigenous peoples and activists as a key piece to self-governance structures and important pillar of indigenous sovereignty as a whole.[14] The decolonization of data is seen by activists as a way to give power to indigenous people to "determine who should be counted among them" and would be able to better reflect the "interests, values and priorities of native people".[14] Scholars also argue that given the power over their own data, indigenous peoples would be able to decide which data gets disseminated to the public and what does not, a decision typically made by the settler government.[14]
In New Zealand, Te Mana Raraunga, a Maori data sovereignty network, created a charter to outline what Maori data sovereignty would look like. Some of the requests in the charter included "asserting Maori rights and interests in relation to data", "advocating for Maori involvement in the governance of data repositories" and "Supporting the development of Maori data infrastructure and security systems".[15]
In Canada, Gwen Phillips of the Ktunaxa nation of British Columbia has been advocating for Ktunaxa data sovereignty and other pathways towards self-governance in the community.[16]
National data sovereignty measures
Canada has enacted various data sovereignty measures, primarily on storage of Canadian data on Canadian servers. As part of Canada's IT strategy for the years 2016–2020, data localization measures were discussed as a way to uphold citizens' privacy.[17] By using Canadian servers to store Canadian data as opposed to American servers, this would safeguard Canadian data from being subject to the US Patriot Act.[6] In 2017, it was discovered that Shared Services Canada and the Communications Security Establishment were "exploring options for sensitive data storage on U.S.-based servers" with Microsoft".[18]
Also in 2016 the EU Parliament approved their own data sovereignty measures within a General Data Protection Regulation (GDPR). This regulatory package homogenizes data protection policy for all European Union members. It also includes an addendum that establishes extraterritorial jurisdiction for its rules to extend to any data controller or processor whose subjects are EU citizens, regardless of the location the holding or processing is conducted. This forces companies based outside of the EU to reevaluate their sitewide policies and align them with another country's law. The GDPR also effectively replaced the 1995 European Data Protection Directive[19] that had originally established the free movement of personal data between member state borders, and in doing so granted interoperability of such data among nearly thirty countries.
Criticism
A common criticism of data sovereignty brought forward by corporate actors is that it impedes and has the potential to destroy processes in cloud computing.[20] Since cloud storage might be dispersed and disseminated in a variety of locations at any given time, it is argued that governance of cloud computing is difficult under data sovereignty laws.[20] For example, data held in the cloud may be illegal in some jurisdictions but legal in others.[2]
See also
- Data governance
- Data localization
- Information privacy (data protection)
- Legal aspects of computing
- Privacy
References
- Maurer, Tim; Morgus, Robert; Skierka, Isabel; Hohman, Mirko (November 2014). "Technological Sovereignty: Missing the Point?" (PDF). digitaldebates.org.
- Irion, Kristina (2012-12-01). "Government Cloud Computing and National Data Sovereignty". Policy & Internet. 4 (3–4): 40–71. doi:10.1002/poi3.10. ISSN 1944-2866.
- "Gilmore, David, DataFleets, "Google Scrapped Cloud Initiative in China, Other Markets", Bloomberg News". July 8, 2020.
- Padilla, Len (2014-06-09). "Four ways the NSA revelations are changing businesses". The Guardian. ISSN 0261-3077. Retrieved 2017-11-28.
- Kelion, Leo (2013-06-25). "Q&A: NSA's Prism internet surveillance scheme". BBC News. Retrieved 2017-11-16.
- "USA PATRIOT Act Comprehensive Assessment Results". Treasury Board of Canada Secretariat. 2006-03-28.
- Thielman, Sam (2015-09-02). "Nationality in the cloud: US clashes with Microsoft over seizing data from abroad". The Guardian. ISSN 0261-3077. Retrieved 2017-11-30.
- Marks, Joseph (2015-09-08). "Can the US demand emails stored in Ireland?". Politico. Retrieved 2017-11-30.
- Gibbs, Samuel (2014-04-29). "US court forces Microsoft to hand over personal data from Irish server". The Guardian. ISSN 0261-3077. Retrieved 2017-11-30.
- Frank, John (2016-09-05). "Our search warrant case: Microsoft's commitment to protecting your privacy". EU Policy Blog. Microsoft. Retrieved 2017-11-30.
- "Microsoft drops lawsuit after U.S. government revises data request transparency rules". venturebeat.com. VentureBeat. Reuters. 2017-10-24. Retrieved 2017-11-30.
- Woollacott, Emma. "Microsoft Drops Lawsuit As DoJ Reins In Use of Gagging Orders". Forbes. Retrieved 2017-11-30.
- Rainie, Stephanie Carroll; Schultz, Jennifer Lee; Briggs, Eileen; Riggs, Patricia; Palmanteer-Holder, Nancy Lynn (2017). "Data as a Strategic Resource: Self-determination, Governance, and the Data Challenge for Indigenous Nations in the United States". The International Indigenous Policy Journal. 8 (2). doi:10.18584/iipj.2017.8.2.1.
- Taylor, John; Kukutai, Tahu (2016-11-25). Indigenous data sovereignty: toward an agenda. Australian National University. Centre for Aboriginal Economic Policy Research. Acton, ACT, Australia. ISBN 9781760460303. OCLC 947953955.
- "Te Mana Raraunga – Māori Data Sovereignty Network Charter" (PDF). Planet Maori.
- Phillips, Gwen (2017-08-12). Lauriault, Tracey P.; Lim, Merlyna (eds.). Data Power 2017 Keynote: Indigenous Data Sovereignty and Reconciliation. Ottawa: Data Power. doi:10.22215/1/conf/dp2017.1. Retrieved 2017-11-16 – via YouTube.
- Treasury Board of Canada Secretariat (2016-06-13). "Government of Canada Information Technology Strategic Plan 2016-2020". canada.ca. Retrieved 2017-11-16.
- Beeby, Dean (2017-09-08). "Canadian agencies discuss US 'cloud' storage of sensitive data with Microsoft". CBC News. Retrieved 2017-11-30.
- "Directive 95/46/EC". 1995-10-24.
Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data
- Ettling, Mike (2015-12-26). "The Cloud's Biggest Threat Are Data Sovereignty Laws". TechCrunch. Retrieved 2017-11-16.