Data sovereignty is causing issues for multinational businesses involved in data transfer across nation states such as the United States, Russia and China. Unique regulations provide for a varied degree of ownership of information within national borders. Dan Hyde, partner at Penningtons Manches LLP, assesses these differing approaches to data sovereignty, and explores how nationality and state culture are becoming a growing issue for cyber security.

Data sovereignty and data security should not be confused. They may sound similar and there may be overlap, but they are not interchangeable concepts. The principle of data sovereignty is that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located. This, in effect, is the nation state exerting ownership and national macro regulation over information it regards as its property. There may still be micro regulation applied by individuals and/or organisations in order to secure or protect the data, but data sovereignty is governmental: it regulates who may access or control the data.

The approach to the security of data is one of the most significant issues facing governments, corporate entities and individuals. Such has been the understandable fanfare around the pending implementation (25 May 2018) of the GDPR in all EU member states, that many are acutely aware and fearful of the new regulatory landscape and fines that will follow non-compliance.

What far fewer appreciate is that it has wider cultural ramifications. We may be witnessing the start of a philosophical divergence in the treatment of information protection across the globe.

The GDPR is the first attempt at a unified law to govern the collection, control and processing of personal data. But law is rarely without politics, and politics can be geographically sensitive. Significantly the GDPR emphasises the individual citizen and the sanctity of an individual’s personal data. This runs root and branch through the GDPR; from the need to show an individual has given active and demonstrable consent through to the embedded rights of the data subject (individual) to ensure that organisations only keep data for the purposes specified in the GDPR and that a data subject has a ‘right to be forgotten’. This development ought to ensure that there is a sea change in the way that entities which are subject to European jurisdiction treat personal data. They become mere custodians of someone else’s valuable property (the individual’s data) and they are required to deal with that personal data in a way that is consistent with handling someone else’s item of significant value. There are individual rights of redress built into the GDPR and evidence will be required to show that dealings in personal data have been conducted appropriately. In Europe then, the rights of the individual in relation to their data have been recognised as paramount. The UK will similarly adhere to this edict (there is no doubt as to that) and one might have hoped for global uniformity on the regulation and philosophical treatment of information. Or perhaps not. Significant cyber security legislative initiatives have occurred in China, Russia and the United States. The result is a divergence in philosophy and a rejection of the European model of individual data protection values.

In the cases of China and Russia the role of the state in data protection and management has been placed at the epicentre of regulation. Data sovereignty or data of the state are the guiding, dominant, policies at play.

In Russia, on 1 September 2015, the Russian Federation passed a law which required personal data relating to Russian citizens to be stored on servers physically located within the country. For Russia, such information belonged to Russia and it would remain within its national borders. Companies including Viber and Ebay complied, and moved relevant personal data to Russian servers. Google reportedly also complied. Facebook, Twitter and LinkedIn decided not to comply with the new requirements. Roskomnadzor, the Russian regulator, sued LinkedIn for non-compliance, and won its case twice, first in a lower court in August and then again, on 10 November 2016, in a Moscow city court. At this point access was blocked.

Roskomnadzor made it clear that compliance would require moving Russian users’ data onto Russian soil and amending its user agreement that states that the company collects not only personal data of its users but also personal metadata (IP addresses and cookie files) of its website’s visitors. In Russia, then, nation state regulation, or data sovereignty, trumps individual data rights. The GDPR, its notions and philosophies have no place in Russia.

China’s new cyber security law commenced on 1 June 2017. It should be noted that prior to 1 June 2017, any European model of personal data protection law had not been recognisable in China. Indeed, China had not previously passed any meaningful comprehensive data protection legislation that regulated the collection, control and processing of personal information. On 1 June that changed; but whilst China’s cyber security law does give a nod to protection of an individual’s rights, it has state interest and sovereignty at its heart.

The new Chinese cyber security law impacts on what it terms ‘network operators’ who, when handling personal information, must abide by regulations that chime with the GDPR namely (in broad terms) that:

  • the collection and use of personal information must be lawful, proper and necessary;
  • the purpose, method, and scope of collection and use is transparent and consensual;
  • they do not disclose, alter, or destroy personal data without appropriate consent;
  • they report data breaches and effect remedial steps;
  • they deal with requests for deletion (akin to the right to be forgotten) or correction.

But this nod to the protection of the individual is secondary to the interests and sovereignty of the state. The definition of ‘network operators’ in the cyber security law is so widely drawn that it would cover even the domestic user with more than a single computer (or indeed a device such as a phone) with access to a printer. In short, almost everyone is caught and those deemed ‘critical information infrastructure operators’ (‘CIIOs’) are forced to physically store within China (ie within its geographical borders) personal information and important data which was produced within China. In short this Chinese data must be physically kept on servers within China, thus chiming with the law in Russia. The state may also conduct what are termed ‘security risk assessments’ to trawl through all their data. The new cyber security law allows extensive state intrusion and is aimed at keeping ‘critical’ Chinese data in China. Data sovereignty at its highest. The definition of CIIOs may be so broad as to ensure China can exert influence wherever it sees fit and it applies to non-Chinese operators as well as those in China as no distinction is made between internal or external networks. In practice the state will have to ensure personal information it regards as important remains on servers within China; any attempt to transfer will then be subject to the ‘genuine business need’ test after an intrusive state assessment.

In the US, the right of an individual in relation to data could be said to have been diminished by the repeal of regulations requiring internet service providers to do more to protect customers' privacy than websites like Google or Facebook.

The initiative, founded during the currency of the Obama administration, had sought to restrict the ability of internet providers to use information such as location, financial information, information in relation to health and web browsing history for advertising and marketing purposes. The rules made it unlawful to use such information without obtaining appropriate consent. The decision of the Senate to vote down these provisions was based on the assertion that it would lead to a different set of regulations for internet providers and websites. The sale of personal information collected by retailers is huge business in the US. The really significant issue is how to, and if it is even possible to, mesh these different approaches.

Whilst, certainly in the case of Russia and China, the centre of data protection and management is the state, that is not the case in Europe and, seemingly, the United States. In Europe the individual is paramount. In the United States, corporations appear to have scored a major victory. So where does that leave the possibility of a consistent approach to data protection and management across the world? In tatters.

A global entity doing business in each of the jurisdictions discussed above will be faced with regimes and policies which are at odds with each other. How will, for example, an entity free to sell data in the US deal with the need to obtain active and demonstrable consent to such a course of action in Europe? The requirement in Russia or China to ensure that data is subjected to scrutiny by the state will impact on the rights of the subject if they are European. The GDPR envisages only allowing data transfers to jurisdictions that have ‘adequate’ measures to ensure consistency of approach. The ability to sell personal data for advertising purposes does not sit well with the cornerstone of the sanctity of an individual’s personal data.

How will it be handled if an organisation in Europe has dealings in Russia and has to subject itself to state scrutiny of personal data? Will the relevant supervisory authority allow that entity to trade in that jurisdiction without sanction?

The global economy is here to stay. However, the lack of a unified philosophical approach to data protection and regulation will be a serious hindrance to its development. So long as nation states decree that your information is their sovereign property and that data philosophies diverge as to the weight to be given to individual rights, there can be no uniformity in global data regulation. For me the only surprise is that anyone should be surprised.

This article was published in Cyber Security Practitioner in September 2017.