Episode #3: Is Data Sovereignty a Myth in the Age of the Cloud
Summary:
In this podcast, we address:
- What is data sovereignty?
- Why is it important for companies to understand the regulatory risks associated with data sovereignty? And how can you ensure your company avoids the risk of data sovereignty non-compliance?
- How being better informed can help you make better solution choices and ensure future issues and costs are minimized.
Speakers
James McCarthy, Esq.
General and Litigation Defense Counsel
James has served as general and litigation defense counsel for 25 years in private practice, providing guidance on legal compliance obligations and structuring contractual relationships with partners and customers. This includes local, county, and state government bodies. James is also an adjunct lecturer at Felician College on business law.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Transcript
Bill Tolson:
Welcome to the Archive360 podcast titled, Is Data Sovereignty a Myth in the Age of the Cloud? Joining me today is Jim McCarthy. Jim is the chief compliance officer and general counsel for Archive360. And my name is Bill Tolson, I'm the VP of compliance and eDiscovery here at Archive360.
Bill Tolson:
In this podcast, we're going to be addressing issues like, what is data sovereignty? Why is it important for companies to understand the regulatory risks associated with it? And how can you ensure your company avoids the risk of data sovereignty non-compliance?
Bill Tolson:
With the rising popularity of cloud computing and software as a service cloud solutions or SaaS cloud solutions, where electronic data needs to be stored due to regulatory requirements has become a greater focus for chief regulatory officers and general counsels. By being better informed, you can make better solution choices and ensure future issues and costs are minimized. And when we talk about data sovereignty, it really is there, and we're talking about worldwide now, especially around GDPR, where is data actually originally generated? For example, in a country like France, France has regulations and laws that basically say data generated in France must be stored and maintained in France and can't be transferred to the US or another country without various approvals and processes and procedures and things like that. When we're dealing with these new privacy regulations, especially GDPR and so forth, companies need to be very aware of where that data is being generated and how it's being stored and who has access to it. That's what we're going to be talking about today.
Bill Tolson:
Jim, we've talked a lot about data sovereignty in reference to the GDPR and the California law, the CCPA and the various privacy regulations that they have put out there. In a lot of cases, they are number one, difficult and complex and a lot of companies still aren't brought up to speed on them. Actually, I think we've done a couple webinars on the subject as well. But in this case, especially when we're dealing with the worldwide generation of data and data storage and I think I touched on it, but Jim, can you expand a little bit on what data sovereignty actually is?
Jim McCarthy:
Sure. Good to be joining you today, Bill. Data sovereignty, it's a concept that information that has been converted and now stored in some type of digital form would be subject to the laws of the country in which it's located. That's the simple, 10,000 foot view, Bill. When we unpack that, though, it gets a little bit more complicated. For one point, data sovereignty law is not a universal law. It's really a law that differs from jurisdiction to jurisdiction. And then the last part of my phrase is it's subject to the laws in which it, the data, is located.
Jim McCarthy:
Well, where is the data located? And that brings up something called data residency. Now that's different than a data sovereignty issue and pinning down where data is located, where it lives, is sometimes hard to do. It's really hard to do let's say if a company is headquartered in New York and has operations in five other continents. A piece of the work that you and I did and started in New York, but then had our resources in the EU, revise it before it's finalized and then perhaps that document gets revised in several different locations of our company and then we'll ultimately, we store it on our system. Where does that piece of data live?
Bill Tolson:
Especially if the system that we're talking about is a cloud environment. A lot of people kind of envision the cloud as kind of omnipresent, circling the world and it just kind of floats around up there. But one of the things that many people are aware of, but some aren't is that you can stipulate what data cloud data center that data be stored in. And that's an absolute requirement when we're talking about data sovereignty. You don't just say, "Well gee, pull it up to the cloud," and not worry about where that cloud is. There are various cloud providers who only have a data center in one or two countries and that in fact possibly could violate the regulation of data sovereignty if there's not a data center in that given country to where the originator of the data can basically stipulate, the data needs to be stored in this data center versus others. And then you bring in the idea of access controls. Gee, it might be sitting in a data center sitting in Paris, but if a US worker in Illinois can access it, does that violate the rights of the data subjects in France?
Jim McCarthy:
Yeah, exactly. Yeah. I don't know if it's common knowledge that the cloud is not some sort of ethereal thing out in the atmosphere, Bill, but these data centers exist on campuses, within mountains, some are at sea. They're all over. The ones at sea in particular, they may not be in the jurisdictional waters of a particular country. What do we do with that? We had a customer not too long ago, Bill, that had 500 laptops of departed employees in a basement somewhere in a jurisdiction in Europe and they needed to capture and load all of that data so it could be archived and ready for litigation hold should anything happen. Those laptops came from employees all over the world. Where does that data live? It was images stored on that particular laptop.
Jim McCarthy:
All of these issues make these data sovereignty laws and complying with them a challenge. And there's pretty stiff penalties when you violate one of these, what we call the cross border transfer laws that restrict how data of customers let's say, is transferred across jurisdictions. Yeah, I think it would be it's in my mind more of a myth than a reality, but that doesn't stop many jurisdictions from trying to enforce them.
Bill Tolson:
Yeah. And like you say, some of the penalties can be huge, especially when we're dealing with the GDPR and the GDPR data sovereignty laws around that. And now companies, we have CSOs and CIOs and stuff when we're talking to them are now becoming, are now already aware of those issues and are asking all the right questions instead of just assuming that the cloud storage vendors are going to know and going to do what needs to be done. They're not going to do that and hopefully during the contract processes, the questions are going back and forth. But I think the bottom line is here, don't assume because nowadays those penalties can put a company out of business overnight, potentially. And that brings up kind of a question that I've been asked a couple of times, Jim, and that is, the idea of data sovereignty and where data lives and data being subject to only being stored in a particular geographic location. A lot of people assume that that was driven by the 2018 GDPR regulations. And I don't think that's the case. What's your opinion on that?
Jim McCarthy:
Actually the genesis of these data protection laws, I think that GDPR was one of the more recent laws, but certainly not the start of it. I think we can ascribe the maturation of these data privacy laws with a young law student in Austria. In fact, some of the decisions lately from the EU still bear his name, Max Schrems. He was a young man who was very concerned about his social media information being available in other countries and he felt that that violated his privacy rights. A David and Goliath type of battle ensued and years later, Mr. Schrems won. And that I think kick started these privacy laws and made them more focused in business and businesses started to take note of them in earnest.
Bill Tolson:
Yeah. Max Schrems actually has a long history that originally, several years ago we had what was referred to as the safe harbor for transferring data back and forth. And in the Schrems I case, he won the case and he brought exactly what you said and he got the safe harbor basically invalidated. Because of that, they created the privacy shield. Mr. Schrems took that to court and just here lately, very recently, got that overturned so the privacy shield was invalidated. Now, I just read an article this morning and he is very closely looking at and preparing to go after the standard contractual clauses tool that has been used over these years. And we won't get into that very much. You can look that up. But if the SCCs disappear, what happens?
Bill Tolson:
But I remember years ago, 20 years ago at a big high tech I worked for, even then, we had to be very careful about dealing with our divisions in other countries, especially France, for example or Portugal or several other companies, because they already had data sovereignty laws that basically said, "You cannot move data originating in these countries, outside the country period." And in certain cases you had to ask permission of the actual employee author to get their written permission. It caused a lot of problems, but yeah, no, the whole idea of data sovereignty has been around obviously for a long time. And we've all been dealing with it.
Jim McCarthy:
I think a few things are fueling this recently, not the least of which of course is the ability of companies to share data throughout the world almost immediately. And the other thing I think is that different nations have a different expectation of privacy. And if I poll my college students, Bill, barely any of them are interested in privacy and they want to share every aspect of their lives with each other. But so to them, invasions of privacy are not nearly as important as perhaps privacy expectations in Europe. In large part, these different data sovereignty laws recognize that different people have different expectations of privacy. These things are efforts to stem the tide of this incredibly efficient way of transferring data and having data visible in all parts of the globe immediately over the internet.
Bill Tolson:
Oh yeah. More and more countries are coming out with very strict data residency or data sovereignty laws around privacy and stuff. I know Brazil has a very tough one. India has a very tough one that is going to be passed here very soon. The bottom line is companies just need to be aware of it and because they're storing something in the cloud, doesn't get them beyond the data sovereignty requirements, because data is stored somewhere. There is nothing in the cloud that actually stores things. There are always data centers associated. Where those data centers are physically located is where the data residency of that data happens. And we started off a couple of minutes ago talking about data residency. What's the difference between data residency and data sovereignty? And data residency in my mind is, if I'm going to store data, I choose where it goes based off of maybe tax limitations or business requirements, whatever it happens to be. Data sovereignty is more of a legal obligation, right?
Jim McCarthy:
It is.
Bill Tolson:
Jim, really companies looking for a cloud archiving, cloud information management capability should, like we've said, first be aware of the data sovereignty requirements they may have. Again, they might not have data sovereignty requirements. If you're a small to medium sized company sitting in Montana or Wyoming and you only do business in the United States, you might not be faced with this. Unless we get into some of the privacy regulations around PII and stuff like that. But especially for medium or large size companies, this is one of the first things they need to look at, data sovereignty and data privacy. They need to be asking potential cloud vendors tough questions about where their data is stored, who has access to it, is it encrypted? Who has access to the encryption keys. If a government asked for the data, are they going to turn it over? Those kinds of things, but again, this is one of those topics a lot of companies haven't been faced with before that I think many of them are going to run afoul of.
Jim McCarthy:
Yeah. Add to the list of questions you need to ask are, what's the geo redundancy protocol of your cloud service provider? As we all know, in case of a natural disaster in one region, Microsoft, for example, we'll have geo redundancy running in several different regions as a fail safe so as not to lose the data. But is that geo redundancy tool, which is useful when we see the utility in it, is that tool in and of itself a violation of one of these cross border transfers? I don't know. I don't know.
Bill Tolson:
Yeah, no, that's a great point. If you tell Microsoft or AWS or somebody like that, based on my disaster recovery requirements or because of regulatory requirements, I want to have all my datasets copied to a separate data center so that it can fail over if need be. When we're talking about data sovereignty, at least you need to be able to say, "Well gee, I need to geo replicate my data, but it still needs to be within the same country so I'm not out of compliance of the data sovereignty requirements."
Jim McCarthy:
Right. Which is more difficult in smaller countries that may not have multiple data centers, right?
Bill Tolson:
Exactly. And that's one of the problems, one of the issues that we've brought up with clients and potential clients. We currently work within the Microsoft Azure environment and they have huge numbers of data centers all over the world so you're more than able to say, "Based off of these regulatory requirements, the data needs to be stored within these country's borders." And if you're dealing with a SaaS provider, or maybe an email archiving provider that only has a data center in Vancouver, Canada, only has one in the United States, what do people in the EU, for example, do? In reality, if an EU company is looking to contract with a company with only one data center in Vancouver, British Columbia or something like that, they can't because they immediately break the GDPR data sovereignty rules by storing it in a data center in Canada.
Jim McCarthy:
That's absolutely correct. Like you said at the outset, need to be asking the correct questions of our data vendors and this is one of them.
Bill Tolson:
And that's where you rely also on cloud vendor to offer their expertise and to make sure that you are aware of all of the potential issues involved. If I'm a SaaS provider and I don't want to get my client in trouble and I don't want to get in trouble, if I'm talking to a potentially new client, I'm going to make sure they know this is where the data is going to be stored. There's an issue with that. And maybe you should look at your data sovereignty requirements.
Bill Tolson:
Jim, another question and this has to do with, we've been talking about regulatory requirements, but actually has to do with litigation too. And we've talked about this in other podcasts. But litigation often spans country borders. And if companies are storing stuff in the cloud and that cloud is Japan or in the EU, how does that work with, for example, an eDiscovery request? And I know we've talked about this idea of the Microsoft case and where that went and what kind of laws that triggered.
Jim McCarthy:
It did. The Microsoft case that started in New York, which dealt with data that was in Ireland at one of its data centers was a very interesting case because it tested the limits of this concept of the data sovereignty and the enforceability. One of the takeaways from that case is the recognition by governments all over the world as to the very long arm of the law. And in particular US law. We bring up the Cloud Act. The Cloud Act is a law enforcement tool that the US can use to get information maintained by companies in the US but not necessarily data that lives in the US. It could be from other countries entirely. Again, using our Microsoft example, Microsoft has a PII on people in let's say, Germany or France. The Cloud Act can be used to gather just that information. And not only one way, Bill. Importantly, the Cloud Act also allows other governments to apply for permission to get information as to US citizens' PII.
Jim McCarthy:
This is a very concerning overreach, some would say, that has now resulted in a breakdown of our streams of commerce when we talk about the standard contractual clauses being undermined and the recent decision, the Schrems II decision. This is a big concern that other countries have, because like we said earlier, their expectations of privacy are different than perhaps the US expectation of privacy and US has a deference for law enforcement that other countries may simply not share. Bill, I think the real question is, how can you, as an enterprise, insulate your customer's data so that it's not susceptible to bad actors or government overreach as perceived by another country? How do you do that? And you're going to hopefully talk to me about a phrase that I'm not so comfortable talking about, because I don't understand it. Tell me about homomorphic encryption.
Bill Tolson:
Yeah, no, this is actually one of the bigger topics that we have clients talk to us about and we're not passing judgment on the Cloud Act or anything else, but we do have, especially European based companies, who are very aware of this. And this is tied to the privacy shield and standard contractual clauses and all kinds of neat things. And the fear that if their data is kept even in a US company's based cloud data center, that based on the Cloud Act that the US government can demand that US company take the data from that foreign location in their servers and have to turn it over. And a lot of, especially non US companies don't want that to happen both via intelligence agencies or just from an eDiscovery request.
Bill Tolson:
Sometimes they'll say, "Well gee, we want the data kept in a foreign country's data center." Well, if that data center's owned by a US company, then the Cloud Act could cause problems. What Jim was asking about encryption and homomorphic encryption, one of the only ways to really protect against that is for a US company or a data center to offer the ability to do localized encryption, on premise encryption of all data and keep those encryption keys on site so that a government agency, whatever country's government agency can't go to that data center in whatever company it is and using, we talked about secrecy orders before. Going to the company and saying, "I need company ABC's data and you need to turn it over to us. And oh by the way, you cannot tell them that you turned it over to us. They will never know."
Bill Tolson:
And companies obviously are a little nervous about that. The idea is to actually locally encrypt that data before it's moved into the cloud, keep those encryption keys locally. Therefore, even the cloud solution provider cannot offer that data. Can't decrypt that data. If that foreign country really does, for whatever reason, need that data, they have to go to the data's owner specifically and say, "Here's a subpoena, here's a warrant. Turn over your data." And that gives the data owner the ability to fight it in court before they turn the data over instead of it being just turned over blindly and the data owner never knowing that it was turned over. And homomorphic encryption actually gets into that and allows for that fully encrypted data to be moved into the cloud, but also be fully manageable because you can imagine an encrypted file is absolutely unreadable in most cases. And if that's stored in the cloud, it can't really be managed except maybe based on length of time or something like that.
Bill Tolson:
But an archiving system with homomorphic encryption allows them to have a fully encrypted set of data in the cloud and have it be manageable, referenceable, be able to run analytics on it and all that kind of stuff. The idea is everybody should be looking at the idea of doing on prem encryption before utilizing any cloud repository. And that takes this whole idea of intrusive eDiscovery or government agencies going in and getting access to a company's data without them knowing it.
Jim McCarthy:
That's a good point. When you were explaining homomorphic encryption, Bill, I thought of the adage that was if a tree falls in the wood and nobody hears it, did it really happen? I guess what you're saying is that if this data is field encrypted or encrypted on prem, before it goes to the cloud and it is indeed hacked by either a bad actor or sought via a subpoena, you can't read the data.
Bill Tolson:
Yeah, it's useless.
Jim McCarthy:
In my mind, then that is a terrific preventive step so as to comply with all of these data sovereignty laws. For example, the EU has 28 different data sovereignty laws and many more throughout the world. By creating this field encryption or the homomorphic model, in my mind, I can defend all of those data sovereignty laws in one fell swoop.
Bill Tolson:
And that brings up a question. I think I've asked you in the past, and I don't think we have an answer for it, but the idea is this, if I'm in France and I fully encrypt a file and keep the encryption keys on prem and I store that file in a cloud in the United States, have I violated data sovereignty? Because it's absolutely unusable.
Jim McCarthy:
Without getting too deep into the definition sections in each one of these data sovereignty laws, I think at a minimum, it has to be data that can be viewed. In other words, if you see evidence of data, but don't see the data itself, how could you logically be held to be violating any law itself?
Bill Tolson:
I think that is absolutely true and I think that's a really interesting topic that I think the GDPR authorities need to address. And somehow, I don't think they're going to do it anytime in the near future, but I think your description of the data needs to be viewable to have violated the sovereignty requirement. And if that's the case, what does that open up? Gee, if I fully encrypt my data and then store it in the United States, are people going to do that? In reality, they don't really need to because there are data centers all over the world, but I could see that question coming up from some clients in the future. I think we might need to at least have a stance on that sometime here in the future.
Jim McCarthy:
I think a CISO would welcome the opportunity of being able to comply with all of the different laws that are out there by simply doing one preventative step. And I think this homomorphic encryption may just be that prescription. In my mind, that truly enables a customer to get end to end encryption.
Bill Tolson:
And meet their privacy and sovereignty requirements at the same time. Yeah. Data sovereignty now, as well as privacy is really come to the forefront, is a critical issue for many companies doing business, especially those doing business in other countries or at least purchasing PII from other countries. Especially from the EU and stuff like that. In my mind, it's always a great idea to ask for written opinions from your legal department or your outside legal counsel on your current or planned data handling and storage procedures. Gee, I have a new process for storing stuff. Nowadays, it's probably a good idea to get a written opinion from your attorneys before you actually spend money doing that, right?
Jim McCarthy:
I would agree. Setting this up in advance, it brings up the other adage is an ounce of prevention is worth a pound of cure, right?
Bill Tolson:
Oh yeah. Yeah. I once had a law firm partner tell me, he said, "Always ask for legal written opinions on this kind of stuff from your legal department or outside legal counsel because they are your insurance policy," you being the individual. Because if something bad happens down the line and everybody's looking at you because they think you made the mistake, it's always nice to pull out something saying, "No, no, no, no. My lawyer said it was fine." I've always kept that in mind.
Bill Tolson:
All right. Well, Jim, that again, wraps up this podcast on data sovereignty and information governance and the kinds of topics. Again, if anybody has questions on these topics, please send an email mentioning this podcast to info@archive360.com and we'll get back to you quickly on it. We are going to continue to be generating new podcasts and keep an eye out for new ones as they appear. But please, if you do have the time, we'd love to hear about what your opinions are of how we're doing the podcast, the content, all of that kind of stuff so please let us know. And with that, I will close it. And Jim, it's been great as usual. I appreciate the time and until the next one.
Jim McCarthy:
Good speaking with you today, Bill.
Bill Tolson:
Thanks.