Data Sovereignty, Data Residency, Data Processing Chain
"In recent months many organizations that operate within EEA (European Economy Area) have been fined because of not being able to demonstrate compliance with GDPR for PII originated within EEA. Many of the biggest data controllers have been caught and fines have been very high. Lets be sure that we have just scratched the surface."
I wrote this text about 3 years ago, but decided it was not the right time to post it. What we have seen in the recent months shows both me and I assume most of those reading this that the fines we shaw 3 years ago were very moderate.
Few years ago, I was asked to analyze and get a clearer picture of the terms data sovereignty and data residency within the Azure Cloud Environment and especially within Microsoft 365 Multi-Geo environment. It turned out to very complicated, complex and fun stuff. It was like opening up Pandora's box with questions on who can have access to what data from what location across many jurisdictions and at the same time complying to privacy requirements in all applicable jurisdictions. One led to another and I would be looking at privacy laws and regulations in many countries and jurisdictions, including within EU, US and China.
Not all will be explained in details in a short post, but it is about data sovereignty (where the data is originated), data residency (where the data is stored) and from where the data is accessed (one part of data processing). This is not an issue when all parts are within the same jurisdiction, but can get very mezzy when spread among many. That could lead to incompateble laws and regulations decide on the data protection requirements. Many supervisory authorities having jurisdiction over the PII in question and each having their own view on compliance requirements.
GDPR in a way started this, but if one looks at privacy law and regulation in various countries, it actually turns out that restrictions on where PII can be processed can be found in most of them. Last year I did a compliance review of Chinese operation of an European organization. To do that I had to read through the Chinese Privacy Law and compare to GDPR. Very similar restrictions where in both direction. China is as concerned about that PII of their citizens would be transferred to other countries as EU is concerned about the tranfer of PII originated within EU.
For years I have had concerns that transfer of PII that multinational organizations have been involved were in compliance with even the older privacy regulation/directive. GDPR did not really add that much, except fines could get very high. Much higher than before. For me it was always questionable what PII originated within EU could be transferred and processed in other jurisdictions. And that was before a simple webpage was filled with analyzing tools collecting all kind of PII (and non-PII) to be processed in countless jurisdictions.
Go to a news website in any country and you will be asked to consent or decline the use of cookies. Most of these websites are in non-compliance with the privacy by default requirement and many ignore the requirement to limit the PII collection and processing to what is strictly necessary. The readers have no way of knowing which cookies apply to the page one is viewing, because such information is not made available to the reader. I have come across websites that claim they use more than 1000 sub-data processors to analyze how their website is used. Looking closer at each and everyone, it turns out that these subcontractors are located all around the world, including in jurisdictions that do not have a good repuation of protecting PII.
I sometimes wonder who has time to oversee between 450 and 1350 subprocessors and make sure that they comply with the TOM that should be part of the Data Processing Agreement. Well, of course nobody has the time and most do not care to monitor the data usage. But in reality the jurisdiction of the Data sovereignty should set the first level of PII protection, if the Data recidency is in another jurisdiction it defines the second level of PII protection and these two should then restrict who can access the PII and from where. But does anyone have the required overview?
This is simply what happened at Meta, Microsoft and Google and is possibly a problem at AWS and other multinational organizations that they think they can transfer PII from one jurisdiction to any other because the structure of the organization is some how optimize by doing that. Then when the PII has been transferred to US the locals are to expensive to do the work, so personnel are working in various countries around the world. This does not have to be in non-compliance with the applicable legislation in the country of data sovereignty, but as this gets more complicated it likely will.
The organization does not need to be as large as Meta, Microsoft and Google to be in this position. A school using webapplication as a tool in a class, can be in a similar situation. Or is it a bank, hospital or government agency. Most users of webapplications understand in which jurisdiction the data sovereignty is, they can on many occasion select the data center that will count as the data recidency, but they usually have no clue where the data is being processed. What is more, the data processing agreement is provided by the service provider, the customer (and data controller) has no way to make any changes to the agreement, usually such agreements do not mention how monitoring is performed and by whom, they do not provide enough information on subcontractors (like the cloud service provider) and we can continue.
I am not saying that people are misusing the data collected, but it only takes one bad apple to do the damage. One sub(subsub)contractor is perhaps not taking their security and privacy seriously and that results in data leakage. Or is it that in that jurisdiction security and privacy is not considered important. And who will get the fine? The data controller that thought he/she was doing everything right, but was lacking the overview or understanding of how complex the processing environment was in reality. If you think that this is complicated by now, it is simple compare to how it will be in the future. That is why organization need to get better understanding of data sovereignty, data residency and the data processing chain.