The awaking’s of data sovereignty – or enough is enough!
Our daily live is relentless shaped by digitalisation, regardless we act in our private, business or political sphere. Vast amounts of data are collected, stored, processed, analysed and often profitable distributed legally or illegal. The users got aware of this infringement of their privacy by the international established privacy and data protection regulations, as for example the European GDPR.
This consciousness of self determination regarding personal data, even made governments realise a growing awareness of national data sovereignty. Actually, we face a clash of international rights, and global interests of the stakeholders, the ones who want to use data, and the ones who wants to protect data.
The trend gets very clear with examples of some cases:
The Kingdom of Saudi Arabia is a growing major hub for the IT-world especially under the Vision 2030, and there is a growing awareness on data sovereignty and the importance of data privacy. (announcement to develop a secure local messenger service https://www.arabnews.com/node/1729681/saudi-arabia; privacy to be top priority on cybersecurity https://www.arabnews.com/node/1749156/saudi-arabia)
The United States of America and the recent policy acts by the Trump administration, regarding e.g. HUAWEI, and or BYTEDANCE – TikTok, to protect the data sovereignty of the US and the data of the US-users https://www.nytimes.com/2020/09/15/opinion/united-states-huawei.html https://www.nytimes.com/2020/09/18/business/trump-tik-tok-wechat-ban.html. The case gets somehow a different perspective, if we take a look into the laws of the Republic of China; the law on Counterespionage (2014), Cybersecurity law (2016) or the National Intelligence Law (2017) [https://www.canada.ca/en/security-intelligence-service/corporate/publications/china-and-the-age-of-strategic-rivalry/chinas-intelligence-law-and-the-countrys-future-intelligence-competitions.html] The NIL 2017 determines a broad range of powers to intelligence organs to protect the interests of the state, and this concerns as well Data and the access to Information.
The US-privacy shield and the GDPR; The European Supreme Court and its decision 16.07.2020 (Az: C311/18) invalidates the US-privacy shield, the USA and their providers are not compliant to data security and privacy, which means that no data transfer to the US is allowed. https://www.bbc.com/news/technology-53418898; curia.europa.eu/juris/celex.jsf?celex=62018CJ0311&lang1=de&type=TXT&ancre=
The US-privacy shield gets a different perspective if you take a look into the case USA vs. Microsoft https://www.justice.gov/archives/opa/blog-entry/file/937006/download and the US-cloud-act, also signed under the Trump administration. US authorities are now expressly allowed to access data of non-US persons and companies that are only stored abroad, largely unrestricted by foreign law, at least if US companies control them.
The term “controlled” is very undetermined, and leaves open doors even if data centers are operated outside the US, which is on the global policy by many governments that data centers have to be operated locally (e.g. GCC countries), but is this enough to ensure data sovereignty?
What if not only the USA or China restrict incompliant foreign providers to access to their IT-market, justified with the protection of national security, and data sovereignty?
It is more than obvious that data protection gets a top priority on any level, private, corporate or government, and that those companies who operate on a high secure and privacy business model will have an edge over those who don’t want to change or simply cannot change easyly.
About the author
- Mag. Michel Sharbin
- Certified data protection officer (DKU)
- Lawyer (KFU)
- Adviser to various national and international companies, investment companies, UHNWI and state institutions