Data sovereignty

Last updated

Data sovereignty is the idea that data is subject to the laws and governing structures of the nation where they are collected. In other words, a country is able to control and access the data that is generated in its territories [1] . An example of a nation's data sovereignty policy would be Australia's Privacy Policy guidelines, also known as APP. [2] The APP contains 13 principles for how all personal or organizational data in Australia is meant to be kept. [2] For many countries, the issue of data sovereignty is presented as an issue of national security with concerns over being able to protect citizens' personal data. [1] Data can be used to help improve medical care, reinforce national security as well as have a positive impact on many economic and social infrastructures but may also be used for identity theft and other data related attacks. [1]

Contents

The concept of data sovereignty is closely linked with data security, cloud computing, network sovereignty, and technological sovereignty. Unlike technological sovereignty, which is vaguely defined and can be used as an umbrella term in policymaking, [3] data sovereignty is specifically concerned with questions surrounding the data itself. [4] The issue of managing data sovereignty can be considered more complex when introducing the idea of cloud computing, where data can be accessed globally; meaning organizations and companies must comply with multiple nations data laws. [5] Data sovereignty is also associated with data localization, the requirement that data be stored within a specified region, and data residency, the actual location in which the data is stored, such as cloud servers. [1]

Data sovereignty as the idea that data is subject to the laws and governance structures within one nation, is usually discussed in one of two ways: in relation to Indigenous groups and Indigenous autonomy from post-colonial states, or in relation to transnational data flow. [6] With the rise of cloud computing, many countries have passed various laws around the control and storage of data, which all reflect measures of data sovereignty. [4] More than 100 countries have some form of data sovereignty laws in place. [7] With self-sovereign identity (SSI), the individual identity holders can fully create and control their credentials, although a nation can still issue a digital identity in that paradigm. [8]

History

The Snowden revelations on the National Security Agency's (NSA) PRISM program provided a catalyst for global data sovereignty discussions. It was revealed that the US was collecting vast swaths of data not only from American citizens, but from around the world. [9] The program was designed “to "receive" emails, video clips, photos, voice and video calls, social networking details, logins and other data held by a range of US internet firms” such as American tech companies like Facebook, Apple, Google, and Twitter among others. [10] In the wake of the revelations, countries became increasingly concerned with who could access their national information and its potential repercussions. Their worries were further exacerbated due to the US Patriot Act. [10] Under the act, US officials were granted access to any information physically within the United States (such as server farms), regardless of the information's origin. [11] This meant that any information collected by an American server would have no protection from the US government. [11]

Another instance that put data sovereignty in the news was a case between Microsoft and the US government. In 2013, the Department of Justice (DoJ) demanded that Microsoft grant the DoJ access to emails “related to a narcotics case from a Hotmail account hosted in Ireland”. [12] [13] Microsoft refused, stating that this transfer would result in the company breaking data localization and protecting laws in the EU. [14] The initial ruling was in favor of the US government, with Magistrate James Francis concluding that American companies “must turn over private information when served with a valid search warrant from US law enforcement agencies". [14] Microsoft asked for an appeal and went to court again in 2016 with the case Microsoft v. United States. John Frank, the VP for EU Government Affairs at Microsoft, stated in a 2016 blog post that a US court of appeals ruled in favor of Microsoft, supporting the notion that "US search warrants do not reach our customers' data stored abroad". [15] On October 23, 2017, Microsoft said it would drop the lawsuit as a result of a policy change by the Department of Justice (DoJ) [16] that represented “most of what Microsoft was asking for." [17]

Indigenous context

Discussions of Indigenous data sovereignty for Indigenous peoples of Canada, New Zealand, Australia, and the United States of America are currently underway. [18] Data sovereignty is seen by Indigenous peoples and activists as a key piece to self-governance structures and an important pillar of Indigenous sovereignty as a whole. [19] The decolonization of data is seen by activists as a way to give power to Indigenous people to "determine who should be counted among them" and would be able to better reflect the "interests, values and priorities of native people". [19] Scholars also argue that given the power over their own data, Indigenous peoples would be able to decide which data gets disseminated to the public and what does not, a decision typically made by the settler government. [19] According to author Peter Yu, as discussed in his article on the Power of Data in Aboriginal Hands, [20] the significant gaps in statistical data that can be seen with indigenous people is highlighted in importance. It is believed that by restoring control over data, new possibilities for improvement will open and lead to increased understanding, dialogue, accountability, and even "informed decision-making" [20] which one could argue would give the power back to indigenous people. [20] Currently some researchers, such as Ray Lovett, argue that there is a significant issue when looking at statistical expertise and capacity. In fact, it is believed that if statistical capacity is increased it could be the exact pivoting point that indigenous peoples will need in order to better "assert data sovereignty". [21]

In New Zealand, Te Mana Raraunga, a Māori data sovereignty network, created a charter to outline what Māori data sovereignty would look like. Some of the requests in the charter included "asserting Māori rights and interests in relation to data", "advocating for Māori involvement in the governance of data repositories" and "Supporting the development of Māori data infrastructure and security systems". [22]

In Canada, Gwen Phillips of the Ktunaxa nation of British Columbia has been advocating for Ktunaxa data sovereignty and other pathways towards self-governance in the community. [23]

Data sovereignty, in regards to indigenous groups, can also be viewed under the lens of health data as it is collected and stored in the nation for research purposes [24] [25] . Many Indigenous groups today are reluctant to share health data due to a history of exploitation and improper handling of their data as well as their data being historically used in ways that they did not consent or agree to [24] [25] . Some scholars argue that in order for the creation of a complete global genomic conservation effort to be feasible, it will need to work within the framework of Indigenous data sovereignty [24] . At the United Nation’s level, the UN General Assembly formally agreed to adopt the UN’s Declaration on the Rights of Indigenous Peoples. This declaration confirms that indigenous people have the right to control their own scientific and technical data, including the ability to protect and maintain their own human and genetic resources [24] .Additionally, in light of this declaration, the study Access and Managment: Indigenous Perspectives on Genomic Data Sharing [26] , observed that when various individuals from different tribes were asked if they think tribes should share their data or not, most were fairly apprehensive [26] . To be specific, most participants expressed an emphasis on confidentiality and deidentification [26] . Although, many shared a common view on remaining anonymous, they did however vary when it came to whether or not the data should be shared [26] . While some were apprehensive and did not feel comfortable sharing this data, others were fine with letting this information be public. Despite being open to sharing the data many individuals had specific cavoites. In fact, one participant believed that if they were to share this data then they "need to do a better job of understanding what that data-sharing really means, and what’s done with it" [26] .

National data sovereignty measures

Canada has enacted various data sovereignty measures, primarily on the storage of Canadian data on Canadian servers. As part of Canada's IT strategy for the years 2016–2020, data localization measures were discussed as a way to uphold citizens' privacy. [27] By using Canadian servers to store Canadian data as opposed to American servers, this would safeguard Canadian data from being subject to the US Patriot Act. [11] In 2017, it was discovered that Shared Services Canada and the Communications Security Establishment were "exploring options for sensitive data storage on U.S.-based servers" with Microsoft". [28]

Also in 2016, the EU Parliament approved its own data sovereignty measures within a General Data Protection Regulation (GDPR). [29] This regulatory package homogenizes data protection policy for all European Union members. It also includes an addendum that establishes extraterritorial jurisdiction for its rules to extend to any data controller or processor whose subjects are EU citizens, regardless of the location the holding or processing is conducted. This forces companies based outside of the EU to reevaluate their sitewide policies and align them with another country's law. The GDPR also effectively replaced the 1995 European Data Protection Directive [30] that had originally established the free movement of personal data between member state borders, and in doing so granted interoperability of such data among nearly thirty countries.

Criticism

A common criticism of data sovereignty brought forward by corporate actors is that it impedes and has the potential to destroy processes in cloud computing. [31] Since cloud storage might be dispersed and disseminated in a variety of locations at any given time, it is argued that governance of cloud computing is difficult under data sovereignty laws. [31] For example, data held in the cloud may be illegal in some jurisdictions but legal in others. [4] The concept of a sovereign cloud is proposed as a solution to address this challenge. [32] [33]

Some scholars have presented the argument that data sovereignty involves the authority of the state being able to control data. This excessive power that the state and a few large corporations hold, due to their direct influence over data resources, can undermine the security of data sovereignty. [34]

According to economist and political science Professor Susan Ariel Aaronson, founder and director of the Digital Trade and Data Governance Hub at George Washington University, [35] "some governments are seeking to regulate the commercial use of personal data without enacting clear rules governing public sector use... The hoarding of data by nations or firms may reduce data generativity[ clarification needed ] and the public benefits of data analysis." [36]

See also

Related Research Articles

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

The right to privacy is an element of various legal traditions that intends to restrain governmental and private actions that threaten the privacy of individuals. Over 185 national constitutions mention the right to privacy. On 10 December 1948, the United Nations General Assembly adopted the Universal Declaration of Human Rights (UDHR); while the right to privacy does not appear in the document, many interpret this through Article 12, which states: "No one shall be subjected to arbitrary interference with their privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks."

<span class="mw-page-title-main">Australian Indigenous sovereignty</span> Concept and political movement regarding land ownership by Indigenous peoples in Australia

Australian Indigenous sovereignty, also recently termed Blak sovereignty, encompasses the various rights claimed by Aboriginal and Torres Strait Islander peoples within Australia. Such rights are said to derive from Indigenous peoples' occupation and ownership of Australia prior to colonisation and through their continuing spiritual connection to land. Indigenous sovereignty is not recognised in the Australian Constitution or under Australian law.

Data security means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

Data portability is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. closed platforms, thus subjecting them to vendor lock-in and making the creation of data backups or moving accounts between services difficult.

<span class="mw-page-title-main">United Nations International Computing Centre</span> Specialized agency of the United Nations

The United NationsInternational Computing Centre (UNICC) was established in 1971 by a Memorandum of Agreement among the United Nations (UN), the United Nations Development Programme (UNDP) and the World Health Organization (WHO), pursuant to resolution 2741 (XXV) of the United Nations General Assembly. It was created as an inter-organization facility to provide electronic data processing services for themselves and other Users.

Cloud computing security or, more simply, cloud security, refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

<span class="mw-page-title-main">Digital privacy</span>

Digital privacy is often used in contexts that promote advocacy on behalf of individual and consumer privacy rights in e-services and is typically used in opposition to the business practices of many e-marketers, businesses, and companies to collect and use such information and data. Digital privacy, a crucial aspect of modern online interactions and services, can be defined under three sub-related categories: information privacy, communication privacy, and individual privacy.

<span class="mw-page-title-main">General Data Protection Regulation</span> EU regulation on the processing of personal data

The General Data Protection Regulation, abbreviated GDPR, or RGPD is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

<span class="mw-page-title-main">Network sovereignty</span> Effort to create boundaries on a network

In internet governance, network sovereignty, also called digital sovereignty or cyber sovereignty, is the effort of a governing entity, such as a state, to create boundaries on a network and then exert a form of control, often in the form of law enforcement over such boundaries.

Cloud computing is used by most people every day, but there are issues that limit its widespread adoption. It is one of the fast developing area that can instantly supply extensible services by using internet with the help of hardware and software virtualization. Cloud computing biggest advantage is flexible lease and release of resources as per the requirement of the user. Its other advantages include efficiency, compensating the costs in operations and management. It curtails down the high prices of hardware and software

Technological sovereignty is a political outlook where information and communications infrastructure and technology is aligned to the laws, needs and interests of the jurisdiction in which users are located; data sovereignty or information sovereignty sometimes overlaps with technological sovereignty, since their distinctions are not clear, and also refer to subjective information about the laws of the country in which the data subject is a citizen, or the information is stored or flows through, whatever its form, including when it has been converted and stored in binary digital form.

Data localization or data residency law requires data about a nation's citizens or residents to be collected, processed, and/or stored inside the country, often before being transferred internationally. Such data is usually transferred only after meeting local privacy or data protection laws, such as giving the user notice of how the information will be used, and obtaining their consent.

<span class="mw-page-title-main">NOYB</span> European data protection advocacy group

NOYB – European Center for Digital Rights is a non-profit organization based in Vienna, Austria established in 2017 with a pan-European focus. Co-founded by Austrian lawyer and privacy activist Max Schrems, NOYB aims to launch strategic court cases and media initiatives in support of the General Data Protection Regulation (GDPR), the proposed ePrivacy Regulation, and information privacy in general. The organisation was established after a funding period during which it has raised annual donations of €250,000 by supporting members. Currently, NOYB is financed by more than 4,400 supporting members.

<span class="mw-page-title-main">CLOUD Act</span> United States federal data privacy and government surveillance law

The Clarifying Lawful Overseas Use of Data Act or CLOUD Act is a United States federal law enacted in 2018 by the passing of the Consolidated Appropriations Act, 2018, PL 115–141, Division V.

A data economy is a global digital ecosystem in which data is gathered, organized, and exchanged by a network of companies, individuals, and institutions to create economic value. The raw data is collected by a variety of factors, including search engines, social media websites, online vendors, brick and mortar vendors, payment gateways, software as a service (SaaS) purveyors, and an increasing number of firms deploying connected devices on the Internet of Things (IoT). Once collected, this data is typically passed on to individuals or firms, often for a fee. In the United States, the Consumer Financial Protection Bureau and other agencies have developed early models to regulate the data economy.

The Cybersecurity Law of the People's Republic of China, commonly referred to as the Chinese Cybersecurity Law, was enacted by the National People’s Congress with the aim of increasing data protection, data localization, and cybersecurity ostensibly in the interest of national security. The law is part of a wider series of laws passed by the Chinese government in an effort to strengthen national security legislation. Examples of which since 2014 have included the data security law, the national intelligence law, the national security law, laws on counter-terrorism and foreign NGO management, all passed within successive short timeframes of each other.


The EU Cloud Code of Conduct is a transnational Code of Conduct pursuant Article 40 of the European General Data Protection Regulation (GDPR).

Indigenous librarianship is a distinct field of librarianship that brings Indigenous approaches to areas such as knowledge organization, collection development, library and information services, language and cultural practices, and education. The Encyclopedia of Library and Information Sciences states that Indigenous librarianship emerged as a "distinct field of practice and an arena for international scholarship in the late twentieth century bolstered by a global recognition of the value and vulnerability of Indigenous knowledge systems, and of the right of Indigenous peoples to control them."

References

  1. 1 2 3 4 "Data Sovereignty: Protecting Our Digital Footprint in the Age of Information". Kiteworks | Your Private Content Network. Retrieved 11 December 2024.
  2. 1 2 OAIC (10 March 2023). "Australian Privacy Principles". OAIC. Retrieved 11 December 2024.
  3. Maurer, Tim; Morgus, Robert; Skierka, Isabel; Hohman, Mirko (November 2014). "Technological Sovereignty: Missing the Point?" (PDF). digitaldebates.org.
  4. 1 2 3 Irion, Kristina (1 December 2012). "Government Cloud Computing and National Data Sovereignty". Policy & Internet. 4 (3–4): 40–71. doi:10.1002/poi3.10. ISSN   1944-2866. S2CID   261812714.
  5. "What is data sovereignty? | IBM". www.ibm.com. 5 June 2024. Retrieved 11 December 2024.
  6. Chander, Anupam; Sun, Haochen, eds. (2024). Data Sovereignty: From the Digital Silk Road to the Return of the State. Oxford, United Kingdom: Oxford University Press. Open Access logo PLoS transparent.svg
  7. "Gilmore, David, DataFleets, "Google Scrapped Cloud Initiative in China, Other Markets", Bloomberg News". Bloomberg News . 8 July 2020.
  8. Kukutai, Tahu, and John Taylor. Indigenous Data Sovereignty: Toward an Agenda. ANU Press, 2016.
  9. Padilla, Len (9 June 2014). "Four ways the NSA revelations are changing businesses". The Guardian. ISSN   0261-3077 . Retrieved 28 November 2017.
  10. 1 2 Kelion, Leo (25 June 2013). "Q&A: NSA's Prism internet surveillance scheme". BBC News. Retrieved 16 November 2017.
  11. 1 2 3 "USA PATRIOT Act Comprehensive Assessment Results". Treasury Board of Canada Secretariat. 28 March 2006.
  12. Thielman, Sam (2 September 2015). "Nationality in the cloud: US clashes with Microsoft over seizing data from abroad". The Guardian . ISSN   0261-3077 . Retrieved 30 November 2017.
  13. Marks, Joseph (8 September 2015). "Can the US demand emails stored in Ireland?". Politico . Retrieved 30 November 2017.
  14. 1 2 Gibbs, Samuel (29 April 2014). "US court forces Microsoft to hand over personal data from Irish server". The Guardian. ISSN   0261-3077 . Retrieved 30 November 2017.
  15. Frank, John (5 September 2016). "Our search warrant case: Microsoft's commitment to protecting your privacy". EU Policy Blog. Microsoft. Retrieved 30 November 2017.
  16. "Microsoft drops lawsuit after U.S. government revises data request transparency rules". venturebeat.com. VentureBeat. Reuters. 24 October 2017. Retrieved 30 November 2017.
  17. Woollacott, Emma. "Microsoft Drops Lawsuit As DoJ Reins In Use of Gagging Orders". Forbes. Archived from the original on 24 October 2017. Retrieved 30 November 2017.
  18. Rainie, Stephanie Carroll; Schultz, Jennifer Lee; Briggs, Eileen; Riggs, Patricia; Palmanteer-Holder, Nancy Lynn (2017). "Data as a Strategic Resource: Self-determination, Governance, and the Data Challenge for Indigenous Nations in the United States". The International Indigenous Policy Journal. 8 (2). doi: 10.18584/iipj.2017.8.2.1 . hdl: 10150/624737 .
  19. 1 2 3 Taylor, John; Kukutai, Tahu (25 November 2016). Indigenous data sovereignty: toward an agenda. Australian National University. Centre for Aboriginal Economic Policy Research. Acton, ACT, Australia. ISBN   9781760460303. OCLC   947953955.{{cite book}}: CS1 maint: location missing publisher (link)
  20. 1 2 3 Director, Centre; caepradmin.cass@anu.edu.au (17 May 2017). "The Power of Data in Aboriginal Hands -". Centre for Aboriginal Economic Policy Research. Retrieved 10 December 2024.
  21. Lovett, R. (2016). Aboriginal and Torres Strait Islander community wellbeing: identified needs for statistical capacity. In T. KUKUTAI & J. TAYLOR (Eds.), Indigenous Data Sovereignty: Toward an agenda (Vol. 38, pp. 213–232). ANU Press. http://www.jstor.org/stable/j.ctt1q1crgf.19
  22. "Te Mana Raraunga – Māori Data Sovereignty Network Charter" (PDF). Te Mana Raraunga.
  23. Phillips, Gwen (12 August 2017). Lauriault, Tracey P.; Lim, Merlyna (eds.). Data Power 2017 Keynote: Indigenous Data Sovereignty and Reconciliation. Ottawa: Data Power. doi: 10.22215/1/conf/dp2017.1 . Retrieved 16 November 2017 via YouTube.
  24. 1 2 3 4 Mc Cartney, Ann M.; Anderson, Jane; Liggins, Libby; Hudson, Maui L.; Anderson, Matthew Z.; TeAika, Ben; Geary, Janis; Cook-Deegan, Robert; Patel, Hardip R.; Phillippy, Adam M. (25 January 2022). "Balancing openness with Indigenous data sovereignty: An opportunity to leave no one behind in the journey to sequence all of life". Proceedings of the National Academy of Sciences. 119 (4): e2115860119. Bibcode:2022PNAS..11915860M. doi: 10.1073/pnas.2115860119 . PMC   8795560 . PMID   35042810.
  25. 1 2 Cordes, Ashley; Bak, Marieke; Lyndon, Mataroria; Hudson, Maui; Fiske, Amelia; Celi, Leo Anthony; McLennan, Stuart (4 July 2024). "Competing interests: digital health and indigenous data sovereignty". npj Digital Medicine. 7 (1): 1–5. doi:10.1038/s41746-024-01171-z. ISSN   2398-6352.
  26. 1 2 3 4 5 Garrison NA, Barton KS, Porter KM, Mai T, Burke W, Carroll SR. Access and Management: Indigenous Perspectives on Genomic Data Sharing. Ethn Dis. 2019 Dec 12;29(Suppl 3):659-668. doi: 10.18865/ed.29.S3.659. PMID: 31889771; PMCID: PMC6919970.
  27. Treasury Board of Canada Secretariat (13 June 2016). "Government of Canada Information Technology Strategic Plan 2016-2020". canada.ca. Retrieved 16 November 2017.
  28. Beeby, Dean (8 September 2017). "Canadian agencies discuss US 'cloud' storage of sensitive data with Microsoft". CBC News. Retrieved 30 November 2017.
  29. "What is GDPR Hosting and How Will it Impact Your Website?". Verpex. Retrieved 17 August 2021.
  30. Directive 95/46/EC of 1995-10-24 of the European Parliament and of the Council Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data
  31. 1 2 Ettling, Mike (26 December 2015). "The Cloud's Biggest Threat Are Data Sovereignty Laws". TechCrunch. Retrieved 16 November 2017.
  32. Staniszewski, Przemysław (26 September 2024). "Oracle Sovereign Cloud: Is it the answer to your privacy concerns?". Pretius. Retrieved 28 October 2024.
  33. "The pros and cons of sovereign clouds | TechTarget". Cloud Computing. Retrieved 28 October 2024.
  34. Liu, Jinhe (2 January 2020). "China's data localization". Chinese Journal of Communication. 13 (1): 84–103. doi:10.1080/17544750.2019.1649289. ISSN   1754-4750.
  35. "Our Team Susan Ariel Aaronson" Archived 2022-09-30 at the Wayback Machine Institute for Data, Democracy & Politics, School of Media and Public Affairs, The George Washington University. Retrieved September 30, 2022.
  36. Aaronson, Susan (3 August 2021). "Data is disruptive: How data sovereignty is challenging data governance". Hinrich Foundation. Retrieved 4 January 2022.