More countries are adopting laws designed to protect the privacy of citizens and local entities by defining how data can be securely collected, stored, and used. Many organizations are re-evaluating how to comply with the changing geopolitical landscape and privacy/security regulations, which requires defining some relevant concepts:
- Digital sovereignty – the ability to have full control over your own digital destiny – the data, hardware, and software that you rely on and create [1]; in other words, individuals owning their own data and controlling its use
- Data residency – the physical and geographic location where data and metadata are stored and processed
- Data sovereignty – data is subject to the privacy laws and governance structures within the nation or jurisdiction where data is collected, stored, processed, and used
- Jurisdiction – a legal authority over data centers and clouds aligned to national standards and supported by national government
Data sovereignty laws are designed to protect the personal data of citizens or residents by controlling who can potentially have access. This keeps any sensitive data out of the hands of other countries and jurisdictions.
For example, the New York Times reports an executive order is in progress that is meant to prevent countries like China from gaining access to U.S. data [2]. Other countries require that data on their citizens remain only within national borders.
To ensure data sovereignty, rules may require that all related data, such as metadata, also resides locally. But location of data alone isn’t enough to ensure that data is only subject to the local legal jurisdiction. Enterprises, especially those operating outside the U.S. in the EU and other regions, are extremely concerned about the authority of the U.S. CLOUD Act. The 2018 U.S. CLOUD Act allows U.S. federal law enforcement to compel U.S.-based technology companies to provide requested data stored on company servers, regardless of whether the data is stored in the U.S. or on foreign soil [3].
That means using a U.S.-based public cloud provider for sensitive data might not be possible or suitable when complying with data sovereignty laws and local jurisdictional requirements. The Centre for European Policy Studies (CEPS) estimated that 92% of the Western world’s data is currently stored in the U.S., and over 100 countries now have data sovereignty laws [4].
The European Union’s General Data Protection Regulation (GDPR) has inspired similar regulations in other jurisdictions. GDPR requires all businesses that operate in or have customers in the EU to change how they collect, handle, and store personal data.
With the ever-changing landscape of data protection laws, the increased risk of data breaches, and evolving attack vectors, there is growing concern about sensitive national, corporate, and personal data being subject to the control of foreign authorities and companies.
Organizations that run afoul of these laws risk fines or lawsuits. As of May 2022, over 900 fines have been issued for GDPR violations, the largest of which topped $877 million (746 million Euro) [5]. The penalty for noncompliance can be steep, with fines of up to 20 million Euro (or 4% of worldwide turnover from the prior financial year).
Alongside protecting the way in which personal data is secured and used, many data sovereignty laws also restrict where data can go. For example, lawmakers in India are debating what types of citizen data are allowed to leave the country’s borders [6]. This has caused issues for some multinational companies that are unable to transmit data outside of a local jurisdiction. It can also impact international trade if data-sharing treaties between countries aren’t negotiated.
The effort to protect data as a new strategic asset is creating a clear need for sovereign clouds to secure and use data sensibly.
Customers want all the benefits of cloud but also need to meet rapidly growing and changing data privacy laws, while organizations need to protect data in the cloud against evolving cyberattacks.
As these laws impact business operations, organizations are seeking better ways to comply with data sovereignty laws and mitigate compliance risks. They need a way to store and process data locally and securely using a platform that is free from outside interference.
As a result of all this, the need for carefully architected sovereign clouds has gone mainstream, and VMware is powerfully positioned to expand its multi-cloud strategy with VMware Sovereign Cloud.
The benefits of VMware Sovereign Cloud for both cloud providers and customers
A common benefit of sovereign clouds for cloud providers and customers is compliance. Cloud providers can obtain compliance with local regulations and their appropriate jurisdiction through the construction of sovereign clouds. Customers gain the assurance that their privacy is maintained, and their data is stored, secured, and protected in their specific jurisdiction, by a partner with oversight and expertise in local laws and regulations.
Sovereign cloud providers can also accelerate local business growth by securely expanding into government data and developing a national capability for digital infrastructure and resilience. As the data economy becomes a vital national interest, sovereign states need a digital capability that prevents them from becoming dependent on foreign powers and operators for processing their own data.
VMware Sovereign Cloud Providers can help customers fully unlock the true value of protecting their national, corporate, and personal data by ensuring:
- ALL data (customer data and metadata) remains on sovereign soil
- Compliance with established and constantly changing privacy laws
- Autonomy with digital suppliers to guarantee continuity of digital services
- All customer information is managed appropriately and protected from foreign access
VMware Sovereign Cloud providers offer a cloud service that is designed specifically to meet data sovereignty requirements. It provides flexibility and scale for data storage and processing while complying with residency and sovereignty requirements. In future blogs, we will be sharing market trends, impacts, and needs that we’re seeing.
1. World Economic Forum, What is digital sovereignty and why is Europe so interested in it?, March 2021
2. New York Times, The Era of Borderless Data Is Ending, May 2022
3. Wikipedia, CLOUD Act, accessed June 2022
4. Bloomberg, Google Scrapped Cloud Initiative in China, Other Markets, July 2020
5. Tessian, 30 Biggest GDPR Fines So Far (2020, 2021, 2022), accessed July 2022
6. New York Times, The Era of Borderless Data Is Ending, May 2022