Swapping time and space...

Data sovereignty: control and protection for businesses in the era of cloud computing

July 11, 2023
Giulia Borgoni

Data sovereignty has gained significant importance in today's business landscape. It refers to the control and protection of data belonging to European companies and citizens, and was introduced by the European Union even before the implementation of GDPR.

In line with this concept, the European Union has launched the Gaia-X project, which aims to create an interconnected and distributed European cloud infrastructure. The project's objective is to ensure full control over data and precise localization within the boundaries of the Old Continent.

The Gaia-X project specifically aims to limit monopolistic control by major tech players such as Facebook, Google, and Amazon, or any international companies that store information in data centers whose precise location is often unknown.

However, Gaia-X is not solely focused on data control and protection for EU companies and citizens. Its primary goal is to generate tangible economic value from data and enable their smart processing and exchange to make impactful economic and social decisions.

Data sovereignty is a legal term used in guidelines and regulations related to data management and privacy protection adopted by various countries. It goes beyond the concept of "data residency," which simply refers to the geographic location of data at any given time. Data sovereignty encompasses access and generation of information derived from data processing.

The concept of data sovereignty emerged with the proliferation of cloud architectures, particularly during the initial stages when cloud computing was predominantly public and managed by hyperscale providers. During that time, business data would transit or reside in data centers where even the cloud provider often had limited knowledge of their precise location due to extensive virtualization.

The introduction of GDPR and increased outsourcing activities have extended data responsibilities to new entities, even if they are not the data owners themselves. Unfortunately, these entities often fail to provide adequate guarantees for data usage.

As a result, valuable and sensitive corporate data has been and continues to be stored or routed through data centers located in foreign countries with different legislative frameworks for data protection, when such frameworks exist.

Data sovereignty is not solely relevant to businesses. Since GDPR holds companies directly accountable for their own data as well as data passing through their infrastructure, it is a matter of concern for businesses as well.

References