What is data sovereignty?

There is no ambiguity about sovereignty. In law, it is defined as “the supreme, absolute, and uncontrollable power by which an independent state is governed”. As far as the cloud is concerned, sovereignty is therefore absolute power over one’s own data and applications.

Let’s be clear from the get-go: using the cloud means accepting the loss of some power and authority in return for flexibility, performance, and access to innovative services that would be financially and technologically impossible to obtain locally.

Outsourcing services

Let me elaborate! Imagine you decide to outsource your customer relationship management (CRM) application. The application and its data are now stored on your service provider’s servers. You thereby entrust the provider with the hardware, the backups, and access control management, to name just a few services. You hand over a portion of your power to your provider in return for, say, a better quality of service or universal, fast access.

A few months later, your organization is caught up in a financial scandal and the Prosecutor’s office orders access to the customer data stored in your CRM’s database. If the service provider is in the same country as your principal place of business, it is almost indisputable that it will provide access to your data. What if the data are stored in another country? The Prosecutor’s office no longer has sovereignty there, so it will need to go through an international process, which will be more complex, time-consuming and costly. There is, however, a strong chance that it will obtain the data, unless it finds itself facing a State whose law is unclear and without legal precedent.

Let’s now look at the problem the other way round. The Prosecutor’s office of the other country launches proceedings against your company. If your data are located on the territory of the country of your principal place of business, then we are almost back in the previous case and your sovereignty applies. If your data are in the other country, the one that starts the proceedings, there is a good chance that the law of that country will apply and that access to the data will be granted without you or the local courts having a say.

The location of the data center is important. Edward Snowden’s revelations showed that a country like the United States could abuse its sovereignty and access the data of individuals and companies stored on its soil. Conversely, the appeal won by Microsoft against the Government of the United States indicates that a State may not unilaterally compel a service provider to hand over data located in another country.

USA Legal Framework

When you read the minutes of the hearing in the case of “Microsoft against the Government of the United States”, you find two particularly interesting points:

  • « The effect of the government’s demand here impermissibly fell beyond U.S. borders and therefore the Microsoft warrant should be quashed ». In other words, the mere fact that the data can be accessed from the United States does not mean the principle of territoriality ceases to apply. In this case the data is stored in Ireland, so Irish law applies, and the Government of the United States must use the mutual judicial assistance treaty to have the warrant executed on Irish soil. There are several such treaties, including one with the European Union.
  • « The SCA (Stored Communications Act) is outdated and overdue for congressional revision ». This is a crucial point that we will meet again later: most data protection laws are no longer in tune with internet technology. It is urgent to ensure that they follow the evolution of the internet more closely.

Europe Legal Framework

If one refers to EU Directive 95/46/EC, which regulated data protection in Europe, Parliament recognized that it no longer met the needs of our new digital era. Unlike the United States, for the moment, Europe has acted: the directive was repealed in 2016 and replaced by Regulation (EU) 2016/679, also called the GDPR (General Data Protection Regulation). This regulation is very important for any data stored on European territory, because it gives individuals control over their data and sets standards for the use of data for police and judicial purposes. As Marju Lauristin, the Member of the European Parliament in charge of this file, pointed out:
« In establishing European standards on the exchange of information between law enforcement authorities, the directive on data protection will become a powerful and useful instrument designed to help the authorities to transfer personal data easily and effectively while respecting the fundamental right to privacy ».

This brings us to a key point about data storage on European territory: Community law applies, and access to data is governed by Regulation 2016/679. Therefore, no blank check is given to the country in which the data is stored. When you think about it, this seems obvious, and yet it is not necessarily always the case.

The sovereignty issue is more complex than it seems at first glance. Yet, on reflection, and going back to the definition of sovereignty as the holding of supreme authority, as soon as your data or applications are hosted by a third party, you give up your sovereignty. It is that simple!


