Data Sovereignty and Geographical Considerations


Data Sovereignty

Data sovereignty is the legal, regulatory, and jurisdictional control over data.

  • principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction
  • preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction
  • may demand certain concessions, such as using location-specific storage facilities in a cloud service
  • e.g., GDPR protections extend to any EU citizen while they are within EU or EEA (European Economic Area) borders
    • data subjects can allow transfer of their data outside the jurisdiction
    • but must have the option to refuse consent
    • if the transfer destination does not have equivalent privacy regulations, GDPR rights must still extend to the transferred data
    • in the US, companies can self-certify that their protections are adequate under the Privacy Shield scheme

Geographic Considerations

Geolocation refers to the identification of the geographic location of an object, such as a computing device or server.

  • Geographic access requirements fall into two different scenarios:
    • Storage locations might have to be carefully selected to mitigate data sovereignty issues
      • Most cloud providers allow a choice of datacenters for processing and storage
      • ensure information is not illegally transferred from a particular privacy jurisdiction without consent
    • Employees needing access from multiple geographic locations
      • can apply constraint-based access controls that validate the user's geographic location before authorizing access
  • Geographic restrictions impact:
    • data protection practices
      • by requiring organizations to ensure data remains within a designated boundary
        • e.g., utilizing local datacenters or cloud providers
      • also constrain practices such as data replication and data dispersion (copies must stay inside the boundary)
    • incident investigation and forensics activities
      • because they often include jurisdiction-specific data access and sharing restrictions, and other legal requirements
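The two geographic scenarios above (selecting a storage region that stays inside the data's privacy jurisdiction, and validating a user's location before authorizing access) combined into a small policy check, as an added example that is not part of the original notes. The jurisdiction membership lists, the region-to-country mapping, the region names, and the `DataSet`/`Decision` types are all constructed for illustration and do not describe any particular cloud provider.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Privacy jurisdictions mapped to the ISO 3166-1 alpha-2 country codes they cover.
# Constructed, abbreviated lists for illustration; load an authoritative list in practice.
JURISDICTIONS = {
    "EU_EEA": {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "PL", "SE",
               "IS", "LI", "NO"},  # EEA adds Iceland, Liechtenstein and Norway to the EU
    "US": {"US"},
}

# Cloud region name -> country where that datacenter physically resides.
# Hypothetical region names and a constructed mapping, not any provider's catalogue.
REGION_COUNTRY = {
    "eu-west-1": "IE",
    "eu-central-1": "DE",
    "us-east-1": "US",
    "ap-southeast-1": "SG",
}


@dataclass(frozen=True)
class DataSet:
    name: str
    jurisdiction: str                          # whose data-sovereignty rules govern this data
    subject_consented_transfer: bool = False   # data subject explicitly allowed cross-border transfer


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def storage_region_allowed(dataset: DataSet, region: str) -> Decision:
    """Storage-location check: may this dataset be stored or processed in the given region?"""
    boundary = JURISDICTIONS.get(dataset.jurisdiction)
    if boundary is None:
        return Decision(False, f"unknown jurisdiction {dataset.jurisdiction!r}; fail closed")
    country = REGION_COUNTRY.get(region)
    if country is None:
        return Decision(False, f"unknown region {region!r}; fail closed")
    if country in boundary:
        return Decision(True, f"{region} ({country}) is inside {dataset.jurisdiction}")
    if dataset.subject_consented_transfer:
        return Decision(True, f"{region} ({country}) is outside {dataset.jurisdiction}, "
                              "but the data subject consented to the transfer")
    return Decision(False, f"{region} ({country}) is outside {dataset.jurisdiction} "
                           "and no consent is recorded")


def access_allowed(user_country: Optional[str], permitted_countries: Set[str]) -> Decision:
    """Constraint-based access control: validate the user's location before authorizing."""
    if not user_country:
        # A missing or unresolvable geolocation must deny, not silently allow.
        return Decision(False, "no geolocation available; fail closed")
    if user_country not in permitted_countries:
        return Decision(False, f"access from {user_country} is not permitted")
    return Decision(True, f"access from {user_country} is permitted")


def evaluate(dataset: DataSet, region: str, user_country: Optional[str],
             permitted_countries: Set[str]) -> Decision:
    """Both constraints must hold: the data stays in-boundary and the user is in an allowed location."""
    storage = storage_region_allowed(dataset, region)
    if not storage.allowed:
        return storage
    return access_allowed(user_country, permitted_countries)


if __name__ == "__main__":
    hr_records = DataSet("hr-records", "EU_EEA")          # constructed sample dataset
    for region in ("eu-west-1", "us-east-1", "mars-1"):
        d = storage_region_allowed(hr_records, region)
        print(f"store {hr_records.name} in {region}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    for where in ("DE", "US", None):
        d = evaluate(hr_records, "eu-central-1", where, {"DE", "FR", "IE"})
        print(f"access from {where}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

The geolocation passed to `access_allowed` would normally be derived from the client's IP address or a device attribute; that is one signal, not proof of location, so a production policy treats it as a constraint alongside authentication strength rather than a replacement for it. Note the fail-closed branches: an unknown region or a missing location is denied rather than assumed safe.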