Jurisdictions around the world, including the European Union and Canada, are enacting laws and creating regulations forcing companies that collect personally identifiable information (PII) to store the data of their residents within their national boundaries. This concept is known as data residency and the idea is that local privacy laws will apply to data stored locally. Since privacy laws differ depending on the jurisdiction, it makes sense that Europeans, for example, want to be protected by their own laws. The problem is that data residency has never provided this kind of protection and recent court rulings in San Francisco and Canada highlight this fact.
Why Data Residency Fails to Protect Privacy
There are two main reasons why the location where private data is stored does not guarantee the privacy protection provided by local laws. The first is that data may cross borders when it is in transit or when it is processed. The second is that the data may be controlled by companies resident elsewhere and subject to foreign courts.
For example, if you send customer data to the cloud in Canada, the data likely goes through Internet nodes in the United States, even if it is finally stored in a Canadian data center. The Edward Snowden documents and some of the Wikileaks revelations have shown that American agencies routinely intercept Internet traffic, so your data could easily be compromised. Even if it is encrypted in transit, American authorities may be able to access the encryption keys. The same problem arises when data is processed. The Canadian data center may not have the capacities or capabilities required and the data may be sent elsewhere. Just because the data is stored in Canada doesn’t mean it is protected by Canadian privacy laws.
But the key issue for data protection is not data storage, transit or processing. It is data control or data sovereignty. In reality, the cloud services provider controls your data but for true data sovereignty, you need to take control of your data yourself.
For example, if an American cloud services provider offers you storage, processing, backup and additional services from a Canadian data center, you have Canadian data residency but Canadian laws apply in a limited fashion. That’s because the American company controls the data and is subject to American courts. If a third party such as a United States government agency wants access to your data and can get a court order, it can force the company to turn over your data.
Real Data Protection means that you control your data, not the service provider, and that you can prevent access that you don’t authorize.
Recent Court Rulings on Data Residency Protection
In rulings that show how data residency does not ensure data sovereignty, California courts have been ruling against Google. The company was first ordered to produce emails from a number of foreign accounts in June 2016 but argued that the emails were stored abroad and were therefore outside the authority of the United States courts.
In a new ruling filed on August 14, 2017, the court rejects that argument because Google personnel can access the emails from the company offices in the United States, bring the data to the United States and disclose it in the California jurisdiction. According to the court, no extra-territorial application of American laws is involved. When a court in the provider’s home country issues orders to turn over data, the provider has to comply. Just because your data happens to be stored in your country makes very little difference.
In a further example of a broad international application of a local ruling, the Supreme Court of Canada ruled that Google has to de-index a counterfeiter’s web pages world wide, not just in Canada, because the counterfeiter’s activities would materially damage a Canadian company. The court argued that, “the Internet has no borders.”
Data residency, or where data is stored, no longer matters in an Internet without borders.
If you rely on borders and local jurisdictions to protect your data, the PII of your customers, employees and partners may be compromised and that will be your responsibility, not that of the service providers or the government.
Protecting Your Data
To achieve fully effective data protection, you have to take control of your data and stop relying on third parties such as the cloud services providers. CloudMask can encrypt your data using dynamic data masking to render data inaccessible from the time it leaves your device to the time an authorized individual reads it. The encrypted data can’t be read by anyone, not cloud service provider personnel, not government agencies who obtain it via a court order or even your in house IT people. Data encrypted with CloudMask can travel anywhere and be stored locally or abroad without being compromised and you can be sure that your Data is safe and protected.
With CloudMask, only your authorized parties can decrypt and see your data. Not hackers with your valid password, Not Cloud Providers, Not Government Agencies, and Not even CloudMask can see your protected data. Twenty-six government cybersecurity agencies around the world back these claims.
Watch our video and demo at www.vimeo.com/cloudmask
