What is data sovereignty? In essence, wherever your digital information is stored, it is subject to the laws, or legal jurisdiction, of the country in which it resides.
So, does that mean if all of your data resides in New Zealand, the only law to be concerned with is New Zealand law? The answer depends on what organization stores it. Be aware that, if your data is stored by a U.S. company or a subsidiary of a U.S.-based company, your data will likely be subject to the Patriot Act, even if it resides in New Zealand.
The USA PATRIOT Act of 2001, and the US PATRIOT Improvement and Reauthorization Act of 2005, permit U.S. government agencies to access any information stored within the U.S. legal jurisdiction without your permission or notification to you. This includes data held by any U.S. organization which may hold your data in a country other than the USA.
As a practical matter, however, the U.S. government is usually only interested in information relating to tax evasion, criminal acts and threats to national security. However, it is a sobering thought to consider that data residing in a U.S. company-owned data centre in New Zealand is accessible by the U.S. government.
A second reason to worry about data sovereignty is civil litigation. If you have a commercial conflict, your opponent’s access to your digital data will depend upon the discovery rules applicable to the country in which your data is held.
If your data is held by a service provider located in Singapore, for example, you will need to understand Singapore’s law, not New Zealand’s law, in this regard.
Of course, access to data with respect to data sovereignty does not relate to the question of who owns the data. Ownership of data is a different matter.
If you do not know where your data resides, you should find out for your own protection. You will also need to understand how many parties hold your data.
For example, a New Zealand-based provider may appear to hold your data in New Zealand. However, the provider’s services may have been “white labeled” with the service actually performed by others, who may be located in other legal jurisdictions.
If a service provider allows another company to rebrand their service as if it were the cloud vendor’s own service, it is called “white labeling”.
There may be multiple parties involved in delivering the service. Each link in the supply chain may have different legal jurisdictions to consider. The opaqueness of the legal relationships must be clarified if you expect to sleep well at night. If you do not know what parties hold your data and where it resides, a problem looms.
By contrast, if you use a New Zealand-owned cloud service provider, who performs the service within New Zealand, your legal jurisdiction is, generally speaking, New Zealand.
As always, caveat emptor applies. If you don’t do your due diligence homework, you may well regret it.
– Dr Michael Snowden, Managing Director
Download PDF, as featured in IT Brief, August 2013