Data Sovereignty and the Cloud

Data sovereignty is the concept that digital data is subject to the laws of the country in which it is collected.

SaaS (Software as a Service) and Cloud storage services have dramatically increased in popularity in recent years, but their use often entails international data transfers, which can result in major compliance challenges for users and providers.

This is particularly true when it comes to compliance with the EU GDPR (General Data Protection Regulation) and the Directive on Security of Network and Information Systems (NIS Directive)/NIS Regulations.

The EU GDPR applies to the processing of EU residents’ personal data, regardless of where that processing takes place. Moreover, it applies to both data controllers and data processors, so, whether your organisation uses or provides a Cloud service that processes EU residents’ data, you must comply.

If you are not GDPR compliant, you risk regulatory fines of up to €20 million or 4% of global annual turnover (whichever is greater), legal action from aggrieved data subjects, and reputational damage in the case of a breach.

Learn more about GDPR compliance

Chapter V of the EU GDPR states that personal data can be transferred outside the EU under two circumstances:

1. Based on an adequacy decision (Article 45).
2. When subject to appropriate safeguards (Article 46).

(There are also several derogations for specific circumstances, which are listed in Article 49.)

1. Adequacy decisions

As under the EU GDPR’s predecessor, the Data Protection Directive 1995, transfers of personal data to a third country (i.e. one that is not an EEA member), a territory or an international organisation may take place only if the European Commission has decided that there is “an adequate level of protection”.

On 28 June 2021, the European Commission announced that it had adopted an adequacy decision in respect of the UK’s post-Brexit data protection regime.

This means personal data can continue to flow from the EEA to the UK, without the need for organisations to use SCCs (standard contractual clauses) or other means of ensuring that appropriate safeguards apply.

The UK’s data protection regime will be deemed adequate for four years, after which the adequacy findings will be renewed only if the UK continues to afford EU residents’ personal data an adequate level of protection, in line with the EU GDPR. If UK data protection law deviates from the EU GDPR to a significant extent, the Commission could withdraw the decision.

To date, the Commission has adopted 14 adequacy decisions – with Andorra, Argentina, Canada (for transfers to commercial organisations that are subject to PIPEDA (the Personal Information Protection and Electronic Documents Act)), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, the UK, Uruguay and the Republic of Korea.

2. Appropriate safeguards

If there is no adequacy decision, controllers or processors may transfer EU residents’ personal data to a third country or an international organisation only if they provide appropriate safeguards and “enforceable data subject rights and effective legal remedies for data subjects are available” (Article 46).

Appropriate safeguards may be provided by:

• Legally binding and enforceable instruments;
• Binding corporate rules (explained further in Article 47);
• Standard data protection clauses;
• Approved codes of conduct; or
• Approved certification mechanisms.

On 18 June 2021, the EDPB (European Data Protection Board) issued a set of recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. These apply to organisations that transfer EU residents’ data to countries without adequacy decisions.

The NIS Directive applies to operators of essential services and DSPs (digital service providers), which include providers of Cloud computing services such as SaaS, PaaS (Platform as a Service) and IaaS (Infrastructure as a Service). Enterprises with a turnover of less than €10 million do not fall under the scope of the Directive.

Article 16 of the Directive states that DSPs must “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services”.

These security measures should “ensure a level of security of network and information systems appropriate to the risk posed”.

DSPs must also “take measures to prevent and minimise the impact of incidents affecting the security of their network and information systems on the services [they offer], with a view to ensuring the continuity of those services”.

The European Commission’s Implementing Regulation, which sets out the rules for implementing the Directive, clarifies that the “appropriate and proportionate technical and organisational measures” noted in Article 16 can be managed under the guidance of standards such as ISO 27001 and ISO 22301:2012, which set out a best-practice approach to cyber resilience.

Find out more about cyber resilience

All of these requirements can be met with a robust cyber resilience posture that combines information security and business continuity best practice.

Find out more about the NIS Directive/NIS Regulations

Increasing numbers of companies are seeking certification to international standards as a way of demonstrating their compliance with the information security requirements of the GDPR and other laws that relate to data security and privacy.

ISO 27001 is the international standard that specifies the requirements of a best-practice ISMS (information security management system) that will help you implement the “appropriate” organisational and technological security measures required by both the EU GDPR and the NIS Directive.

ISO 27001’s companion standard ISO/IEC 27018:2019 provides specific control objectives, controls and guidelines to help organisations involved in Cloud computing protect personal data in public Clouds.

Find out more about ISO 27001

IT Governance’s Cloud security compliance readiness assessment and remediation consultancy service gives you an objective assessment of your compliance with the 14 CSPs (Cloud Security Principles), the CSA CCM (Cloud Security Alliance’s Cloud Controls Matrix) or the CSA STAR (Cloud Security Alliance Security, Trust and Assurance Registry).