As a practical matter, data sovereignty, the idea that data is subject to the laws and governance structures “only” or “exclusively” within the nation where it is collected or stored, is probably more accurately described as “data residency” in some cases and in some cases not sovereignty at all.
Governments can lawfully obtain some data, when prosecuting major crimes, for example. And how often does any bit of data reside “exclusively” within any one political jurisdiction, in any case?
While a country may assert that data stored within its borders is governed by its laws, in reality, data often resides in cloud infrastructure spanning multiple jurisdictions. can be subject to both General Data Protection Regulation and U.S. subpoenas under the CLOUD Act.
Mutual Legal Assistance Treaties (MLATs) and bilateral frameworks such as the U.S. CLOUD Act allow law enforcement access to data stored in other jurisdictions when investigating serious crimes.
These mechanisms sidestep national data sovereignty, creating pragmatic paths for lawful access, even if the data physically resides in a foreign jurisdiction.
If a local data center is operated by a foreign company (AWS, Google Cloud, Azure), that company may still be compelled to produce data under its home country’s laws.
So data residency becomes more symbolic than anything else, a bit of posturing, even if, under most circumstances, most data will not be subject to unusual or extraordinary access. In cases involving terrorism, money laundering, cybercrime, or child exploitation, governments often claim national security imperatives that justify sidestepping normal sovereignty considerations, and many observers might agree such practices are defensible.
So while “sovereignty” might still hold, in practice, for most data, the protections are not absolute.
No comments:
Post a Comment