Puneet Varma (Editor)

Data residency


A growing utilization of distributed computing resources across the globe, with data being regularly moved from country to country, causes a concern for the data owners that their data and the mechanisms of its movement may violate various international, national or local laws and regulations or expose such data to unintended access. These issues are collectively known as data residency.

This subject is broader than just the protection of personally identifiable information (PII). It also concerns the right to move "sovereign" data, such as oil field data; the international licensing of genomics data; the distribution of biometric data for security purposes; etc.

The growth of cloud computing solutions has heightened the concern of data custodians about the location of their data. However, even organizations that do not use cloud solutions are often exposed to data residency issues.

Types of Data Posing Residency Issues

The list of information that definitely or potentially poses data residency issues is rapidly growing due to the evolution of legislation around the world, and a rising awareness of the value of information about national resources around the world. The following list is therefore only a start:

  • Personally identifiable information (PII)
  • Patient health information (PHI), which is a type of PII
  • Information about national resources such as oil and gas deposits, which may be obtained, processed or stored by foreign private contractors or partners
  • Genetic data exchanged among international laboratories for scientific research purposes
  • Social media records
  • Electronic mail
  • Database records
  • Computer files

Residency, Sovereignty, Privacy and Security

One of the few comprehensive computer, internet and data security guides to deal with the subject of mass surveillance techniques and data residency is Gunnar's Basic Internet Security Guide, released in 2015 and provided to governments, corporations and the community free of charge. The guide was a direct response to Snowden's evidence of ongoing mass surveillance being conducted in part through the Internet. The book touches upon several aspects of data residency, sovereignty and security, including:

  • Corporate or government data assets (data of significant value) exposed to espionage or mining in foreign jurisdictions
  • Government and other sensitive plans and correspondence subjected to foreign mass surveillance
  • Security concerns that cloud-based, international social networking sites and applications provide the same intelligence and profiling information as spy agency dossiers once did

Potential Consequences of Data Residency Violations

Violations of data residency regulations, whether intentional or accidental, can expose the custodian of the data to:

  • Lawsuits by the individuals (information subjects) whose data was transferred in violation of the applicable law or regulation
  • Costs of compensating the victims if the violation resulted in damages to the information subjects
  • Lawsuits by the relevant enforcement authority
  • Fines by government agencies
  • Loss of the right to operate in certain countries (e.g., in the case of a service company that unlawfully exported data about national resources)
  • Loss of reputation
  • Loss of clientele
  • Cost of remedying the violation (such as the cost of setting up a data center in a country so that sensitive data from this country is not stored elsewhere)

Examples of Data Residency Issues

(to be completed)

Approaches to Resolving Data Residency Issues

In June 2015, the Object Management Group (OMG) created a Data Residency Working Group to explore how OMG can help address these issues through the development of new standards, for example to represent metadata about data sensitivity or residency constraints.

The European Union (EU) has some of the strictest privacy regulations in the world. All EU member states are required to have and maintain their own comprehensive privacy laws that protect individual rights against information collection and processing by the government and private entities. The EU has implemented momentous data privacy laws since 1995, when the Data Protection Directive became law. In April 2016, the EU adopted the General Data Protection Regulation (GDPR), four years after its proposal.

(to be completed)
