Five data sovereignty developments: how to manage the risk

Who should read this

If you are a European company official looking for ways to manage international data transfer risk, this article is relevant to you. It identifies five data protection trends for risk and security managers to consider. 

Data sovereignty and uncertainty

Data sovereignty is at the heart of many governments’ data protection concerns. Data sovereignty is the principle that data is subject to the legal protections and regulations of the country in which it is physically stored.

Five key trends for data-related risk are outlined in this article.

Key data protection trends

Customers increasingly care about how their personal data is used

Studies show that people increasingly feel a loss of control over their data and their ability to prevent companies from collecting information on them 1. One survey shows that a third of consumers were willing to switch companies over data or data-sharing policies 2. Many consumers increasingly care where their data is hosted and processed, and who has access to it.  

Businesses should decide how much they want to nurture customer loyalty and trust by protecting the security of their customers' data. They need to be open about how they use personal data. Businesses can no longer hide behind legal jargon buried in their terms and conditions.

Internet fragmentation is threatening international data transfers

Since 2019, the World Trade Organization (WTO) has been trying to negotiate rules governing cross-border data flows. However, widespread concerns about the disruption caused by free-flowing data have meant that, to date, half of the 184 member nations have chosen not to participate in the talks. These nations are not ready to develop shared rules.

International data flows will continue, but until a worldwide approach to data privacy regulation and exchange emerges, we will have to make do with a patchwork of competing regulations.

Businesses should accept that international data flows involve risk, which they can minimize by:

  • using the European Commission’s revamped Standard Contractual Clauses (SCCs) for international data transfers
  • minimizing data flows to countries that provide inadequate data protection
  • conducting Transfer Impact Assessments for countries operating inadequate data protection laws.

Data privacy law enforcement will return to a more punitive attitude

European Supervisory Authorities are baring their teeth. GDPR fines have increased. The five biggest GDPR fines in 2021 were:

  • Amazon – €746 million
  • WhatsApp – €225 million
  • – €10.4 million 
  • Austrian Post – €9.5 million
  • Vodafone España – €8.15 million 3.

Companies not adhering to GDPR face harsh consequences, including hefty fines, which need to be factored into their data transfer risk calculations. 

Businesses can manage this risk by documenting and communicating their security policies, and monitoring compliance.

Legal ambiguity will nudge companies towards more local data processing

On July 16, 2020, the European Court of Justice (ECJ) struck down the EU-U.S. Privacy Shield, a framework that facilitated the transfer of data between EU and US businesses. The decision to strike down the Privacy Shield stemmed from concerns over US surveillance systems.

Declarations made by EU and US officials at the end of 2021 give reason to hope that the adoption of a new Privacy Shield (Privacy Shield 2.0) is imminent. However, unless and until the EU Court of Justice rules in its favor, organizations are unlikely to rely on it, given the legal uncertainty surrounding it.

Considering the huge amount of ambiguity regarding international data transfers, businesses should question how necessary international data transfers are and move toward more localized data processing.

The US could get a GDPR-inspired federal privacy law

The IT market is dominated by US companies. US data privacy law comprises a patchwork of sector- and state-specific laws.

After decades in the making, a federal data privacy bill was released in June 2022. It resembles GDPR in its universal ambition, albeit with loopholes and exemptions. Experts are optimistic that it may be adopted within two years 4. The US would then have to apply to the EU Commission to be granted adequacy status. This could take years, if it happens at all.

Businesses should question how necessary international data transfers are and move toward more localized data processing.

Data globalization versus protectionism

Data sovereignty is caught between the forces of data globalization, which drives international data flows, and data protectionism (the creation of competing regional spheres of influence), which inhibits international data flows. These forces are depicted in Figure 1.

Figure 1: The forces of data globalization and data protectionism

“Companies design, produce, sell, and maintain the digital ecosystem, and states are dependent on these firms. But states have the power to regulate the digital space.” 
Luciano Floridi, Professor of Philosophy and Ethics of Information, University of Oxford 5

Predicting which forces will prevail is fraught with uncertainty. 

Reaching a global agreement on personal data protection standards is critical to international data flows, but progress is being made at a geological pace. EU/US data transfers will continue to be problematic for many years to come.

Summary recommendations for minimizing risk

European businesses should manage international data transfer risk by:

  1. minimizing and simplifying data flows
  2. using the EU-approved SCCs for transferring personal data
  3. considering whether it is worth developing Binding Corporate Rules (BCRs) for EU approval, since BCRs need to be approved only once
  4. lobbying the European Commission to speed up the BCR approval process, which currently takes 3-4 years without any deadline commitment 6.

If you are interested in managed service solutions that eliminate data transfer risk, come and talk to us.  

Important legal notice

The author of this paper has gold prospecting, baking, satellite imaging and cyber security experience in abundance, but no legal training. Every legal statement made in this paper should be verified.