- Sovereignty regulation is on the rise across the globe
- AI is likely to result in more stringent regulation
- Enteprises can prepare for shifting sands by thinking ahead and classifying their cloud data according to its sensitivity level
Data’s wild west days are over and done, executives from Google Cloud and Backblaze told Fierce. The name of the game now is data sovereignty, but what exactly that means in practice can depend on where you are. And regulations are only likely to get more stringent with the time and the rise of artificial intelligence (AI), they said.
“There’s no escaping digital sovereignty,” Archana Ramamoorthy, Google Cloud’s Sr. Director for Regulated and Trusted Cloud, said in an interview. She noted that while folks are likely already familiar with the European Union’s sovereignty regulations, movement toward similar regulation is starting to happen in India, Japan, Australia, the Middle East and a number of countries in Africa.
Indeed, data from the United Nations Trade and Development website indicates that 71% of countries across the globe have put into place legislation to protect data and privacy and another 9% are considering such laws.
“To say that interest is increasing is an understatement,” Chris Opat, SVP of Cloud Operations at Backblaze added. These days, the ability to provide data sovereignty has become “an operational table stakes requirement” for cloud players.
But that can be easier said than done. Why? Well, first there’s the issue of terminology. Data residency is different from data sovereignty and that in turn is different from digital sovereignty. The first refers to data’s physical location – that is just one element of data sovereignty, which also covers who controls the data. And data sovereignty is just one part of digital sovereignty policies which cover more than just the data itself, Ramamoorthy explained. Confused yet?
On top of that, you have the letter of the law for each country, which specifies the ways in which the government wants you to achieve residency or sovereignty and the penalties for failure.
As Opat noted, that patchwork can be intimidating for smaller startups like Backblaze, which operates in regulated markets like the Netherlands and Canada but doesn’t exactly have roomfuls of attorneys to comb through these laws. Instead, it relies on third party services to help ensure compliance – and the stakes are high.
Opat pointed to the €1.2 billion ($1.3 billion) fine Facebook parent company Meta received in May for violating the EU’s data privacy laws. “There’s a level of operational excellence you need to have,” he said. “When you look at these numbers, these agencies aren’t kidding around… It’s easy to see how missteps in this domain could potentially put a company out of business so it is something we take extremely seriously.”
Heart of the matter
According to Ramamoorthy, though customers have different definitions of “digital sovereignty” they all tend to have one thing in common: they want control over their assets.
For enterprises looking to do this, she said there are a couple key things they should be thinking about. The first is what industry they’re in and what specific additional regulations might apply to their data (looking at you, financial services and healthcare). The second is the company’s growth plan. Those eyeing expansion into new countries should consider the regulator needs and go with a flexible architecture that will allow them to adjust to meet new requirements as they arise.
Ramamoorthy said looking ahead, digital sovereignty will only become more important – and likely more stringent – with the rise of AI. And it will be interesting to see how governments balance the desire to keep data private with the drive to use AI to advance their economies.
“I think culturally countries are evolving,” she concluded. “Sovereignty is here to stay, it’s not something that’s going to go away, but the definition of sovereignty might change. So customers need to think about the kind of data and assets they’re trying to move to the cloud and classify them accordingly as low sensitivity data, medium sensitivity data and high sensitivity data.” Doing so, she said, will make it easier for them to keep up as the regulatory landscape evolves.