Through which legal jurisdictions does it pass?
Even if systems are not storing data, or we're not sure if they're storing it, we should be mindful of the ‘citizenship’ of data. Depending on where data is gathered, manipulated, and/or consumed, different rights may apply. Sometimes those rights are even applied retroactively by policymakers who didn’t anticipate present usages.
This is where examples like GDPR (global data protection regulations) or California's privacy laws come in. These policies afford certain rights to the generators or disclosers of the data and impose restrictions on that data’s use. Companies who did not store metadata on where data came from, or who did not establish consent or have the ability to reaffirm user consent had to abandon or destroy data in their systems.
Some jurisdictions award or grant their citizens a “right to be forgotten” or revoke their data. But what if you're Google and you have data about someone in thousands, or even millions, of locations around the world? How do you revoke that data, bring it back, and properly delete or dispose of it? While there are technical solutions, they only work if there is accurate data taxonomy and logging.
The critical question to ask here is: "What sovereignties does our data pass through, and what are their laws?"
When acquiring and distributing data, it is important to note the legal jurisdictions the data might 'pass through' or where it may be stored. This concept is referred to as Data Sovereignty, and requires thinking about data in the cloud as an object, passing from physical server to physical server.
There are several parties interested in maintaining proper data security, governance, and individual privacy, among them:
Governments have a vested interest in the governance of data that passes through their jurisdictions—partly to guard against fraud (and therefore protecting economic interest) but also to protect the civil liberties of their citizens.
This ensures that their citizens' data is housed only within their legal jurisdiction to ease the process of criminal investigations.
Businesses generally carry the labor of Data Sovereignty and have several economic interests in doing so. Transparently broadcasting the care with which you handle your user's data can build trust with your customer base, while failure to comply with the obligations of each sovereignty through which the data passes can be expensive.
Last year, Google was fined an enormous 50 million euros (approximately $57 million)—not for selling or leaking information, but for failing to properly give users information about and agency of their personal data. No company is too big to comply.
There are several guiding principles that dictate different country's and government's versions of Data Governance, and they often mirror the following areas, paraphrased from the EU's General Data Protection Regulations.
Be truthful about your intended uses at the point of collection, and be explicit in gathering consent. Implied consent does not exist in this (or any other) context.
Don't use that information for purposes other than stated. Omitting the truth is still lying.
Take what you need and ignore what you don't. In addition to cost and processing time overrun, it can also be a potential legal liability to collect data you don't intend to use.
Make reasonable efforts to ensure that the information you collect is correct and up to date. While this provides obvious advantages in later analysis, this also ensures that the data can be recalled and destroyed if necessary.
Data must be physically stored inside the jurisdiction it's disclosed in, and should only be stored for a limited time.
Every step of the data supply chain must be adequately protected against malicious or accidental loss or processing. In short: data at rest must be secure, and data in motion must be encrypted.
Any person or entity holding data is ultimately responsible for protecting and respecting it.
Laws and policies at global, regional, and local levels govern how information about users may be stored and accessed, and by whom. Each law and policy has embedded within it certain ways of thinking (or mental models) which do not necessarily translate well across borders.
Another layer of complexity is added because some of the laws attempt to dictate what must happen in another jurisdiction, causing predictable confusion and conflict. The most notable of these laws is the GDPR. While personal data protection legislation has existed since the 1990s, the GDPR was ratified to harmonize various data governance policies throughout the EU.
What sets GDPR apart from previous legislation is that it crosses borders, setting a precedent that information was property and remained personal property, regardless of its current handler or location.
Effective November 1st, 2021, China is implementing the Personal Information Protection Law (PIPL), which shares many characteristics with GDPR.
There are similar restrictions on where and how the data must be securely stored and removed. However, PIPL is even more strict on aspects of user consent and 'lawful cause' -- the business reasons a company is even allowed to retain user data. In addition to gaining consent for retaining user's data, separate user consent must be gained if the information crosses into other data governance jurisdictions. Additionally, to even begin the process of data collection, the company or service must have a legally permissible basis for processing that data (lawful cause), such as:
Countries are not the only entities exercising sovereignty over their citizen's data. In 2018, California passed the Consumer Privacy Protection Act (CCPA), which is similar to the GDPR. While they both ensure the user's rights to be informed, to access the collected data, and to delete it on request, the CCPA also allows a user to opt-out of data collection and demands more notices of any collection attempts. Additionally, whereas GDPR affects anyone that collects data, the CCPA is primarily concerned with businesses that meet a certain threshold of size or reach. (In a further twist, San Francisco, a Californian city, enacted their own data protection regulations—but with language which appears to sometimes conflict with Californian law). California is not the only state enacting its own privacy laws. Over half of the United States is in the process of drafting and ratifying privacy protection regulation.
Implementation of these various laws depends on the jurisdiction in which data is housed and where that data originated. This can mean restrictions for companies regarding which physical servers they use to store the user's data.
In response to an administrative review of The Patriot Act's interactions with personal information, Canada implemented a data governance policy known as The Personal Information Protection and Electronic Documents Act (PIPEDA). This policy dictates companies must keep Canadian users' information on Canadian servers. This information includes basic data about the user like name, age, and income. But it also includes data the user produces -- such as comments and opinions produced online, credit and transaction records, and employment information on job seeking sites. Some provinces go further and restrict the flow of highly sensitive data like health and banking information from freely leaving the province.
Additionally, data governance laws can dictate what happens in other countries. GDPR obliges any entity doing business in the EU to strictly abide by their data governance laws regardless of where that data is housed or processed. Failure to comply can result in millions of dollars in fines or restrictions on their ability to conduct business within Europe. Similarly, the PIPL requires companies have a business entity present within China before they can begin the process of data collection.
While protecting user data and ensuring secure business transactions has apparent benefits, complying with these requirements can be difficult—especially for smaller companies and individuals unfamiliar with basic metadata and data attributes. Non-compliance can lead to fines, lost labor, and the exposure of sensitive data resulting in embarrassment and fraud.
Additionally, as more countries and municipalities enact their own privacy restrictions, operating within the parameters of overlapping and sometimes conflicting directives becomes increasingly difficult. For this reason, it is essential to know from the start where your data is coming from and where it will reside.
However, it's not impossible. To operate in a global digital context, it is crucial to understand what data is and the difference between data at rest and data in motion. Understand that your user's information is their personal property, treat it respectfully, and operate in good faith.