Data protection and data sovereignty are increasingly important in the digital economy, so much so that there is even a Data Privacy Day, celebrated every January 28th since 2007.
Why is it so?
Because as data becomes more and more valuable for individuals, organizations and institutions, data sovereignty, protection and privacy have become key aspects for building trust and creating added value.
Due to the leading role of data in our modern economy, data protection and data privacy have become an essential right. As a result, data sovereignty measures have also been adopted around the world to protect citizens’ data. It goes without saying that this proactive approach to data management benefits not only individuals but also companies and nations.
What is data protection?
Data protection refers to the process of safeguarding important, confidential and personal data to prevent it from getting corrupted, compromised or lost. It is also known as data privacy and information privacy.
Data protection also consists of ensuring that data is only accessible for authorized purposes and that it can be restored in the event of being rendered unusable or inaccessible for some reason. In this regard, Disaster Recovery solutions are also on the rise.
During the past years, many countries and regions have passed data protection regulations. The European Union’s General Data Protection Regulation (GDPR) is one of the most well-known rules, but there are many others, such as the Privacy Act in Canada or the General Personal Data Protection Law in Brazil (Lei Geral de Proteção de Dados Pessoais in Portuguese).
Data Privacy Day
Data Protection Day, or Data Privacy Day, has been celebrated internationally on January 28th since 2007. Its goal is to promote best practices and raise awareness about the importance of protecting personal and confidential data. This day commemorates the first legally binding international instrument on data protection, adopted in the Council of Europe’s Convention 108 on January 28th, 1981 in Strasbourg.
Convention 108 and 108+
The Convention 108 or “Convention for the protection of individuals with regard to the automatic processing of personal data” is the first legal instrument created to protect individuals against abuses derived from the collection and processing of personal data. It also regulates the transborder transfer of personal data to geographical locations that do not provide an equivalent legal protection. This convention was updated in 2018 as Convention 108+.
What is data sovereignty?
Data sovereignty is a concept that refers to the fact that data processed by an organization is subject to the laws and regulations of the country or region where it is located.
That is to say, businesses must comply with data privacy regulations, guidelines and best practices within their location or the location where they provide their services. Data sovereignty also refers to the organizations’ ability to operate independently and to protect their data against potential interferences.
During the last few years, many governments have passed laws regarding how data is stored, protected and used, not only to protect their citizens’ data but also to prevent other nations from acquiring it, since data regulations also limit how businesses and organizations can transfer personal data abroad.
On this matter, the European regulatory framework, which limits personal data transfer outside the European Union, has become a standard and is a step forward with respect to data sovereignty.
Data protection and sovereignty are important aspects to consider when migrating to the cloud. When outsourcing their IT infrastructure, companies must know where their data is hosted and rely on services and data centers that enable them to comply with the regulations of the locations they are operating in.
Why is data sovereignty important?
Data sovereignty is important because it helps countries to protect their citizens’ and companies’ private and confidential data, as well as to prevent other countries from acquiring that data. Data privacy protection is more important than ever and companies must ensure their customers’ and employees’ sensitive data is safe wherever that data is stored and shared.
Data sovereignty vs Data residency
When talking about data sovereignty, the concepts of “data residency” and “data localisation” often come up in the conversation. So, let’s see what the difference is between data sovereignty, data residency and data localisation.
- Data residency refers to the geographical location where organizations specify their data is collected, processed and stored.
- Data localisation refers to the fact that data must stay within the borders of the country or region where it was created.
- Data sovereignty refers to the fact that data is also subject to the laws and regulations of the country or region where it is physically stored.
What is digital sovereignty?
Digital sovereignty, also known as “technological sovereignty”, is the ability of a State or region to control its digital resources, keeping them away from external influences.
Digital sovereignty in the European Union is seen as a strategic matter in order to strengthen the EU’s role in the digital economy, promoting and protecting the Union’s fundamental values. The concept of digital sovereignty is focused on achieving a lower dependence on overseas infrastructures, platforms, Internet access points, etc.
Digital sovereignty vs data sovereignty
Both concepts highlight the importance of protecting data and digital assets against potential external interference. However, while digital sovereignty focuses on the ability to keep control of digital and technological resources, data sovereignty focuses on the compliance with data regulations and guidelines within the geographical locations businesses operate in.
EU Digital Strategy
The EU’s digital strategy is focused on strengthening European digital sovereignty as well as on setting standards. In order to create a strong, competitive digital economy, it focuses on aspects such as:
- Boosting the growth potential of the digital economy, while adopting technologies that respect European values.
- Empowering citizens to be aware of how they act and interact with data, both online and offline.
- Building a climate-neutral and resource-efficient economy.
- Improving access to digital goods and services across Europe, both for consumers and businesses.
- Supporting the development, deployment and adoption of a trustworthy Artificial Intelligence.
Europe’s Digital Decade
Europe’s Digital Decade framework aims to guide the digital transformation of the European Union, focusing on four areas: connectivity, digital skills, digital businesses and digital public services, thus enabling everyone to leverage the opportunities and benefits of the digital society. The framework includes:
- Targets or measurable goals regarding the aforementioned areas. The main goals can be summarized as follows:
  - A digitally skilled population and highly skilled digital professionals.
  - Secure and sustainable digital infrastructures.
  - Digital transformation of businesses.
  - Digitalisation of public services.
- Objectives that help guide Member State actions.
- A policy programme to allow reaching the Digital Decade targets and objectives, enabling collaboration between the EU and Member States.
- Multi-country projects to allow Member States to pool investments and launch cross-border projects.
- Rights and principles that reflect European Union values.
Goals for 2030
The list of goals to be achieved by 2030 includes, but is not limited to:
- 100% of essential public services should be available online, both for citizens and businesses.
- 100% of European citizens should have access to electronic health records.
- 75% of EU enterprises should use cloud services, Big Data and Artificial Intelligence (AI). It is worth noting that in 2021, the European Union’s cloud adoption rate among enterprises was around 41%.
- At least 80% of Europe’s population should have basic digital skills.
Digital Services Act and Digital Markets Act
The Digital Services Act (DSA) and the Digital Markets Act (DMA) are legislative proposals by the European Commission, playing an important role within the European Digital strategy. The DSA and DMA form a package of new rules applicable across the whole European Union to create a safer, more competitive and open digital space.
EU Data sovereignty regulations
Following the release of their main regulation in 2016, the General Data Protection Regulation (GDPR), the European Union is a leader in data protection worldwide. After this regulation, the EU has passed other laws such as the free flow of non-personal data (FFD) in 2018 and the EU Cybersecurity Act and the Open Data Directive in 2019.
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) unifies data protection regulations within the European Union. It establishes strict rules on how EU citizens’ personal data must be stored, collected and processed, both within and outside the European Union. The GDPR entered into force in May 2016, establishing May 2018 as the deadline for Member States to put it into effect. This regulation replaced the 1995 European Data Protection Directive.
The GDPR applies both to data controllers — organizations using cloud services that process EU citizens’ data — and data processors — organizations providing cloud services that process EU citizens’ data.
The Data Protection Law Enforcement Directive (LED)
The Data Protection Law Enforcement Directive (LED) is a piece of legislation that establishes rules on the processing of personal data by criminal law enforcement authorities and on the free movement of such data. It entered into force in May 2016, establishing May 2018 as the deadline for Member States to put it into effect.
The regulation on the free flow of non-personal data (FFD)
The goal of the regulation on the free flow of non-personal data is to boost the benefits of the data economy. It is applicable from May 2019. The FFD contributes to the creation of a competitive digital economy within the EU. Together with the GDPR, it aims to guarantee the free movement of non-personal data across the Member States of the European Union.
The EU Cybersecurity Act
The EU Cybersecurity Act establishes an EU cybersecurity certification framework for digital products, services and processes, in addition to strengthening the EU Agency for Cybersecurity (ENISA).
The Open Data Directive
The Open Data Directive provides a common legal framework to facilitate the reuse of public sector information. It also aims to make high-value data available for reuse and strengthen transparency. It entered into force in July 2019.
The Data Governance Act
The Data Governance Act, adopted by the European Commission in November 2020, aims to boost data sharing across sectors and Member States to leverage the potential of data for the benefit of EU citizens and organizations.
The AI Act
The AI Act is focused on establishing rules for ensuring a trustworthy Artificial Intelligence that respects fundamental rights and democracy, while enabling businesses to leverage the opportunities and benefits it can bring.
To sum up, there is no doubt that data protection and data sovereignty are a priority nowadays.
The IT sector is continuously evolving and new trends and technologies such as cloud, IoT or AI are becoming increasingly relevant in our daily lives. A clear example of this is how cloud adoption among enterprises in the EU keeps growing. On this matter, the EU is making great efforts to protect digital sovereignty, and boost innovation and competitiveness within the European Union.
At Stackscale, data protection and security are a priority as well. That is why we always develop our products and services with security, privacy, transparency and efficiency in mind. Besides, we are proud to say that we opt for open standards and protocols to develop our Bare Metal and Private Cloud solutions, so that customers can keep greater control over their IT environment.