Data protection and data sovereignty are increasingly important in the digital economy — so much that there is even a Data Privacy Day, celebrated every January 28th.
Why is it so?
Because as data becomes more and more valuable for individuals, organizations and institutions, data sovereignty, protection and privacy have become key aspects for building trust and creating added value.
Due to the leading role of data in our modern economy, data protection and data privacy have become an essential right. As a result, data sovereignty measures have also been adopted around the world to protect citizens’ data. Although it goes without saying that this proactive approach to data management does not only benefit individuals but also companies and nations.
What is data protection?
Data protection refers to the process of safeguarding important, confidential and personal data to avoid it getting corrupted, compromised or lost. It is also known as data privacy and information privacy.
Data protection also consists of ensuring that data is only accessible for authorized purposes and that it can be restored in the event of being rendered unusable or inaccessible for some reason. In this regard, Disaster Recovery solutions are also on the rise.
During the past years, many countries and regions have passed data protection regulations. The European Union’s General Data Protection Regulation (GDPR) is one of the most well-known rules, but there are many others, such as the Privacy Act in Canada or the General Personal Data Protection Law in Brazil (Lei Geral de Proteção de Dados Pessoais in Portuguese).
Data Privacy Day
The Data Protection Day or Data Privacy Day has been celebrated internationally on January 28th, since 2007. Its goal is to promote best practices and raise awareness about the importance of protecting personal and confidential data. This day commemorates the first legally binding international instrument on data protection, adopted in the Council of Europe’s Convention 108 on January 28th, 1981 in Strasbourg.
Convention 108 and 108+
The Convention 108 or “Convention for the protection of individuals with regard to the automatic processing of personal data” is the first legal instrument created to protect individuals against abuses derived from the collection and processing of personal data. It also regulates the transborder transfer of personal data to geographical locations that do not provide an equivalent legal protection. This convention was updated in 2018 as Convention 108+.
What is data sovereignty?
Data sovereignty is a concept that refers to the fact that data processed by an organization is subject to the laws and regulations of the country or region where it is located.
It is to say, businesses must comply with data privacy regulations, guidelines and best practices within their location or the location where they provide their services. Data sovereignty also refers to the organizations’ ability to operate independently and to protect their data against potential interferences.
During the last years, many governments have passed laws regarding how data is stored, protected and used. Not only to protect their citizens’ data, but also to avoid other nations acquiring it. Since data regulations also limit how businesses and organizations can transfer personal data abroad.
On this matter, the European regulatory framework — limiting personal data transfer outside the European Union — has become a standard and is a step forward in respect to data sovereignty.
Data protection and sovereignty are important aspects to consider when migrating to the cloud. When outsourcing their IT infrastructure, companies must know where their data is hosted, as well as relying on services and data centers that enable them to comply with the regulations of the locations they are operating in.
Why is data sovereignty important?
Data sovereignty is important because it helps countries to protect their citizens and companies’ private and confidential data, as well as to avoid other countries acquiring that data. Data privacy protection is more important than ever and companies must ensure their customers and employees’ sensitive data is safe wherever that data is stored and shared.
Data sovereignty vs Data residency
When talking about data sovereignty, the concepts of “data residency” and “data localisation” often come up in the conversation. So, let’s see what’s the difference among data sovereignty, data residency and data localisation.
- Data residency refers to the geographical location where organizations specify their data is collected, processed and stored.
- Data localisation refers to the fact data must stay within the borders of the country or region where it was created.
- Data sovereignty refers to the fact that data is also subject to the laws and regulations of the country or region where it is physically stored.
What is digital sovereignty?
Digital sovereignty, also known as “technological sovereignty”, is the ability of a State or region to control their digital resources, keeping them away from external influences.
Digital sovereignty in the European Union is seen as a strategic matter in order to strengthen the EU’s role in the digital economy, promoting and protecting the Union’s fundamental values. The concept of digital sovereignty is focused on achieving a lower dependence on overseas infrastructures, platforms, Internet access points, etc.
The European Digital Strategy & the Digital Single Market
The EU’s digital strategy is focused on strengthening European digital sovereignty and on setting standards. In order to create a strong, competitive digital economy, the EU Digital Strategy focuses on aspects such as:
- Boosting the growth potential of the digital economy, while adopting technologies that respect European values.
- Empowering citizens to be aware of how they act and interact with data, both online and offline.
- Building a climate-neutral and resource-efficient economy.
- Creating a fair Digital Single Market where businesses can compete on equal terms and individuals’ rights are respected.
- Improving access to digital goods and services across Europe, both for consumers and businesses.
As for the European Union’s Digital Single Market, it is built upon 3 pillars:
- Access. Ensuring better access for consumers and businesses to digital goods and services across Europe.
- Development. Creating the right environment for digital networks and innovative services to flourish.
- Growth. Maximizing the growth potential of the digital economy.
Digital Services Act and Digital Markets Act
The Digital Services Act (DSA) and the Digital Markets Act (DMA) are legislative proposals by the European Commission, playing an important role within the European Digital strategy. The DSA and DMA form a package of new rules applicable across the whole European Union to create a safer, more competitive and open digital space.
The main goals of the Digital Services Act and the Digital Markets Act package are to:
- Create a safer digital space where the fundamental rights of all users are protected — fighting against disinformation, illegal content, etc.
- Ensure users can freely change providers and services, as well as benefit from fair prices.
- Boost and promote innovation, growth and competitiveness within the European Single Market.
- Prevent “gatekeepers” — large online platforms and companies — from abusing their power, thus creating a fairer environment for all businesses.
Europe’s Digital Decade: goals for 2030
The Digital Decade policy program aims to guide the digital transformation of the European Union. To do so, it defines a list of goals to be achieved by 2030. For instance:
- 100% of essential public services should be available online, both for citizens and businesses.
- 100% of European citizens should have access to electronic health records.
- 75% of EU enterprises should use cloud services, Big Data and Artificial Intelligence (AI). It is worth noting that in 2021, the European Union’s cloud adoption rate among enterprises was around 41%.
- At least 80% of Europe’s population should have basic digital skills.
As part of this program, in January 2022, the European Commission also proposed a declaration on digital rights and principles, focused on the following aspects:
- Human-centered digital technologies.
- Freedom of choice and user empowerment.
- Safety and security.
- Solidarity and inclusion.
- Participation and control over data.
- Sustainability and energy consumption awareness.
Data sovereignty laws in the European Union
Following the release of their main regulation in 2016, the General Data Protection Regulation (GDPR), the European Union is a leader in data protection worldwide. After this regulation, the EU has passed other laws such as the free flow of non-personal data (FFD) in 2018 and the EU Cybersecurity Act and the Open Data Directive in 2019.
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) unifies data protection regulations within the European Union. It establishes strict rules on how EU citizens’ personal data must be stored, collected and processed; both within and outside the European Union. The GDPR entered into force in May 2016, establishing May 2018 as the deadline for Member States to put it into effect. This regulation replaced the 1995 European Data Protection Directive.
The GDPR applies both to data controllers — organizations using cloud services that process EU citizens’ data — and data processors — organizations providing cloud services that process EU citizens’ data.
This regulation, although flexible for certain aspects, applies to all EU Member States, creating a common data sovereignty and protection framework within the region. Organizations must implement security and data collection and protection measures to protect EU citizens and residents’ private data in order to comply with the GDPR.
The Data Protection Law Enforcement Directive (LED)
The Data Protection Law Enforcement Directive (LED) is a piece of legislation that establishes rules on the processing of personal data by criminal law enforcement authorities and on the free movement of such data. It entered into force in May 2016, establishing May 2018 as the deadline for Member States to put it into effect.
The regulation on the free flow of non-personal data (FFD)
The goal of the regulation on the free flow of non-personal data is to boost the benefits of the data economy. It is applicable from May 2019. The FFD contributes to the creation of a competitive digital economy within the EU. Together with the GDPR, it aims to guarantee the free movement of non-personal data across the Member States of the European Union.
The EU Cybersecurity Act
The EU Cybersecurity Act establishes a UE cybersecurity certification framework for digital products, services and processes. In addition to strengthening the EU Agency for cybersecurity (ENISA).
The Open Data Directive
The Open Data Directive provides a common legal framework to facilitate the reuse of public sector information. It also aims to make high-value data available for reuse and strengthen transparency. It entered into force in July 2019.
The Data Governance Act
The Data Governance Act, adopted by the European Commission in November, 2020, aims to boost data sharing across sectors and Member States to leverage the potential of data for the benefit of EU citizens and organizations.
Some of the Data Governance Act’s goals are to:
- Increase trust in data sharing.
- Strengthen mechanisms to increase data availability.
- Overcome technical obstacles to the reuse of data.
- Support the development of common European data spaces in strategic domains.
To sum up, there is no doubt that data protection and data sovereignty are a priority nowadays. The IT sector is continuously evolving and new trends and technologies such as the cloud, the Internet of Things or AI are becoming increasingly relevant in our daily lives. A clear example of this is how cloud adoption among enterprises in the EU keeps growing. On this matter, the EU is making great efforts to protect digital sovereignty, and boost innovation and competitiveness within the European Union.
At Stackscale, data protection and security are a priority as well. That is why we always develop our products and services with security, privacy, transparency and efficiency in mind. Besides, we are proud to say that we opt for open standards and protocols to develop our Private Cloud solutions, so that customers can keep greater control over their IT environment.