2015 is going to be a major year for cloud computing. As the growth in cloud usage continues, governments are taking more and more interest in the security of personal data.
Herein lies a problem. It has become almost impossible to stop data from crossing over the lines on maps that separate one political entity from another. However, politicians want to be seen as exerting their will over important issues, and data sovereignty has become one such issue.
The EU's General Data Protection Regulation (GDPR) is due to roll out across member countries during 2015. The GDPR defines what is deemed to be personal data and sets fines for such data being compromised by any company with operations in the EU. The fines could reach up to 100 million Euros or 5% of worldwide revenues for the offending company. All data breaches will need to be fully documented and disclosed to the EU regulator, and a breach may include the transfer of such data outside of the EU.
In the US, data breach disclosure requirements are already in place. However, via the Patriot Act, FISA (and FISAAA) and the use of disclosure warrants, the US is attempting to extend its reach beyond its shores into other territories. Such actions would obviously break the EU's GDPR.
Although Asia operates essentially as a collection of separate countries, 2014 showed a marked move towards a more European style of data security. As the growing economies of China, South Korea, Malaysia and others drive the existing economies of Singapore, Japan, and Australia to change how they operate, each country is adopting data protection laws that it believes will enable it to compete effectively on the global stage.
So, where does this leave data sovereignty? It still looks like the overriding concern should be to partner with a cloud provider that has demonstrable capabilities around data security. Once that decision has been made, the need to maintain data in a specific geographic location can follow on. It's important to find a provider that understands technologies like data caching and content delivery networks (CDNs), which can place copies of data in other locations and so may violate data sovereignty rules.
Overall, data protection laws are still some way behind the actuality of data processing needs. Expect more change, and choose a provider that is prepared to deal with such change.