The coronavirus tracking apps introduced by governments worldwide to curtail the spread of the disease - and the ownership of the data they generate in particular - has sparked many new conversations among my peers around the sovereignty of data.

It’s a complex issue that is causing significant challenges for businesses, but at the same time exciting growth opportunities for data center operators in countries subject to increasingly stringent data laws.

With conversations becoming more frequent, HDR | Hurley Palmer Flatt Group set the stage – or rather, a virtual round table - for thought leaders to debate this complex topic more formally.

barbwire-1027029_1920 Erdenebayar Pixabay.jpg
– Pixabay / Erdenebayar

Data sovereignty goes mainstream

The debate around COVID-19 apps has made the fairly esoteric topic of data sovereignty much more mainstream. Critically, this is helping businesses understand, or at least give more thought to, where the data they collect is stored and which country’s laws it is subject to, especially as cloud services migrate across borders.

The proliferation of cloud services and apps means that businesses have to take a risk-first approach. They have to ask the questions, ‘Where is our data? Where is it being stored? What is it being used for? How is it to be used and who controls and governs it?’

A number of countries - particularly Russia, China, India, and parts of the UAE - have put in very draconian sovereignty laws, where data cannot go outside of their country; In the UK, the principle of the GDPR is that the data stays in the EU; And then you have this overlap on the rest of the world in the U.S. CLOUD Act, which is very difficult to fully comprehend.

As for the tracing apps, it is hugely significant that countries including the UK and Australia initially decided against but instead hoped to pool – and control - the information locally. Later the problems raised by this caused the UK to make a very public U-turn and opt for the Google-Apple technology.

As for the tracing apps, it is hugely significant that countries including the UK (originally, now changed in a government U-turn) and Australia have decided against using technology developed by Google and Apple, but to instead pool – and control - the information locally.

What is interesting is that they have deliberately tried to make sure they don't get bound up by data sovereignty and privacy issues. That’s the government saying, ‘We don't want this huge store of data going back to the US, we're going to try and keep it local’.

It potentially sets a worrying precedent. I suspect other developers of apps will look at this and say, ‘well, if we can make our data agnostic and independent of being clawed back by other countries in a similar way, then let's do it too’.

For our virtual round table, I was joined by some great minds across the other side of the world: my colleague in Australia, Peter Gaston, director of HDR Hurley Palmer Flatt; Matthew O'Rourke, National Regulatory Manager, Macquarie Telecom Group; Guy Danskine, Managing Director in Australia for Equinix; and David Vaile, Teaching Fellow in the Faculty of Law at the University of New South Wales.

Macquarie Data Centres, a subsidiary of Australian data center, cloud cyber security, and telecom business, Macquarie Telecom Group, has just announced the building of its latest facility, Intellicentre 5, in Canberra. It will serve the requirements of the Australian government as dependency on cloud services reaches an all-time high.

Embedded in the facility’s security considerations is data sovereignty, the company confirming in its media commentary that it has these bases covered by ensuring Australian control and access only by Australian government-cleared specialists.

Other countries are also looking to maintain stricter control of their data, and as such are creating new hotspots for data center development.

“In the APAC region we’ve seen a huge drive for both cloud providers and other data center colocation providers to expand into emerging markets,” said my colleague Peter Gaston. “It’s a twofold drive: one is to service those emerging markets and get a piece of that pie. But secondly, those safe havens where people traditionally built their data centres may no longer be appropriate because of requirement under data sovereignty for businesses to store their data in areas it originates. I think this is something that potentially we’re only just seeing the very beginning of.”

‘Edge’ data centers could also help businesses navigate sovereignty challenges by providing an alternative storage solution for businesses, or governments that want to split their data between facilities, he added.

“You might just have one rack with a bunch of servers that just deals with a small amount of data that cannot move anywhere else possibly because of ownership issues off site (while everything else could go into a cloud elsewhere). Sovereignty is undoubtedly one of the biggest things driving it.”

Guy Danskine, of Equinix, a major industry player with data centers in 55 markets worldwide, agreed, said ‘edge’ data centers presented a “huge opportunity as well as something to be thoughtful about.”

He said: “The greater the number of endpoints that organisations are trying to manage, the greater the surface area of risk. And that's why data sovereignty continues to present itself, especially as these endpoints need to aggregate in a certain location or certain region. You need to be considerate of the information that those endpoints may be carrying, or even just where it's traversing.”

Meanwhile, Matthew O’Rourke, from Macquarie Government, another subsidiary of Macquarie Telecom, said small businesses are increasingly moving away from co-location data centers in favor of cloud data storage, while enterprises are taking a hybrid approach, holding certain workloads in a public cloud, and more valued data sets in a sovereign cloud environment, within an Australian data center

Meanwhile, government data is decided on a department basis, with rigorous risk assessments conducted on the implications of going to a global cloud provider, he said.

However, the Australian government was forced to defend its decision when it launched its COVID-19 tracing app, with legal experts warning the contracted cloud provider could be subject to U.S. subpoenas under the CLOUD Act.

Matthew said “One of the biggest challenges we face as this issue develops is raising the capabilities of buyers to assess the technical risk that exists when there is a loss of sovereignty over sensitive government data.”

Lawyer and respected data privacy advocate David Vaile, left us with plenty to think about by the end of the round table, urging business to take a collaborative approach to weighing up sovereignty risk.

“You need three tribes: the lawyers, reluctantly, because they've got a big part to play in going through the fine detail; uou need the technologists; but you also need the people who are trying to make all this work - whether it's at the governance level, or the business opportunity level. You've got to be able to communicate between them all,” he said.