Public cloud has become an indispensable tool for enterprises to scale efficiently and store data. Because of globalization, however, enterprise data can be stored in datacenters situated in other geographic regions. This means data is not only governed by different regional laws, but it is also susceptible to cybersecurity attacks depending on the vulnerability of the datacenter.
In 2016, the European Union adopted the General Data Protection Regulation (GDPR), which became enforceable in 2018. As it is a regulation and not a directive, the GDPR is malleable with each member state of the union having a different version of the directive. The GDPR was an important stepping stone that guaranteed data privacy to EU citizens; since its enforcement, regional governments across the EU have collected fines of over €1 billion. It has also served as a framework for nations outside the EU to guarantee data privacy and security. The sovereign cloud builds on GDPR by enhancing the sovereignty of data originating from inside the region.
On July 16, 2020, the Court of Justice of the European Union (ECJ), in its Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (called the “Schrems II” case), invalidated the EU-U.S. Privacy Shield with immediate effect. In March 2022, both regions agreed with the court’s decision about new principles for “Privacy Shield 2” with the adoption of proportionate surveillance activities and an independent adjustment mechanism. However, many organizations based in Europe and the U.S. lacked a legal basis for their transfers of personal data.
The ISG white paper Exposure of Data in the Cloud Induces Greater Risk of Data Corruption and Data Theft explores the idea of a sovereign cloud and what enterprises, public institutions and service providers can do to protect themselves and their data in the cloud-first era.