Decrypted | Insights from Virtru to Unlock New Ideas

Data With Borders: The Future of Digital Sovereignty

Written by Matt Howard | Jul 20, 2022 8:41:25 PM

Denmark’s data protection agency ruled last week that Google Workspace suite — which includes Gmail, Google Docs, Calendar, and Google Drive — does not meet the requirements of the European Union’s GDPR data privacy regulations.  Specifically, regulators found that Google's data processor agreement (terms and conditions) allowed for relevant data to be transferred back to the US for the purpose of providing support, even though it is normally stored in one of Google’s EU data centers.  As a result of the ruling, Danish school systems will be prohibited from using Google Workspace to educate students, coordinate curriculums with teachers, and share information with parents.

Products like Google Workspace are fundamental to educating students in the modern world.  Furthermore, Google Workspace is an amazing platform that delivers tremendous value to thousands of schools worldwide, including Sussex Learning Trust, The Kemnal Academies Trust, and world-class universities like Brown University.  So, why did Denmark suspend Google Workspace from its schools?  Well, it's a complicated situation that comes down to two simple facts:

  1. The era of borderless data is ending.
  2. The era of digital sovereignty is beginning.

The Era of Borderless Data Is Ending

For many years, as the internet experienced explosive growth, data itself existed in a world without borders.  It was a highly dynamic and lightly regulated environment that enabled hyper-scalers like Google, Amazon, and Microsoft to create cloud platforms that delivered infrastructure and application services to billions of people around the world.  Eventually, other countries became uncomfortable with the fact that a small number of US-based cloud operators had control over massive amounts of data that originated from inside of their borders.  So they decided to do something about it.  And now, the era of borderless data is ending.

Today more than 50 countries are accelerating efforts to control the digital information produced by their citizens, government agencies and corporations.  Driven by security and privacy concerns, as well as economic interests and national pride, governments are increasingly setting rules and standards about how data can and cannot move around the globe.  The simple goal is to gain sovereignty over data, representing a tectonic shift in the global economy.  But, this shift did not happen overnight.  

Indeed, the era of borderless data began to decline in 2016 when the EU first enacted GDPR data privacy regulations.  These new regulations set into motion several years of sausage making which involved the US and its EU counterparts negotiating different "data sharing agreements" under which data could be legally transferred across sovereign borders from the EU to the US without violating the rights of European citizens.  Along the way, we witnessed Max Schrems, an Austrian privacy activist, persuade European Courts to strike down the EU-US "safe harbor" in 2015 (Schrems I).  Then, again, in July 2020, we saw Schrems convince the EU court that its successor agreement, the Privacy Shield, was also illegal (Schrems II).

The Era of Digital Sovereignty Is Beginning

Helped in part by GDPR and Schrems, "digital sovereignty" is an idea that has become increasingly popular over the past decade -- not only in western democracies, but in most countries around the world.  Indeed, in a world that can't agree on very much, most people seem to agree that citizens of sovereign countries should have ownership over their own data.  Simply stated, digital sovereignty is about respecting data – and carefully considering how other people's information and digital assets are treated.  The result is that countries around the world are taking steps to implement "digital borders" designed to enhance privacy and help them govern data as a sovereign asset.  These efforts have the following consequences: 

  • They create distinct legal environments whereby data is capable of being regulated by the country in which it was created, and 
  • They serve as an incentive for cloud service providers and technology innovators to build new data centers and develop new and innovative controls that make it easier to create clearly defined borders around data.

So are leaders in the technology industry listening?  The short answer is yes.

What the Hyperscalers Are Doing to Advance Data Sovereignty

Google

Despite yesterday's decision by Danish regulators, Google is actively responding to market demand for enhanced sovereign data controls.  One example is the recent introduction of innovative data encryption called Google Workspace Client Side Encryption (CSE).  This new capability helps customers strengthen the confidentiality of their data stored in the Google Cloud while addressing a broad range of data sovereignty and compliance requirements.  With CSE, Google gives customers direct control of encryption keys and the identity service of their choice to access those keys.  As a result, customer data stored in Google Cloud is indecipherable to Google, yet customers can continue to take advantage of Google’s world-class cloud-based collaboration suite.

Microsoft

In another example of large tech players heeding calls for advanced cloud controls to foster digital sovereignty, Microsoft yesterday launched a new service called, Microsoft Cloud for Sovereignty.  Microsoft states that this new solution will enable governments to operate workloads in the Microsoft Cloud in a manner that provides greater control over data so they can meet specific requirements for data governance, security controls, privacy of citizens, and data residency associated with regulations like GDPR.

AWS

Amazon AWS is also responding to the rise of digital sovereignty and market demands for improved data controls.  Specifically, in order to help European customers comply with GDPR, Amazon announced last year that it was strengthening commitments to challenge law enforcement requests for customer data that conflict with EU law.  Additionally, Amazon launched in July 2021 two new online resources to help customers complete data transfer assessments more easily and comply with GDPR. Collectively, these “Privacy Features for AWS Services" make it easy for AWS customers in other countries to understand whether their use of AWS services involve any type of data transfer.

How Innovation from Virtru Advances Data Sovereignty

Large cloud providers alone can not enable digital sovereignty without incremental capabilities supplemented by trusted third parties.  For example, in the context of Google CSE, the keys that are required to encrypt/decrypt data can not be managed by Google.  Otherwise, Google would have the power to decrypt and inspect the customer's data.  Therefore, in order to separate cloud data storage from data encryption,  Google has partnered with Virtru to provide key management services to joint customers.  Working together, Google and Virtru give organizations confidence that their data is always encrypted and Google itself would never have access.

More broadly, Virtru offers a collection of innovative data encryption and access control products that make it remarkably simple for people to share data without sacrificing privacy, ownership, or control.  Used by more than 7,000 customers worldwide, Virtru's end-to-end data encryption products are integrated elegantly into Google Workspace and Microsoft Office365 and enable organizations based in the EU to simultaneously adopt cloud computing and still meet guidance put forth by the European Data Protection Board (EDPB) for “sufficient supplementary protection to meet data sovereignty requirements". 

In summary, with Virtru end-to-end encryption and data access controls, customers can: 

  • Adopt global cloud services while meeting data sovereignty requirements.
  • Share data freely with third-parties without sacrificing ownership or privacy rights.
  • Maintain proper control of data that has been shared with them by others.
  • Ensure that sensitive data is accessed only by intended parties, and no one else.