Cross-Border Data Restrictions and Your Cloud Strategy
Companies with customers, supply chains, partners, and offices in multiple countries must understand the cross-border data restrictions of each country they are involved with.
A dizzying number of country-by-country (or country-union-by-country-union) data laws and standards have appeared since 2015, when an EU court threw out the idea that U.S. companies could self-certify their adherence to EU data protection standards. World leaders are still scrambling to understand the complications that the cloud introduces to the global nature of business today.
Multiple Regulations Add to Confusion
Without widespread standards, each country has adopted its own profile of regulations, based on its perception of how internal data residency affects jobs and the protection of citizens’ data. The U.S., for example, does not have a nationwide data protection law, but it does impose rights upon non-U.S. data in-country through the Patriot Act.
Government can be an imposing extra participant in the relationship between company and cloud provider, and its regulations can put a company in a no-win situation. For example, a government might request data from a company, but under the agreement with the cloud provider, that government may be seen as a third party to which user data cannot be provided without individual consent.
Some countries require some data captured by public institutions to be localized. Others require citizens' consent before their personal data can leave the country. Some countries extend this to all data. Some countries allow a free flow of data as long as it does not contain personally identifiable information (PII).