Martin Kienzle

Data Sovereignty - who controls consumer data?

Data sovereignty specifies who has what control over who can do what with data.

Much of the discussion about user data control and privacy revolves around data ownership. However, this term can be misleading.

The notion of ownership evolved over hundreds of years in the physical world where it applies to physical objects. These objects are well defined, can be created, traded, used, and destroyed. When they are replicated, the replicas acquire separate ownership as part of the creation.

Data differ in many ways. They can be replicated and transferred without impacting the original copy and often out of the control of the creators. On most data transfers, the originators lose control, and the data can then be used in ways with which the creators may or may not agree. This makes it difficult to define data ownership in the classical sense.

The term data sovereignty is more appropriate.

Data sovereignty has many facets and is far from legally settled. For businesses, access to data from consumer devices and the ability to exploit them creates tremendous value. For consumers, exposure of their data often involves the risk of serious privacy violations and identity theft when services’ web sites are hacked. Data collected from IoT devices usually are subject to complex privacy policies. These policies often appear to be written in ways to make consumers avoid reading them and to confuse them when they do. And most don’t give consumers choices, insisting on a “take it or leave it” approach.

There are few legal protections for personal data. Generally, data are subject to the laws of the country where they are collected and processed. Some countries require that data about their citizens be stored in-country, and local laws apply. The European General Data Protection Regulation (GDPR) is an example. Others are the California Data Privacy Act and the Australia Consumer Data Right. However, international conflicts can arise. The EU allows data to be transferred only to countries that have equivalent protections. An EU court recently decided that the US protections are not equivalent, invalidating the US-EU data privacy shield, the governing data transfer agreement. US law, on the other hand, gives its courts access to data managed by US companies regardless of where the data are stored, insisting on extraterritorial reach. The handling of personally identifiable (PII) data involves other complexities: someone could create PII data about somebody else. According to the GDPR, the creator has no right to the data, and the subject person would not even know of the creation.

Clearly, data sovereignty is an evolving concept!

