THOSE DEVOTED TO EVERYBODY ARE DEVOTED TO NOBODY
I am not a fan of politics, I regard big government with grave suspicion, I don’t see it practically possible for career politicians to be representative of anyone but themselves and I certainly don’t believe that politics should permeate into the civics of running things like city policing, fire services and the like. Quite similarly, I don’t believe that religion should either.
The recent incidents in the US have put a spotlight on nationalism, pride and the general discontent of certain factions of society with outcomes that they feel are the result of some invisible foreign power interfering in local matters.
The fact that some constituents chose to attempt a force to change what for many was considered inevitable is certainly regrettable, time will tell, but perhaps incidents like these are just the beginning.
So, in this piece I lay out a view on how data is being regarded with the exact same views of “keep it local, keep it close and keep it mine”.
in Companies that operate and exist internationally often have offices and data sprinkled across the globe and have the need to store data-at-rest in very specific regions to meet regional ‘data residency’ requirements.
Microsoft refers to this as a Multi-Geo capability, something that they offer with Office365. This was introduced in 2017 at Microsoft ignite to help multinationals address regional, industry-specific or organizational data residency requirements when working in Office365.
In March of 2019 multi-geo was offered by Microsoft for Exchange Online and OneDrive.
This need for multi-geo is relatively easily dealt with by companies at the great expense of investing in on-premise hosted applications by simply standing up resources in-country. When it comes to cloud-hosted applications it is actually quite tricky and complicated.
The need for multi-geo or geo-fenced cloud applications is becoming increasingly required as governments, third-party regulators, and corporate compliance requirements are enacted, dictating data residency policy.
These policies effectively provide instructions on the restricting of the free flow of data across borders and require that organizations store data about citizens and entities within defined geographical boundaries.
Implications for digital transformation
In some cases these policies completely preclude the possible use of cloud-based applications because of the absence of logic within the applications to accommodate handling the keep-it-local requirement or because the cloud application is not hosted on infrastructure in any way within a given geography.
These challenges are often presented to multi-nationals who then have to balance the benefits and efficiencies associated with digitally transforming their organizations by cloud-based solution adoption versus meeting the compliance requirements of global data residency needs. Cloud deployments are often viewed as an integral part of corporate digital transformation initiatives and accordingly they may be hampered by such a requirement.
The end result is that many businesses may land up stuck with managing on-premise data centres running isolated applications. The transformation initiatives, then only impact specific regions, business units and employees.
The data and knowledge silos that often exist as a result of localized and regional data and data centres and applications can then never be fully addressed and in the long term may retard innovation and business operations. There is also the added cost of not only hosting these solutions in-region but also supporting and managing the infrastructure.
Though we live in a hyperconnected world and data seems to flow relatively freely between the continents, the significance of data residency really only became a big issue relatively recently, so in many respects it is a new phenomenon.
Suggestions have been made that there was a particularly hard push for data residency policy after the Edward Snowden exposé of US counter-terrorism surveillance programs in 2013.
The many traits of data nationalism
Though there have been a number of restrictions in place in Islamic and communist countries for years (I experienced these in the middle East in the early nineties), many governments have aggressively started putting up more and more barriers and establishing more policies around the free flow of information across borders every year.
This Data Nationalism has often been driven by expressed concerns over personal privacy, security concerns, unauthorized or desired surveillance, and engagements in law enforcement and counter-terrorism. Governmental reactions have been principally to enact legislation that involves erecting virtual borders and logically segmenting the internet.
The first generation of Internet border controls sought to keep information out of the country, pornography, political ideology and copyright infringement. This next generation of Internet border controls seeks not to keep information out but rather to protect and hold data within the geographical borders of a given state.
A piece by Anupam Chander and Uyên P Lê at Emory Law entitled “Data Nationalism” makes interesting reading as it outlines the various restrictions imposed with countries ranging from Australia to Vietnam. Each of them having effected a wide range of different types of restrictions on the free flow of information between geographies.
The borderless medium
As is evidenced by the Microsoft new offerings, the implications of these restrictions and the accompanying logistical headaches are growing.
Many companies would have previously established business models and systems that have them collecting personally identifiable information from a global community and from all countries.
This is a problem if the systems and processes have been established in order to say capture local consumer data and provide service and support from a call center in another part of the world where call centre staffing is of a lower cost.
The general perspective seems to be that though data localization laws are often viewed as National governments’ futile attempts to assert sovereignty over a borderless medium, the reality on the ground is that these are far from futile attempts and they’re being enforced through whistleblower incentives and competitor squealing.
Most data localization laws have a narrow scope.
For example, requiring health or government data to be kept locally or for data to be at the very least replicated so that it can be inspected locally, some looser regulations like the EU’s GDPR directives, actually actively encourage data localization.
As a consequence, some data controllers may be choosing to store and process data within the borders of the EU in order to avoid being in breach of the strict requirements related to transferring personal data to non-EU countries as outlined by the Directive.
These new policies now force a company that collects personal data from customers in any given country to incur new or additional costs to process and house that data within the borders of that country.
A silvery lining
The story is not all bad though, some of the new laws theoretically carry advantages for the countries that enact them. Laws requiring data to be stored in-country might persuade a company to open an office or build or rent infrastructure in-country which would spawn local investment and even local jobs.
Citizen privacy laws often also reflect nationally-ingrained concerns about the use and abuse of personal data. In effect, data localization laws allow countries to assert their own national and cultural priorities over the use of citizen information, especially where there is a concern that these domestic values would be removed if the data was transferred to another country.
While it is often argued that the overly aggressive European privacy laws focus on a fear of facilitating misuse of citizen data by powerful and ideological entities like foreign, fascist or communist governments, forcing local data to be stored in-country may ultimately simply make it easier or more legally possible for governments to access citizen personal information to in fact persecute. marginalized groups in the name of national interests and cybersecurity.
Accordingly, we should be careful about what we wish for, the fear of a hidden hand and unseen enemy may blindside us into failing to recognise the Orwellian dystopia that was so well articulated in his book 1984.
For the product manager, this means special care and attention needs to be applied to considering just what data needs to be stored and where, particularly if the product is a hosted product. If you’re working in global markets the way you architect your application and the nature of the data that you store may force you to consider a model that is not cost optimal.
This is an update to a post I originally made on : it.toolbox in 2019
About the author
Clinton Jones has experience in international enterprise technology and business process on four continents and has a focus on integrated enterprise business technologies, business change and business transformation. Clinton also serves as a technical consultant on technology and quality management as it relates to data and process management and governance. In past roles, Clinton has worked for Fortune 500 companies and non-profits across the globe.