The concept of data sovereignty is currently a hot topic in Europe. This relatively new idea originated from a series of events and geopolitical changes that began in the early 2000s.
The issue of data control is emerging as a significant consideration, especially for companies strategizing future data management. This is particularly relevant for life sciences companies with global operations, such as clinical trial sponsors managing international multi centric sites or AI health techs building models on international data sources.

As computational power continues to advance (with Moore's law still applicable) and the volume of data expands, becoming crucial for precision medicine, it i's vital to understand the history and possible future directions of how nations plan to oversee and regulate data hosting and overall data management.

Data Sovereignty : History, geopolitics and the emergence of Big Tech

To grasp the origins of data sovereignty, we need to look at recent historical events and geopolitical developments that have shaped the current world :

On September 11, 2001, the United States experienced the most significant terrorist attack in its history, leading to the Bush administration enacting the PATRIOT ACT, initially intended as a four-year temporary measure.This legislation permitted U.S. agencies (FBI,CIA, NSA, Army) to access data of individuals suspected of terrorist links.


On July 10, 2008, the U.S. Government enacted the FISA Amendments Act, which authorized the collection, utilization ,and sharing of confidential data from non-U.S. citizens hosted on U.S. servers, with the only caveat being that the targets couldn't be U.S. citizens.  However, as revealed by Edward Snowden in 2013, these laws underpinned extensive espionage by the U.S. government, far exceeding the original legal permissions.
Despite this, the U.S. continued to implement regulations for data access, like the Clarifying Lawful Overseas Use of Data Act (CLOUD ACT) on March 23, in 2018 under the Trump administration, allowing judicial authorities to access electronic data stored on U.S. company servers overseas. More recently, in December 2023 lawmakers have reached an agreement to temporarily extend the Foreign Intelligence Surveillance Act.

Simultaneously, the global economy has been dominated by a handful of major players known as Big Tech (Google, Amazon, Facebook/Meta, Apple, and Microsoft), all U.S.companies, which together host more than 56% of the world's cloud data. This U.S.-centric data hosting trend, combined with increasingly intrusive U.S. laws, has prompted various countries to reconsider their reliance on this model and acknowledge the vulnerability of their data.

Hence, today, most majority of data are now hosted under the US laws and might be potentially accessible by US authorities without counterparts under the extra-territoriality principle. This leads to the creation of reflections around Data Sovereignty, Data Localization and Data Residency.

Differentiating Data Sovereignty, Data Localization, and Data Residency

The global response to data governance has centered around three fundamental concepts, each surrounded by its own set of regulations:

●   Data Sovereignty: This term refers to the need for data owners or controllers to be aware of and comply with applicable laws to prevent violations in data usage and processing. It requires data owners to account for their data in accordance with the laws of the location where it's held.

●   Data Residency: This concept pertains to the physical or geographical location where data is stored and processed. It emphasizes the importance of adhering to specific legal and regulatory frameworks that apply to the data's physical location. Data residency is particularly significant in cloud computing and international data transfers.

●   Data Localization: This involves the practice of storing and processing data within the borders of a particular country or region. Data localization imposes restrictions or requirements on organizations to keep certain data types within the jurisdiction where they were generated or collected. It is driven primarily by regulatory, security, and national interest considerations.

There is some overlap and ambiguity among these concepts, necessitating a theoretical effort to clarify them. The critical takeaway is that countries and regions are increasingly reluctant to allow foreign entities access to what is now seen as the new gold - data. Control over data is becoming synonymous with the ability to process it and the location of the hardware, which is key in avoiding the extraterritorial application of foreign laws.In essence, computation is becoming the new form of ownership.

Interestingly, while these concepts have been explicitly discussed by EU governments, they were first enacted by the US government - the FISA Amendments Act of 2008 is essentially the first data sovereignty law. The EU, realizing its precarious position between a US-dominated data hosting market and invasive US laws, responded somewhat belatedly.

The EU's approach, focusing on data privacy, led to the introduction of the General Data Protection Regulation (GDPR )in 2018. This regulation limited data flow between the EU and the US by setting higher protection standards for non-EU countries. The European Court of Justice further reinforced this by repealing the Privacy Shield agreement and demanding stronger protections from US data recipients in the Schrems II case.

 

The EU's Current Focus: European Cybersecurity Certification Scheme for Cloud Services (EUCS)

The EU is now aiming to establish the European Cybersecurity Certification Scheme for Cloud Services (EUCS) as part of its broader strategy.Originating from the EU's Cybersecurity Act, this scheme mandates the European Union for Cybersecurity (ENISA)  to develop an EU-wide cybersecurity certification framework for cloud providers. According to a leaked draft from POLITICO in August 2023, the EUCS outlines various compliance levels for Cloud Service Providers(CSPs) operating in the EU, categorized into four "assurance levels" (basic, substantial, high, and high+). These levels, defined by the risk associated with the cloud service's intended use and the sophistication of potential threats, set varying requirements based on the data's location and the governing law. Notably, stringent requirements like data localization would apply primarily to the highest assurance level, which concerns mission-critical data and systems.

The EUCS proposal has sparked intense debates among EU countries over the scope of data localization. France, with its national certification (SecNumCloud) and specific requirements like HDS hosting for French health data, is clashing with more "liberal" countries like the Netherlands and Germany, which are more open to US cloud providers. This situation led French MP  Latombe to criticize Germany for replacing its industrial dependency on Russian gas with a dependency on American digital companies. This ongoing debate has, ironically, benefited US cloud providers, who have quickly introduced new sovereign cloud services featuring technical components, control mechanisms, and security features that allow customers to implement stricter access restrictions.

Legitimate concern or excessive response?

 

Some groups argue that the European Union's concerns are based on an irrational fear, citing the recent U.S.legislation, the Cloud Act, as a point of comparison. Their argument highlights that the Cloud Act has several constraints on its power to demand data from foreign users. A key restriction is that any such demand must adhere to the rigorous requirements of the Stored Communications Act (SCA) and, where relevant, the Fourth Amendment of the U.S. Constitution.

However, these points are largely theoretical. In reality, the latest transparency reports from major technology companies indicate that the U.S. Government is effectively using FISA and CLOUD Act subpoenas.

 

Amazon's 2023 Transparency Report

 

Link to the scheme: https://www.enisa.europa.eu/publications/cybersecurity- certification-eucc-candidate-scheme/

 

Link to AWS’s Sovereign cloud: https://aws.amazon.com/fr/blogs/aws/in-the-works-aws-european-sovereign-cloud/

Consequences for the Life Sciences Industry Amidst Geopolitical and Technological Changes

The ongoing geopolitical and technological shifts pose significant challenges for international companies handling sensitive information, such as health data. While the evolving regulatory landscape currently brings more questions than answers, it is crucial for any company with international ambitions to seriously consider data hosting as a critical aspect of their operations.

●  Challenges for clinical trial Sponsors in the EU: If you are a clinical sponsor setting up sites in the EU, there's a high likelihood your activities will fall under the highest assurance level due to the handling of "particularly sensitive data" like health research data. This necessitates specific EU patient data hosting solutions, complicating data management across different databases (both international and EU-specific). This scenario could significantly increase the complexity for Contract ResearchOrganizations (CROs) in managing global clinical trials.

●  Implications for Healthtech and AI companies: These companies will need to segregate data right from the initial collection or reuse phase and potentially train models differently based on the data's origin. This approach is essential to comply with varying data regulations.

●  Strategic data considerations for all company sizes: Companies, regardless of their size, must adopt a holistic view of data management, thinking strategically and long-term. Factors like data availability, quality, and expertise for extracting insights are critical. Data localization and hosting could emerge as a significant challenge in any basic SWOT analysis.

● Technical challenges due to latency:A key technical issue for companies processing large data sets is latency. This delay in computation occurs when data is stored far from the user, caused by factors such as transmission time, propagation delay (the time taken for data to travel across networks), and routing and switching delays (data's journey through various network points).

 

Navigating these changes is essential for future success in the life sciences industry. The impact of data sovereignty concepts on this sector will be substantial and practical. The multi-million-dollar question is now about gauging the extent of this impact and preparing accordingly.

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified

Home

Discover our latest articles

View All Blog Posts
October 14, 2024
Clinical Trials
Guideline

Analyzing the Similarities and Differences Between ICH-GCP and GDPR in Clinical Trials

ICH-GCP and GDPR are vital for clinical trials, setting standards for participant protection and data integrity, with distinct focuses and enforcement approaches.

September 9, 2024
Biotech & Healthtech
Data Breach
Health Data Strategy

Comprehensive Cyber Insurance for the Life Sciences Industry

Cyber insurance provides coverage to businesses, including those in the life sciences industry, to protect against losses from cyberattacks, such as data breaches, ransomware, and other threats. For life sciences companies, which handle high-value intellectual property and sensitive data, tailored cyber insurance policies offer essential protection against financial, legal, and reputational damage while complementing existing cybersecurity measures.

August 7, 2024
Data Breach

UK data watchdog to fine NHS vendor Advanced for security failures prior to LockBit ransomware attack

The UK data watchdog is set to fine NHS vendor Advanced for security failures that occurred before the LockBit ransomware attack. These security lapses contributed to the vulnerability exploited during the attack.