The concept of data sovereignty is currently a hot topic in Europe. This relatively new idea originated from a series of events and geopolitical changes that began in the early 2000s.
The issue of data control is emerging as a significant consideration, especially for companies strategizing future data management. This is particularly relevant for life sciences companies with global operations, such as clinical trial sponsors managing international multi centric sites or AI health techs building models on international data sources.
As computational power continues to advance (with Moore's law still applicable) and the volume of data expands, becoming crucial for precision medicine, it i's vital to understand the history and possible future directions of how nations plan to oversee and regulate data hosting and overall data management.
Data Sovereignty : History, geopolitics and the emergence of Big Tech
To grasp the origins of data sovereignty, we need to look at recent historical events and geopolitical developments that have shaped the current world :
On September 11, 2001, the United States experienced the most significant terrorist attack in its history, leading to the Bush administration enacting the PATRIOT ACT, initially intended as a four-year temporary measure.This legislation permitted U.S. agencies (FBI,CIA, NSA, Army) to access data of individuals suspected of terrorist links.
On July 10, 2008, the U.S. Government enacted the FISA Amendments Act, which authorized the collection, utilization ,and sharing of confidential data from non-U.S. citizens hosted on U.S. servers, with the only caveat being that the targets couldn't be U.S. citizens. However, as revealed by Edward Snowden in 2013, these laws underpinned extensive espionage by the U.S. government, far exceeding the original legal permissions.
Despite this, the U.S. continued to implement regulations for data access, like the Clarifying Lawful Overseas Use of Data Act (CLOUD ACT) on March 23, in 2018 under the Trump administration, allowing judicial authorities to access electronic data stored on U.S. company servers overseas. More recently, in December 2023 lawmakers have reached an agreement to temporarily extend the Foreign Intelligence Surveillance Act.
Simultaneously, the global economy has been dominated by a handful of major players known as Big Tech (Google, Amazon, Facebook/Meta, Apple, and Microsoft), all U.S.companies, which together host more than 56% of the world's cloud data. This U.S.-centric data hosting trend, combined with increasingly intrusive U.S. laws, has prompted various countries to reconsider their reliance on this model and acknowledge the vulnerability of their data.
Hence, today, most majority of data are now hosted under the US laws and might be potentially accessible by US authorities without counterparts under the extra-territoriality principle. This leads to the creation of reflections around Data Sovereignty, Data Localization and Data Residency.
Differentiating Data Sovereignty, Data Localization, and Data Residency
The global response to data governance has centered around three fundamental concepts, each surrounded by its own set of regulations:
● Data Sovereignty: This term refers to the need for data owners or controllers to be aware of and comply with applicable laws to prevent violations in data usage and processing. It requires data owners to account for their data in accordance with the laws of the location where it's held.
● Data Residency: This concept pertains to the physical or geographical location where data is stored and processed. It emphasizes the importance of adhering to specific legal and regulatory frameworks that apply to the data's physical location. Data residency is particularly significant in cloud computing and international data transfers.
● Data Localization: This involves the practice of storing and processing data within the borders of a particular country or region. Data localization imposes restrictions or requirements on organizations to keep certain data types within the jurisdiction where they were generated or collected. It is driven primarily by regulatory, security, and national interest considerations.
There is some overlap and ambiguity among these concepts, necessitating a theoretical effort to clarify them. The critical takeaway is that countries and regions are increasingly reluctant to allow foreign entities access to what is now seen as the new gold - data. Control over data is becoming synonymous with the ability to process it and the location of the hardware, which is key in avoiding the extraterritorial application of foreign laws.In essence, computation is becoming the new form of ownership.
Interestingly, while these concepts have been explicitly discussed by EU governments, they were first enacted by the US government - the FISA Amendments Act of 2008 is essentially the first data sovereignty law. The EU, realizing its precarious position between a US-dominated data hosting market and invasive US laws, responded somewhat belatedly.
The EU's approach, focusing on data privacy, led to the introduction of the General Data Protection Regulation (GDPR )in 2018. This regulation limited data flow between the EU and the US by setting higher protection standards for non-EU countries. The European Court of Justice further reinforced this by repealing the Privacy Shield agreement and demanding stronger protections from US data recipients in the Schrems II case.
The EU's Current Focus: European Cybersecurity Certification Scheme for Cloud Services (EUCS)
The EU is now aiming to establish the European Cybersecurity Certification Scheme for Cloud Services (EUCS) as part of its broader strategy.Originating from the EU's Cybersecurity Act, this scheme mandates the European Union for Cybersecurity (ENISA) to develop an EU-wide cybersecurity certification framework for cloud providers. According to a leaked draft from POLITICO in August 2023, the EUCS outlines various compliance levels for Cloud Service Providers(CSPs) operating in the EU, categorized into four "assurance levels" (basic, substantial, high, and high+). These levels, defined by the risk associated with the cloud service's intended use and the sophistication of potential threats, set varying requirements based on the data's location and the governing law. Notably, stringent requirements like data localization would apply primarily to the highest assurance level, which concerns mission-critical data and systems.
The EUCS proposal has sparked intense debates among EU countries over the scope of data localization. France, with its national certification (SecNumCloud) and specific requirements like HDS hosting for French health data, is clashing with more "liberal" countries like the Netherlands and Germany, which are more open to US cloud providers. This situation led French MP Latombe to criticize Germany for replacing its industrial dependency on Russian gas with a dependency on American digital companies. This ongoing debate has, ironically, benefited US cloud providers, who have quickly introduced new sovereign cloud services featuring technical components, control mechanisms, and security features that allow customers to implement stricter access restrictions.
Legitimate concern or excessive response?
Some groups argue that the European Union's concerns are based on an irrational fear, citing the recent U.S.legislation, the Cloud Act, as a point of comparison. Their argument highlights that the Cloud Act has several constraints on its power to demand data from foreign users. A key restriction is that any such demand must adhere to the rigorous requirements of the Stored Communications Act (SCA) and, where relevant, the Fourth Amendment of the U.S. Constitution.
However, these points are largely theoretical. In reality, the latest transparency reports from major technology companies indicate that the U.S. Government is effectively using FISA and CLOUD Act subpoenas.
Amazon's 2023 Transparency Report
Link to the scheme: https://www.enisa.europa.eu/publications/cybersecurity- certification-eucc-candidate-scheme/
Link to AWS’s Sovereign cloud: https://aws.amazon.com/fr/blogs/aws/in-the-works-aws-european-sovereign-cloud/
Consequences for the Life Sciences Industry Amidst Geopolitical and Technological Changes
The ongoing geopolitical and technological shifts pose significant challenges for international companies handling sensitive information, such as health data. While the evolving regulatory landscape currently brings more questions than answers, it is crucial for any company with international ambitions to seriously consider data hosting as a critical aspect of their operations.
● Challenges for clinical trial Sponsors in the EU: If you are a clinical sponsor setting up sites in the EU, there's a high likelihood your activities will fall under the highest assurance level due to the handling of "particularly sensitive data" like health research data. This necessitates specific EU patient data hosting solutions, complicating data management across different databases (both international and EU-specific). This scenario could significantly increase the complexity for Contract ResearchOrganizations (CROs) in managing global clinical trials.
● Implications for Healthtech and AI companies: These companies will need to segregate data right from the initial collection or reuse phase and potentially train models differently based on the data's origin. This approach is essential to comply with varying data regulations.
● Strategic data considerations for all company sizes: Companies, regardless of their size, must adopt a holistic view of data management, thinking strategically and long-term. Factors like data availability, quality, and expertise for extracting insights are critical. Data localization and hosting could emerge as a significant challenge in any basic SWOT analysis.
● Technical challenges due to latency:A key technical issue for companies processing large data sets is latency. This delay in computation occurs when data is stored far from the user, caused by factors such as transmission time, propagation delay (the time taken for data to travel across networks), and routing and switching delays (data's journey through various network points).
Navigating these changes is essential for future success in the life sciences industry. The impact of data sovereignty concepts on this sector will be substantial and practical. The multi-million-dollar question is now about gauging the extent of this impact and preparing accordingly.
Sign up for our newsletter
We like to keep our readers up to date on complex regulatory issues, the latest industry trends and updated guidelines to help you to solve a problem or make an informed decision.
UK's NHS says hackers have published data stolen in ransomware attack
The UK's National Health Service (NHS) has confirmed that data stolen in a ransomware attack on Synnovis, a medical diagnostics service, has been published online, and the extent of the breach and its impact on patients is under investigation.
FTC Completes Updates to Health Breach Notification Rule for Health Apps
The Federal Trade Commission announced it has finalized changes to the Health Breach Notification Rule (HBNR) that will strengthen and modernize the rule by clarifying its applicability to health apps and other similar technologies and expanding the information that covered entities must provide to consumers when notifying them of a breach of their health data.
