Data Sovereignty: Threat to Cloud?
On June 22, Senegal’s President Macky Sall launched a national data centre which will host Senegal’s all government data and digital platforms in an effort to strengthen its digital sovereignty. The 70 million Euro data center has been financed with a Chinese loan and built with Huawei providing equipment and technical support. The first phase of the facility will be opened in six months’ time and it will offer hosting services to enterprises and other public bodies. The data centre will also tap into global networks through an undersea cable as well as the country’s own 6,000-km fibre optic network.
The new data center will be located at the Digital Technology Park in the city of Diamniadio. It will be managed by the state’s IT firm, State Informatics Agency (ADIE). The facility has a hosting capacity of 500 m².
On the 20 of May 2021, Telecom Paris and Netexplo officially launched the Technologies & Digital Sovereignty observatory, which aims to bring together companies and startups as well as political players. During the launch event, Digital Minister Cédric O said “There is no sovereignty without technological sovereignty”. The Minister will oversee the observatory and he also highlighted the national strategy for a “sovereign cloud” launched by the government earlier in May.
Digital sovereignty is becoming an increasingly important issue all over the world especially because the pandemic has accelerated the use of technology which has also led to people to be more aware of data protection and privacy issues.
In Kenya, the discussion on data sovereignty is still ongoing but the National Information Communications and Technology Policy Guidelines, 2020 paint a picture of the government’s direction. The first policy objective is to create the infrastructure conditions for use of always-on, high speed, wireless, internet across the country. This will be done by the government which promises investments in the infrastructure needed for work such as data centres.
The policy focuses on 4 key areas, namely: Mobile First, Market, Skills and Innovation then Public Service Delivery. On the Public Service Delivery front, the policy requires that Kenyan data remains in Kenya, and that it is stored safely and in a manner that protects the privacy of citizens to the utmost. The policy also states that all centres that hold public data must be a minimum of a level 2 Data Centre.
The Kenya Data Protection Act of 2019 has a chapter on conditions where a data controller or data processor may transfer personal data to another country. The conditions are:
- Adequate proof of safeguards has been given to the Data Commissioner with respect to the security and protection of the personal data
- The Data Commissioner have been given proof of the appropriate safeguards including jurisdictions with commensurate data protection laws
- Where the transfer is necessary according to the provisions of the Data Protection Act
The Act also states that the Cabinet Secretary may prescribe, based on grounds of strategic interests of the state or protection of revenue, certain nature of processing that shall only be
effected through a server or a data centre located in Kenya. This is where the provisions in the National Information Communications and Technology Policy Guidelines, 2020 come to play.
Data sovereignty is defined as the concept that data stored in the cloud is subject to the laws and regulations of the country or other jurisdiction that has authority over the relevant cloud infrastructure. It matters because of the issue of laws that apply to where the data is stored. An example is a company based in Burundi that uses public cloud servers located in Uganda will have its data subject to Ugandan law such the Data Protection and Privacy Act, 2019.
This brings forth complications especially with the wake of countries seeking data sovereignty. These efforts will definitely complicate business for cloud vendors. In continents such as Africa where there is no regional data protection law such as the General Data Protection Regulations (GDPR), vendors have a hard time complying with every country’s requirements. While a cloud vendor may ideally set base in a country with the most business friendly regimen such as Ireland in Europe, lack of uniform laws makes cross border data sharing harder.