Sovereign cloud: Protecting data in a complex regulatory environment

As the data economy flourishes, organisations must keep up with laws and regulations impacting data sovereignty and ensure they stay in compliance. Neil Stobart, VP of Global System Engineering for Cloudian looks at the five main data regulations impacting the UK, EU, and US at the moment and how organisations can meet these regulations.


This is a contributed piece by Neil Stobart, VP of Global System Engineering for Cloudian.

With data volumes increasing, it’s now common for data to be shared and stored across multiple jurisdictions. Though this can accelerate innovation and improve how we work, it also brings fresh concerns surrounding data sovereignty – a topic that’s come into the spotlight as we’ve become more aware of how organisations collect and store customer data.

In layman’s terms, data sovereignty is a legal principle which says that data is subject to the laws of the country in which it’s stored. It should be a key consideration for organisations that use the public cloud, as hyperscalers’ data centres can be located anywhere in the world.

A sovereign cloud, on the other hand, is cloud infrastructure that’s architected and built to comply with local laws on data privacy, access, and control – and to avoid any conflicting regulatory demands. In practice, this means storing data in the country it was collected or using ‘virtual data spaces’ to enable cross-border data sovereignty.

Building a sovereign cloud can be an effective way for organisations to comply with often conflicting data regulations.

Which data protection regulations apply to your organisation?

When an organisation operates across borders, complying with ever-changing data privacy regulations can prove challenging, as demonstrated by the current regulatory landscape in the UK, EU, and US.

IDGConnect_graphic_cloudian_suppliedart_data_regulation_global_2401x1201 Cloudian
  1. Schrems II (EU and UK)

Until mid-2020, the US and EU participated in a joint Privacy Shield Agreement. This allowed US companies to receive personal data from the EU if they adhered to EU standards on data protection and privacy. However, in July 2020, the Court of Justice of the European Union invalidated this agreement due to concerns about surveillance by US law enforcement agencies. This landmark ruling is known as Schrems II.

Schrems II requires EU companies to conduct individual assessments of each data transfer to a non-EU country. Although the UK has left the EU, Schrems II currently still applies in this jurisdiction. This compels UK companies to find alternative safeguards to the invalidated Data Protection Shield to protect data flows between the UK and US.

  1. GDPR (EU) and The DPA 2018 (UK)

The EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act (DPA) 2018 are both designed to ensure transparency and security around customer data. As a result, these regulations have implications for data sovereignty.

For example, under GDPR cloud providers must commit to only disclosing personal data based on legal requests made under EU law. For US-based hyperscalers, this creates a clear conflict with the US CLOUD Act (see below). Although hyperscalers can assure customers that their data will be stored within their chosen jurisdiction, they can’t guarantee complete protection from US law enforcement.

  1. The CLOUD Act (USA)

In 2018, the US Clarifying Lawful Overseas Use of Data (CLOUD) Act came into force. This legislation compels US cloud providers to hand over data to government or law enforcement agencies if requested via a warrant, subpoena, or court order – even if the data in question is stored in another country.

  1. The COPO Act 2019 (UK) and Article 49 of GDPR (EU)

It's worth noting that the UK and EU both have equivalent legislation to the CLOUD Act in place. In the UK, this is the Crime (Overseas Production Orders) (COPO) Act 2019, and in the EU it’s Article 49 of GDPR.

The UK's COPO Act contains similar principles to the CLOUD Act. However, it goes even further by enabling authorities to compel any cloud provider operating outside the UK to release data to them – provided that the UK has signed a Designated International Cooperation Agreement (DICA) with the country in question.

It’s likely more countries will enact similar legislation, with international organisations potentially having to juggle conflicting legal obligations.

  1. GAIA-X (EU)

Currently in its implementation phase, the GAIA-X Framework has been developed by businesses, government officials, and scientists across Europe. It provides the foundation for a networked system that links many cloud services providers together, in which data is decentralised and federated using next-generation infrastructure and security standards.

Implementing sovereign cloud

Given this complex regulatory landscape, it’s no surprise that organisations’ interest in sovereign cloud is growing. There are two routes available to them – either turning to a regional storage provider that operates within specific national borders or building their own sovereign cloud using on-premises private cloud storage. However, this doesn’t mean organisations need to give up on hyperscalers. Often a hybrid, multi-cloud strategy – combining private and public clouds – is the best approach. This way, organisations can leverage the right cloud for the right workload and take advantage of the breadth of services offered by different cloud providers.

For organisations that still need to move data between countries, so-called ‘virtual data spaces’ are emerging to enable cross-border data sovereignty. These depend on data relationships between trusted partners – data providers, users, intermediaries, etc. – with the same high standards for storing and sharing data. Crucially, the data in question is stored at its source and is only moved between locations when strictly necessary. 

The role of object storage in creating a sovereign cloud

Whether organisations build their own sovereign cloud or work with service providers that can offer this, the key enabler for these clouds remains the same – object storage.

Why? First and foremost, object storage is significantly more scalable and cost-effective than block or file storage.

What’s more, object storage provides S3 API compatibility. Because the S3 API has become the de-facto cloud standard, sovereign clouds with S3-compatible storage infrastructure can speak the same language as the public cloud, enabling easy data mobility.

Object storage also features automated data protection and, increasingly, protection against ransomware through data immutability and encryption. Data immutability prevents cybercriminals from altering or deleting data, enabling quick recovery of that data in the event of a ransomware attack, without having to pay ransom. Encryption prevents hackers from reading data or making it public in any intelligible way, eliminating the other form of ransomware extortion.

The bottom line? As the data economy flourishes, organisations must keep up with laws and regulations impacting data sovereignty and ensure they stay in compliance. Sovereign clouds with an object storage foundation are the best way to do so. If an organisation lacks the expertise to create its own sovereign cloud, local service providers can fill the gap.


Neil Stobart is VP of Global System Engineering for Cloudian. Stobart has held several senior consulting and leadership roles working with some of the largest technology companies in the industry and providing guidance and advice to major commercial organisations globally, on best practises and economic considerations of data storage technology deployment. Stobart has experience in all aspects of data storage and management technologies including; SAN, NAS, object, business continuity, disaster recovery, backup, storage networking, capacity planning and performance analysis as well as cloud computing, open systems computing, thin client, data networking and application infrastructure design.