Data sovereignty - how do you deal with customers in multiple jurisdictions?

China recently passed a vague “critical infrastructure and Chinese people’s data must be stored in China” law. Russia did that a couple of years ago. The EU originally led the way with this.

How are you dealing with data sovereignty compliance? I have a market research SaaS product (so reasonably rich, numerous personal details) and I’m looking down the barrel of:

  • having to implement some sort of database router in my application to comply with all the research subjects’ jurisdictions
  • having databases that do not have the increased protection of only being accessible on internal networks, or alternatively having to layer some sort of API proxy server thingy in front of it
  • stupid latency times

Clearly, the issue of data sovereignty isn’t going away. How is everyone dealing with it?

I assume most deal with it in the usual way: ignore it.

There are at least two other ways (we use one):

  1. Have clear terms of service and state the jurisdiction(s) you operate under. It is up to your users to accept these terms, and they have to make sure that they are in compliance with their laws.
  2. Split your app. So have customers from the EU log into EU servers, US into US servers, … That is relatively easy if your customers don’t interact or share the same data. The problem with this is that you now operate under multiple jurisdictions and need to make sure to follow the law.

1 doesn’t work. You’re still not compliant with their laws; most of the data-sovereignty jurisdictions don’t allow users to sign away the data controller’s obligations. Moreover, if you’re B2B, often you’ll be processing another business’ customer data, and the client will expect you to follow those laws.
2 Split your app - yeah, work I would rather not have to do but don’t see a way around at the moment.

The problem with this is that you now operate under multiple jurisdictions and need to make sure to follow the law.

^ In the eyes of those laws you already operate under their jurisdiction once you have a citizen/resident’s data, regardless of your decisions about server location.

Regarding your thought that 1. does not work:

If you offer your service in a specific country, like on a German website or on the German iOS App Store, you will be under German law, even if your company is outside Germany.

If you offer your service on a .com, being a US business and having US TOS, you are not subject to e.g. German (or Russian) law.
If an e.g. German company becomes your client, you still operate under US law. If the German client now uploads citizen data, they are probably in violation of German law.

The data sovereignty laws apply mostly if you have nexus in a state/country where these laws apply. For example all big tech companies have offices/staff/advertising in most countries, and so must operate under their laws, even if their data centers/development is somewhere else. Having nexus is not only about physical presence, but also about if your operations are geared towards a specific jurisdiction.

In practice, it may work for quite a time.

However, the services that do not comply with Russian privacy laws got blocked in Russia. The blocking implementation is still crude and caused a lot of ridicule for the government agency that does it, but there is no doubt they will learn and implement better mechanisms.

Note that to the best of my knowledge the Russian laws in particular do not require storing all the data in Russian datacenters; only the personal information (names, contact info). Hence the technical solution could be to have the account information part of your service extracted into a separate micro-service and host it in Russia for citizens of those countries.

However, I do not know what data are required for local storage in EU or China.

If I was facing this problem, I’d have a separate server instance in each country that has sovereignty laws, and store all the data for their citizens on their respective server. Of course, it makes some functionality (sharing, collaboration) harder to implement, but… a man gotta do what a man gotta do!
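Worked sketch of the split discussed in the thread: the “database router in my application” from the original post’s bullet list, combined with the idea above of pulling personal details out into a per-jurisdiction store while the rest of the record stays central. This is an added example, not code from anyone in the thread. The country-to-region table, the set of fields treated as personal data, the in-memory `Store` class standing in for regional databases, and the `ResidencyRouter` / `audit` names are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical residency policy for the example: which countries' personal data
# must stay in a regional store, and which store serves each. Which countries
# belong here, and what counts as "personal data", is a legal decision that
# this code only enforces; everyone else falls through to the default region.
LOCALIZED = {"RU": "ru", "CN": "cn", "DE": "eu", "FR": "eu", "NL": "eu"}
DEFAULT_REGION = "us"
PII_FIELDS = frozenset({"name", "email", "phone", "address"})


class ResidencyError(Exception):
    """Raised rather than silently writing personal data to the wrong region."""


@dataclass
class Store:
    """In-memory stand-in for one regional database (constructed for the example)."""
    region: str
    rows: dict = field(default_factory=dict)

    def put(self, key, row):
        self.rows[key] = dict(row)

    def get(self, key):
        return self.rows.get(key)


class ResidencyRouter:
    """Splits a research-subject record into PII (regional) and answers (central)."""

    def __init__(self, stores, token_key):
        self.stores = stores            # name -> Store; must include "central"
        self.central = stores["central"]
        self.token_key = token_key      # secret held by the application tier only

    @staticmethod
    def region_for(country):
        return LOCALIZED.get(country.upper(), DEFAULT_REGION)

    def token(self, country, subject_id):
        # Keyed hash: the central store is keyed by a pseudonym that cannot be
        # reversed to (country, subject_id) without the application's key.
        msg = f"{country.upper()}:{subject_id}".encode()
        return hmac.new(self.token_key, msg, hashlib.sha256).hexdigest()

    def store_subject(self, country, subject_id, record):
        region = self.region_for(country)
        regional = self.stores.get(region)
        if regional is None:
            # Fail closed: a localized jurisdiction with no provisioned store
            # must not fall back to the default region.
            raise ResidencyError(f"no store for region {region!r} (country {country!r})")
        pii = {k: v for k, v in record.items() if k in PII_FIELDS}
        answers = {k: v for k, v in record.items() if k not in PII_FIELDS}
        tok = self.token(country, subject_id)
        regional.put(tok, pii)
        self.central.put(tok, {"region": region, **answers})
        return tok

    def load_subject(self, country, subject_id):
        tok = self.token(country, subject_id)
        central_row = self.central.get(tok)
        if central_row is None:
            return None
        pii = self.stores[central_row["region"]].get(tok) or {}
        merged = {k: v for k, v in central_row.items() if k != "region"}
        merged.update(pii)
        return merged


def audit(stores):
    """Return residency violations: PII fields in the central store, or a
    subject's row present in a regional store other than its assigned one."""
    problems = []
    for key, row in stores["central"].rows.items():
        leaked = PII_FIELDS & set(row)
        if leaked:
            problems.append(f"{key[:8]}: PII {sorted(leaked)} in central store")
        for name, store in stores.items():
            if name not in ("central", row["region"]) and key in store.rows:
                problems.append(f"{key[:8]}: row in {name!r}, assigned to {row['region']!r}")
    return problems


if __name__ == "__main__":
    stores = {n: Store(n) for n in ("central", "us", "eu", "ru")}
    router = ResidencyRouter(stores, token_key=b"example-key-not-for-production")
    # Constructed sample subjects; "cn" is deliberately not provisioned.
    router.store_subject("DE", "s-001", {"name": "Anna", "email": "anna@example.org", "q1": 4})
    router.store_subject("US", "s-002", {"name": "Bob", "phone": "555-0100", "q1": 2})
    try:
        router.store_subject("CN", "s-003", {"name": "Wei", "q1": 5})
    except ResidencyError as e:
        print("refused:", e)
    print("audit:", audit(stores) or "clean")
```

Two design points worth noting. The router refuses to write when a jurisdiction is marked as localized but no regional store exists, instead of quietly falling back to the default region, since a silent fallback is exactly the failure that a supplier audit would find. And `audit()` is the check you would run against real stores before a client audits you: it walks the central store for personal-data fields and for rows that turned up in a region they were not assigned to. The HMAC pseudonym keeps the central store from being joined back to a named person without the application key, which also matters for the “databases reachable across regions” concern in the original post.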

The lawmakers see it differently. They say “your service is accessible from Russian territory; hence you should comply with Russian laws; if not, you’ll be blocked”.

Specifically, the personal information of the users should, according to law, be stored on the Russian soil.

You may argue that this is not a logical thing - and many did argue - but this is the law, and not only Russian law but EU and China laws and probably more to come. There are some necessities for sovereign states to have this under control, and so it will be so, like it or not.

The point is moot for the majority of people, especially those in the “bootstrapped business” category that this forum is about.

It only matters if you derive material revenues from people living in Russia/China/${some other totalitarian, censorship-happy country}.

It also only matters if you’re big enough to get on ${totalitarian government} radar. China and Russia don’t care whether your time tracking application stores the data according to whatever data retention laws they have.

Russia might censor twitter if people use twitter to complain about their government, but they would shut it down anyway. But they really don’t care about your $10k/month operation with 2 Russian users.

So I’m with @unboot: ignore it until your revenues can be significantly impacted by whatever laws China/Russia/EU has, at which point you have enough money to hire a lawyer that specializes in those issues and you don’t have to ask random people on the internet.


You forgot EU :wink:

And knowing our friends at the NSA, such laws would have been implemented first in the USA - if not for the fact that all personal data is already stored on US soil, so why bother. :wink:

With that I agree.

However, I’m of the opinion that every country of importance will implement similar laws in the foreseeable future, and hence it’s worth doing a mental experiment now on how to deal with it.

When considering if these laws apply, an important question is: who is your user vs who is your customer vs user/citizen data.

e.g. If you are a US company, have a US customer you fall under US law. Even if this US customer happens to store EU/Russian user data on your service. An example could be dropbox where a US person stores an excel sheet with addresses.

That is different from e.g. Twitter, which itself stores data of EU/Russian customers.

The point is moot for the majority of people, especially those in the “bootstrapped business” category that this forum is about … ignore it until your revenues can be significantly impacted by whatever laws China/Russia/EU has, at which point you have enough money …

Just no, plain and simple. @rfctr is the only one who so far shows understanding of the laws’ scopes, and the business problem they present. If your business deals in personal information it is not a moot point. 1.7 billion people currently live in countries with data sovereignty laws, contributing about 40% of the global GDP.

every country of importance will implement similar laws in the foreseeable future, and hence it’s worth doing a mental experiment now on how to deal with it.

Exactly what I’m getting at, and furthermore it’s not just a mental experiment. As I pointed out originally, you only have the luxury of obscurity when you’re doing small B2C and not storing much personal data. I’m doing B2B and not only are these clients audited by their countries’ data protection authorities every couple of years, but the clients themselves audit their suppliers (me included).

hire a lawyer

I really hate the general implication behind the advice that you don’t have to understand the issue when you hire professional services, the lawyer will just make the problem disappear magically. Imagine turning the tables and you saw a business plan that ended with “and then we’ll hire a guy to code everything and that will take care of our product”.


So, as I understand, you need to be compliant with data sovereignty law, because of requirements of your customers.
That is a requirement that comes out of your commercial relationship with your customers.

This is different from the direct applicability of EU/Russian law to your business.

So, as I understand

You don’t understand. It’s not a commercial requirement, it’s a legal requirement. It doesn’t matter how you acquire the data (direct collection or subcontracted processing), these countries deem that their laws apply to any data controller who has personal data on their citizens/residents. Re-read the first post that @rfctr made carefully.

It is your choice to do business with customers in the EU/Russia and store their data. In that sense it is your commercial choice to do that. This then brings in the requirements by law.

You could also make a different choice: don’t do business with these countries.

Here’s why I suggested a lawyer: you keep insisting that an EU country has jurisdiction over, say, a US company.

That is false and a lawyer would explain the notion of jurisdiction to you. Doing research apparently is not enough.

Unless I’m totally mis-reading this and the hypothetical company you’re describing has presence in China/Russia/EU/wherever, in which case I go back to “moot point” (because at that point you should consult professionals and not strangers on the internet).

The idea that Germany has jurisdiction to enforce German business-related laws over a company based in the US (or Canada, or Peru or Belgium) is ludicrous.

Even if I sell to Germans, Germany can’t make me put an Impressum information on my website, make me stop selling “Mein Kampf”, make me collect VAT, make me pay German business taxes (all things that German companies must do).

Or make me comply with their data retention laws.

If they tried any of that, US government would put them firmly in place (and vice versa, if US tried to make German businesses comply with, say, DMCA, Germany would put them in place).

I repeat: Germany has no jurisdiction over US business, but the clear insanity of such a scheme doesn’t seem to stop you from militantly spreading this completely false idea of how law works across borders.

But hey, I’m easily convinced with facts.

Show me a single case of a fully US based company that was successfully prosecuted by government of a country that is not US for not complying with non-US laws.

Show me a single case of a fully US based company that was successfully prosecuted by government of a country that is not US for not complying with non-US laws.

Russia vs LinkedIn, ruling of August 2016 and appeal of Nov 2016. Here is the court ruling (in Russian):

The Russian data protection authority, Roskomnadzor, brought the action claiming that LinkedIn violated the data localization requirement in addition to other general Russian data privacy laws. LinkedIn does not have a legal entity in Russia. Consequently, Roskomnadzor blocked access to the LinkedIn website and Apple + Google removed the app from the Russian versions of their app stores.

What do I win? :smiley:

The question of jurisdiction might be different than you think.

For example for VAT, the customer in the EU must pay VAT. These customers fall under EU jurisdiction. As a US seller, you are merely required to “collect” VAT for EU customers; you as a seller are not required to pay VAT. But as you have collected it, you must refund it to the EU countries. There are various agreements between the EU tax authorities and e.g. the IRS. In practice US companies must collect VAT for EU customers, and many do (as most of the resellers).
From the point of view of the EU, the trade between a US seller and an EU customer takes place (at least partially) in the EU, so EU laws apply.

There’s a very popular saying in Russia “the severity of Russian laws is always compensated by the optionality of their execution” because laws in Russia are written with oppression and bribery in mind. Don’t worry unless you’re a target due to some political reasons.


:roll_eyes: Please stop pouring propaganda into a business forum.

IT-related laws in Russia are pretty liberal compared to some other countries. IT for a long time was basically unregulated, because the laws had to catch up.

Even in the case of personal data laws Russia simply follows the example of “unoppressive” entities such as EU.

And this is just not wise advice.

It is enough to have one complaint from an unhappy customer, and you’d be banned. Yeah, why worry?

Used to be ludicrous, true - for the physical economy. Now it is hard to tell where the jurisdiction ends, as on the same computer, within the same transaction, you can use services from a few countries at once.

But that’s not the core of the problem as I understand it:

Imagine Walmart stores the list of their customers on Amazon servers. Not smart, eh? Amazon has a lot of opportunities to peek in and learn the behaviour, statistics, trends - and use them against Walmart.

Now imagine all your country’s population behaviours, connections, intentions and whatnot are stored on servers in a different country. That gives the intelligence of that other country enormous tools for both the analysis and manipulation - with a potential of real-world effect during say election period.

No sane and strategic-thinking government would permit that.

Of course, they cannot move all those data to sovereign servers at once - the situation was ignored for far too long. But step by step the laws will be changed to move more and more of the local data to the local servers.

That is my understanding of the underlying reasons for these laws, anyway.

Uncomfortable truth is not “propaganda” and the business forum discusses politics-related issues right now.

Let’s skip whataboutism, my statement was related only to the goal of laws like this in Russia.

Any significant examples towards non-significant sites?