Distributed Cloud Storage & Data Residency Laws

  • 25th July, 2022

The world of data has become increasingly complex with the introduction of national data privacy laws. Some countries, such as France, Germany and Russia, require that their citizens' data be stored on physical servers within their borders. Countries like the United States require federal agencies to store data only on servers located in the country. In healthcare, patient records often need to be treated differently than financial records, and the rules change depending on where the data actually resides, making it even more complicated.

In recent years, there has been a strong push to move data to the next frontier - namely the major public cloud providers. But these giant providers are global companies with data warehouses spanning many countries, connected entirely by network highways. If everything is connected, how can a company be sure that its data will remain in a particular country and comply with applicable laws? That's impossible.

The bad news for corporate IT and legal departments is that they are ultimately responsible for complying with these laws. While the cloud provider may make some promises about where the data is stored, it is actually the data owner who is responsible.

Take for example the human resources department of a multinational company. Suppose some employees live in Paris, while others live in Munich, and others in Chicago. To comply with local laws, companies should have three separate systems for storing employee data. Not ideal.

The world was wrong when it decided to manage data in the jurisdiction where it was "at rest". A better way to protect data may be to manage where it is created, used and analyzed. But, at rest? One day, our data might just rest on Mars! But today, our data is still in places like Amazon Web Services or Alibaba Cloud. We need to get rid of the mindset of storing our data on the right side of a border in order to comply with the law. Instead, we should focus on making sure our data is only accessible and readable from a certain location, not at rest waiting to be accessed.

Data is treated as if it were a physical object, but it violates the principles of the physical world. Data can be created and destroyed. Data can be reproduced millions of times. Data can be transported at the speed of light to anywhere in the world. Data is not a physical object, it is a virtual presence. So why should we care what magnetic media slot it occupies at any given time, when it can be moved at lightning speed to another physical location?

Consider the difference in how we choose to protect a gold coin (a physical object) and a bitcoin (a virtual presence). A gold coin is placed in a safe box, in a safe vault, in a secure building - with layer upon layer of physical security. In contrast, bitcoins are placed in the public domain without any security and are stored in a ledger that is accessible to everyone. However, access control is reserved only for its owner. Although it is in the public domain, it can only be accessed by its rightful owner.

While the world may not be ready for UN data privacy regulation, there is a way to enforce virtual data laws no matter where the servers are located. Destroy it. If the data is destroyed and inaccessible, it is likely to comply with data protection laws, right? But if the data is destroyed, it is useless. Unless, of course, destroyed data can be recreated.

This is exactly how distributed cloud storage works. Distributed data is not in a physical location; it is in a virtual location. It is not kept in one place but spread across different places. The shards are not usable data but remnants of destroyed data. If the data is completely incomprehensible and does not exist in complete form anywhere in the world, is it compliant with data protection laws? This is a component of Bifrost Cloud storage, where data can exist in a destroyed format and be recreated only by the rightful owner. And the actual location where the data is recreated is important, because as soon as the data is regenerated it must/could/will obey the laws of that location.

So if the data is generated in Toronto, it is subject to Canadian law. If it is later destroyed and its remains are moved to a distributed cloud storage provider such as Bifrost Cloud, where the data does not exist, it should be free from any rules or regulations. If the destroyed data is subsequently recreated in Frankfurt, it can be, and is, immediately subject to German law.

Distributed cloud storage makes sense if the data cannot be recreated by anyone other than the rightful owner. It cannot be recreated by a hacker, cloud provider or government. If control of data truly rests with the sole owner of the data, we can envision a world where the risk of non-compliance would be greatly reduced and possibly even eliminated.
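The property the last paragraphs depend on, shown as an added example that is not Bifrost Cloud's code or its actual scheme: shards are only "destroyed data" when the split is cryptographic. The sketch assumes an n-of-n XOR split, where every shard is needed to rebuild the record, and contrasts it with plain striping; the record and all function names are constructed for illustration.

```python
import secrets
from functools import reduce

# Constructed sample record (not real data).
RECORD = b"employee=Jane Doe;city=Paris;salary=58000EUR"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def split(data: bytes, n: int) -> list[bytes]:
    """n-of-n XOR split: n-1 random pads, plus the data XORed with every pad.

    Any subset smaller than n is statistically independent of the data,
    so a single storage location holds nothing readable.
    """
    if n < 2:
        raise ValueError("need at least two shards")
    pads = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    return pads + [reduce(xor_bytes, pads, data)]


def combine(shards: list[bytes]) -> bytes:
    """Rebuild the record; only correct when every shard is present."""
    return reduce(xor_bytes, shards)


def stripe(data: bytes, n: int) -> list[bytes]:
    """Contrast case: plain striping into contiguous plaintext chunks."""
    size = -(-len(data) // n)  # ceiling division
    return [data[i:i + size] for i in range(0, len(data), size)]


def leaks(shards: list[bytes], needle: bytes) -> bool:
    """True if any single shard exposes the given plaintext fragment."""
    return any(needle in shard for shard in shards)


if __name__ == "__main__":
    shards = split(RECORD, 3)
    print("all shards rebuild the record:", combine(shards) == RECORD)
    print("two of three rebuild it:      ", combine(shards[:2]) == RECORD)
    print("XOR shard exposes 'Paris':    ", leaks(shards, b"Paris"))
    print("striped shard exposes 'Paris':", leaks(stripe(RECORD, 3), b"Paris"))
```

Whoever can gather every shard can rebuild the record, so the "only the rightful owner" claim also depends on who is able to collect all of them, or on encrypting the record under an owner-held key before splitting.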

Let's all stop treating data like a physical object and pretending that it must exist somewhere, and start thinking about pushing the destroyed data to many places where only the owner is legally able to recreate it.
