Data Sovereignty—
the Oil and Gas Perspective

February 2019

[Cover graphic: "Data Sovereignty" surrounded by the terms Autonomous Vehicles, Internet of Things, Automation/Robotics, Big Data/Analytics, Blockchain, Cloud, AI/Cognitive Computing and Information Security]

Contents

Introduction
What Has Changed and What Is to Come?
Data Sovereignty Laws - an overview of the challenge
Implications
What can be done?
Data Classification
Data Minimisation and Anonymization
Managing Third Parties
Standards
Security and Availability of Data
Conclusion
Authors

Introduction

When it comes to data, globalization may no longer be the buzzword in many corporate boardrooms. Companies are increasingly running up against legal barriers to the free flow and aggregation of data as countries continue to pass so-called data sovereignty laws.

While the internet and new technologies tend to make the world smaller and break down national borders, states are exerting ever more control – or sovereignty – over “their” electronic data. Some of these data sovereignty efforts, including data localization laws, have been introduced to ensure that personal information is given appropriate protection no matter where the data resides. Other reasons, however, are more proprietary—if not protectionist. States see value in controlling data for national security and law enforcement purposes, as well as for economic reasons. In other words, data is becoming like natural resources, the subject of international competition. Caught in the middle are international industries, like the oil and gas industry, which are facing growing compliance challenges, and who are having to think seriously both about which countries to do business in and about where, how and what data to store.

The companies that will come out ahead will be those that fully understand the developing issue and which develop a risk-based, business-focused, and global regulatory strategy. This strategy needs to incorporate governance reforms, legal and technological solutions, as well as efforts to highlight the laws’ largely deleterious effects and often spurious justifications, if a company is to survive and thrive in this increasingly challenging regulatory environment.

This white paper discusses the growing challenge of data sovereignty laws and details practical solutions to help oil and gas companies meet the challenge.

What Has Changed and What Is to Come?

The year 2018 is proving to be a watershed year for so-called data sovereignty laws, but the race to control data began in earnest in 2013 as high-profile data breaches began making the headlines globally, leading countries to want to take ownership of their data, or to elevate privacy of personal data to a fundamental right to be protected by the state. In addition, advances in Big Data analytics, and the race for advanced Artificial Intelligence (AI) capabilities, mean the value of data is rising, as the costs of storing data decline. Governments have begun to realize the value of data from an altruistic privacy protection perspective, but also from other more proprietary perspectives such as national security, law enforcement, economics and competition in cutting-edge technologies.

With greater geopolitical instability and the rising value of data, this problem of data sovereignty is going to be increasingly challenging for companies in the oil and gas industry as they find themselves in the middle of conflicting legal obligations and competing national (if not nationalistic) demands.

Data Sovereignty Laws - an overview of the challenge

Data sovereignty laws, regulations or policies take many forms and impose varying requirements that require oil and gas companies to have intricate, multijurisdictional regulatory strategies. Many are fairly narrow in scope. In Saudi Arabia, the Cloud Computing Regulatory Framework (CCRF) issued by the Communications and Information Technology Commission (CITC)¹ has been regulating cloud services since it entered into force in March 2018. These regulations impose restrictions on transferring information outside Saudi Arabia, requiring Cloud Service Providers to ensure that no highly sensitive (that is, data identified as Level 3 and 4) customer content be transferred outside the country, permanently or temporarily, unless expressly permitted under Saudi Arabian law or regulation.

More recently (October 2018), the Saudi Arabia National Cybersecurity Authority (NCA) introduced a new set of Essential Cybersecurity Controls² (ECC) which apply to government organizations, their subsidiaries, semi-government, state-owned companies and National Critical Infrastructure (NCI) entities. These controls mandate that any site utilized for hosting and storing an organization’s information must be located inside the Kingdom.

Other data sovereignty laws are aimed more broadly at personal data of residents, but have fairly low compliance costs. For example, India and South Korea generally require consent of the data subject before personal data can be sent out of the country. Another example is Israel. Under the Privacy Protection (Transfer of Data to Databases Abroad) Regulations, 5761-2001³, the transfer of data outside of Israel is subject to conditions which include data subject consent. In addition, the database owner must secure a written undertaking from the recipient of the transferred data that it will take sufficient precautions to protect the privacy and security of that data.

Some data sovereignty laws, however, especially those enacted post-2013, are more onerous. China and Russia have perhaps the most notable data localization laws, but Europe’s sweeping privacy law, the General Data Protection Regulation (“GDPR”), is itself a variant of data sovereignty law.⁴ Still others, like India’s Personal Data Protection Bill⁵ (which details restrictions on data storage and conditions on overseas data transfers), are still working through the legislative process.

Any organization processing card payments, e.g. for consumers and forecourt environments, needs to comply with not only PCI/DSS but also national data sovereignty laws. Examples include the new regulations from the Reserve Bank of India requiring payment companies to keep transaction data of Indian customers within the country, and, in Turkey, the Regulation on Internal Systems of Banks and Evaluation Process for Efficiency of Internal Capital, which necessitates that all information systems of banks (which includes primary backups) are located in Turkey.

¹ Government Agencies’ Guide to Cloud Computing Service issued by the CITC.
² National Cybersecurity Authority Essential Cybersecurity Controls (ECC – 1 : 2018)
³ www.gov.il/BlobFolder/legalinfo/legislation/en/PrivacyProtectionTransferofDataabroadRegulationsun.pdf
⁴ Regulation (EU) 2016/679.
⁵ https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf

The majority of these laws have the effect of requiring companies to keep certain types of data within the country’s physical borders – or to meet certain criteria before that data may be moved across those borders. Some laws try to maintain government oversight or control over data that originated in the country, even after it leaves the country’s borders. Still others are aimed at giving the government access to data maintained outside of its borders, regardless of where it originated, although often in conjunction with an international agreement between the country seeking the data and the country where the data is stored.

In 2018, the U.S. took the position that the government has the ability to access certain data in the possession of U.S. companies anywhere in the world. Racing to moot a pending case before the Supreme Court, the U.S. Congress passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act to make clear that U.S. authorities can access certain data extraterritorially, which may include data stored in the Cloud. It acknowledged the need to resolve the conflicting compliance burdens multinational companies face when one country requires data stored in countries which limit overseas access, but so far no specific bilateral agreements have been reached to smooth out conflicting compliance burdens.⁶ It remains an open question as to how other nations will respond to requests from U.S. law enforcement under the CLOUD Act which are not in their own national interests.

In a breaking development just prior to publication⁷ the European Commission has announced that it is planning to negotiate an EU-wide agreement with the U.S. that would require service providers on both sides of the Atlantic to supply requested electronic data in criminal cases within 10 days. This would aim to streamline the process of pursuing evidence in criminal proceedings. Oil and gas companies will need to work closely with their service providers to manage the release of personnel or patient data (if requested) under the proposed regime.

On the date of publication the UK’s Crime (Overseas Production Orders) Act 2019 was passed.⁸ This will give UK law enforcement the ability to access electronic data stored outside of the UK to support investigations (such as organised crime and terrorism). This will be subject to bilateral agreements between the UK and other countries (with negotiations currently taking place between the US and the UK). These bilateral arrangements are all the more important as the UK prepares to leave the European Union in March 2019.

⁶ The CLOUD Act specified procedures which allow U.S. law enforcement to gain access to data stored abroad, but it provides communications and Cloud service providers with a means to challenge those requests when the service provider believes disclosure of the data would lead to a conflict of laws. A court could quash the warrant or subpoena in the “interests of justice” based on a multi-factor test that evaluates the consequences of any legal conflict, the strength of law enforcement’s interests, and ties to the U.S. and foreign locations. The availability of this procedure, however, is limited to addressing conflicts of law with foreign governments that have entered into CLOUD Act agreements with the U.S. (known as “qualifying foreign governments”).
⁷ http://europa.eu/rapid/press-release_MEMO-19-863_en.htm
⁸ www.gov.uk/government/news/crime-overseas-production-orders-bill-receives-royal-assent

Implications

In passing these laws, countries are primarily looking to fulfil their own specific objectives, including: access to data for national security or law enforcement purposes, the exclusive capture of data’s economic value, and the use of data to power advances in AI and other revolutionary technologies. In addition, data sovereignty laws tend to support local IT and cloud providers to the detriment of multinational providers, or to more broadly support the local economies (e.g. Vietnam’s new cybersecurity law requires certain multinational companies to have a local presence in Vietnam).

But regardless of their intent, countries are making business challenging for oil and gas companies, and the costs will only mount.

Security is also often touted as a benefit to data sovereignty laws; but, in fact, protection of data is a poor rationale. One research report concluded:

Many policymakers reflexively and mistakenly believe that data is more private and secure when it is stored within a country’s borders. This misunderstanding lies at the core of many data-localization policies. However, in most instances, data-localization mandates do not increase commercial privacy nor data security.⁹ Far more important than the location of a computer system is “that the company involved (either a company with its own networks or a third-party Cloud provider) be dedicated to implementing the most advanced methods to prevent such attacks.”¹⁰

Data sovereignty laws also create other inefficiencies, the same way other barriers to free trade do. For example, if oil and gas companies are not able to draw upon international or regional Cloud hyperscale data-centers, duplicative expenditures can result, along with the loss of economies of scale for investment, innovation, security and resilience. Similarly smaller local vendors may not be able to draw upon the experience of rolling out solutions in other jurisdictions. Even if data localization laws result in local cloud databases, those databases are very unlikely to have the full complement of services or the massive ongoing investment and updates that hyperscale clouds will.

⁹ INFORMATION TECHNOLOGY & INNOVATION FOUNDATION, Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost? (May 2017). Available at http://www2.itif.org/2017-cross-border-data-flows.pdf
¹⁰ Id.

What can be done?

At the highest levels, the reality of data sovereignty laws needs to factor into oil and gas companies’ global strategic decisions.

Before entering a new market, or acquiring a company in a different jurisdiction, businesses need to understand the regulatory environment for data, and they need to factor in what it would cost and mean to comply, including at a very granular level. Something as simple as emailing a well-site crew list across borders can implicate data sovereignty laws.

Most, but not all, countries’ data sovereignty laws are focused on personal data regarding citizens or residents of the country. For many upstream and midstream oil and gas companies, where international employees and contractors are common, that means understanding and planning for where human resources data is collected, where it is stored and processed, who needs access to that data and where they are located, and the circumstances under which the data may need to cross international borders. Downstream companies, particularly those with retail operations, still have their own staff and contractor data to consider, but also need to consider where and how they process customer data and whether international transfers of that data may be necessary.¹¹

But there also has been a trend recently for data sovereignty laws to reach other types of data. Often these laws are promoted as protecting vital national security interests, but they also often have the effect of protecting or furthering strategic national economic interests. The laws may be designed in a way that makes it more difficult for international companies to compete with local companies, or they may have the purpose of giving the government, and therefore perhaps the companies the government owns or sponsors, access to proprietary, competitive information and intellectual property.

The oil and gas industry, in particular, relies on the ability to move and share data across borders. Data from seismic companies needs to flow to exploration companies’ geologists and reservoir engineers. Oil field equipment engineering companies need to share design specifications and drawings with their customers. Proprietary drilling mud, fracking fluids, and cement formulas may need to pass between well operators, drilling contractors, and vendors. Companies may, for strategic and cost-savings reasons, have centralized supply hubs where equipment is gathered, assembled and distributed, and the associated data needs to flow with the equipment and supplies. Some data sovereignty laws may try to keep this type of data, or at least a copy of it, in the country where it was created. Others may try to take control of the data once it arrives in the country from another country. Companies must develop a global strategy that takes these data sovereignty laws into consideration.

¹¹ Retail customer data often includes payment information, which can implicate non-governmental industry regulations, such as the Payment Card Industry Data Security Standard (“PCI-DSS”).

This global strategy should be supported by good global data governance that works hand-in-hand with technological solutions to help manage costs, improve effectiveness, and enable opportunities. Complying with the increasingly complex, often overlapping and sometimes contradictory data sovereignty laws begins with understanding what data the business collects and processes, where the data is stored and where it might need to be used, and who might have access to it. It is also important to understand how sensitive data may need to be transmitted or transferred both within the company and between the company and its customers, business partners, investors, vendors and contractors, and regulators.

The more nimble the ability to tag and track data, and the more the location of data can be controlled, the better off a company will be. In addition, the more modular the IT architecture and governance structures are for adding new systems or bringing on new operations in new countries, the better.

We set out below some considerations that an oil and gas company may want to take into account to address data sovereignty challenges.

These include:

–– data classification
–– data minimization and anonymization
–– managing third parties
–– data governance and standards
–– ensuring the availability and security of data

We set out considerations in respect of each of those areas below.

Data Classification

The first step is to know thyself. Data classification can help an organization more readily and efficiently handle specific data streams in accordance with specific country rules. Different types of data will have differing handling requirements. Some types of data may, by certain laws, have to be kept on premises with access strictly limited. Other types of data, for example data collected from already public sources, will have no particular security or privacy requirements.¹² The more advanced an oil and gas company’s data classification capabilities, the more likely it will be able to navigate the various data sovereignty laws.

In general, data classification works best when the number of classification categories is kept to the minimum necessary to achieve compliance with corporate and regulatory requirements. Too much complexity in a classification scheme can make it unwieldy to implement and actually discourage its proper use. However, when effectively implemented, a classification scheme which is built into data governance (discussed below) can help inform decisions about where data should be collected, created, stored and used; who should have access to the data, and from where; whether the data can be processed or managed by third parties or must only be managed by employees; what controls must be applied to appropriately manage the data; and whether the benefits of having and processing the data outweigh the costs of doing so.

While data classification can be a difficult undertaking, it is a critical element of the strategy. Technologies that use machine learning to detect patterns and correlate different pieces of content may be able to assist by automating the process and therefore reducing errors, increasing consistency and lightening the load on both users and those in charge of data governance.

Once data classification has been implemented, oil and gas companies will likely find the vast majority of their data to be non-sensitive or general-access, and such data will not usually face any barriers to storage in the Cloud or to international access and transfer.

¹² Although, in limited circumstances, some public data may become subject to privacy or security requirements when combined with other non-public data.
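The decisions the section says a classification scheme should inform (where data may be stored, whether it may cross a border, whether a third party may handle it, and which controls apply) can be encoded as a small policy check. The Go program below is an added illustration and is not part of the white paper: the four classification levels, the fictional origin countries "XA" and "XB" and their policy entries are constructed for the example and are not statements of any country's law. The design point it makes is that an origin with no policy entry is refused rather than allowed, so gaps in classification surface as blocked transfers instead of silent exports.

```go
package main

import "fmt"

// Classification levels. The paper recommends keeping the number of
// categories to the minimum compliance requires, so four are used here.
type Classification int

const (
	Public     Classification = iota // collected from already-public sources
	Internal                         // ordinary business data
	Personal                         // personal data of staff, contractors, customers
	Restricted                       // law requires in-country storage, limited access
)

func (c Classification) String() string {
	return [...]string{"Public", "Internal", "Personal", "Restricted"}[c]
}

// Record is a data object tagged by the classification process.
type Record struct {
	Name   string
	Class  Classification
	Origin string // country where the data was created
}

// Transfer describes a proposed storage location or cross-border move.
type Transfer struct {
	Rec         Record
	Destination string
	Consent     bool // data-subject consent obtained
	LocalCopy   bool // a copy stays in the origin country
	ThirdParty  bool // destination is operated by a vendor, not the company
}

// Policy is what the origin country demands for a classification level.
// Constructed for illustration; "XA" and "XB" are fictional countries.
type Policy struct {
	NoExport       bool // may never leave the origin country
	NeedsConsent   bool // export only with data-subject consent
	NeedsLocalCopy bool // a copy must remain in the origin country
	EmployeesOnly  bool // may not be handled by third parties
}

var policies = map[string]map[Classification]Policy{
	"XA": { // strict localization law
		Restricted: {NoExport: true, EmployeesOnly: true},
		Personal:   {NeedsConsent: true, NeedsLocalCopy: true},
	},
	"XB": { // consent-based transfer rule
		Restricted: {NoExport: true},
		Personal:   {NeedsConsent: true},
	},
}

// Decision is the outcome plus the controls that must accompany the data.
type Decision struct {
	Allowed  bool
	Reasons  []string // why the transfer was refused
	Controls []string // controls required if it is allowed
}

// Evaluate applies the origin country's policy for the record's class.
// An origin with no policy entry fails closed: refuse until reviewed.
func Evaluate(t Transfer) Decision {
	d := Decision{Allowed: true}
	if t.Rec.Class == Public { // nothing to enforce
		return d
	}
	byClass, known := policies[t.Rec.Origin]
	if !known {
		return Decision{Reasons: []string{"no policy entry for origin " + t.Rec.Origin + "; refuse until reviewed"}}
	}
	p := byClass[t.Rec.Class] // zero Policy means no restriction for this class
	crossBorder := t.Destination != t.Rec.Origin

	if crossBorder && p.NoExport {
		d.Allowed = false
		d.Reasons = append(d.Reasons, fmt.Sprintf("%s data may not leave %s", t.Rec.Class, t.Rec.Origin))
	}
	if crossBorder && p.NeedsConsent && !t.Consent {
		d.Allowed = false
		d.Reasons = append(d.Reasons, "export requires data-subject consent")
	}
	if crossBorder && p.NeedsLocalCopy && !t.LocalCopy {
		d.Allowed = false
		d.Reasons = append(d.Reasons, "a copy must be retained in "+t.Rec.Origin)
	}
	if t.ThirdParty && p.EmployeesOnly {
		d.Allowed = false
		d.Reasons = append(d.Reasons, "this class may only be handled by employees")
	}
	if !d.Allowed {
		return d
	}
	if t.Rec.Class >= Personal {
		d.Controls = append(d.Controls, "encrypt at rest and in transit")
	}
	if crossBorder {
		d.Controls = append(d.Controls, "log the transfer for regulatory records")
	}
	if t.ThirdParty {
		d.Controls = append(d.Controls, "restrict vendor access to the task's data only")
	}
	return d
}

func main() {
	crew := Record{Name: "well-site crew list", Class: Personal, Origin: "XA"} // constructed
	d := Evaluate(Transfer{Rec: crew, Destination: "XB", Consent: true})
	fmt.Printf("allowed=%v reasons=%v controls=%v\n", d.Allowed, d.Reasons, d.Controls)
}
```

The crew-list case from the section is the one exercised in main: with consent but no in-country copy retained, the fictional "XA" policy refuses the email to "XB" and says why.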

Data Minimisation and Anonymization

From a data protection perspective, data minimization is its own principle that requires compliance; but it is also a helpful strategy when it comes to navigating and minimizing the effects of data sovereignty laws. Data minimization generally refers to collecting and processing only the types of data that truly have value to the company. The leaner your data, and the greater the ability to strip out unnecessary data (including metadata), especially when faced with production orders, the more likely a company will be to thread the needle between separate sovereigns. Accordingly, data minimization works better the better a company’s data classification capabilities are.

Data minimization often does require a culture shift within a company. With data storage costs continually decreasing on a per-byte basis, and with the opportunities to mine value from data increasing, it is tempting to continue to hoard data, even where it does not have obvious immediate value. But increasingly there are costs to data, especially data just sitting around. The compliance costs, especially because of data sovereignty laws, are increasing, as are the noncompliance costs. For example, the GDPR specifies that personal data must be “relevant and limited to what is necessary in relation to the purposes for which they are processed.”¹³ The potential consequences of non-compliance with the GDPR include fines of up to 20 million euros or 4% of a company’s worldwide annual turnover, whichever is greater. There are also costs to safeguarding that data, and potentially enormous costs if that data is breached.

De-Identification and Anonymization

As many data sovereignty laws appear to be focused on personal data/personally identifiable information, one solution is to consider whether it is possible to navigate the laws by moving the data outside of a “regulated” area. In other words, if the data sovereignty law applies to personal data, a company can de-identify or anonymize as much of the data as possible. However, companies need to assess the technical and regulatory sufficiency of de-identification or anonymization. The ability to reverse engineer or figure out the identity from other sources needs to be considered.

¹³ Regulation (EU) 2016/679, Art. 5(1)(c).
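The section's closing point, that de-identification must be checked against re-identification from other sources, can be measured rather than assumed. The Go program below is an added example, not taken from the white paper, that computes k-anonymity over a constructed crew roster: removing the name alone leaves every person unique on the combination of role, nationality, rig and age, while generalizing those quasi-identifiers produces groups of three. The roster, the role and region mappings and the Release helper are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Person is one row of a crew roster. Name is a direct identifier; the other
// fields are quasi-identifiers that together can single someone out when
// matched against other sources (an org chart, a published crew change).
type Person struct {
	Name        string
	Role        string
	Nationality string
	Rig         string
	Age         int
}

// Roster is a constructed sample; every name and value is invented.
var Roster = []Person{
	{"A. Example", "Driller", "NO", "RIG-7", 52},
	{"B. Example", "Driller", "NO", "RIG-7", 47},
	{"C. Example", "Roughneck", "NO", "RIG-7", 31},
	{"D. Example", "Roughneck", "NO", "RIG-7", 29},
	{"E. Example", "Toolpusher", "GB", "RIG-7", 58},
	{"F. Example", "Roughneck", "NO", "RIG-7", 35},
}

// NameDropped is naive de-identification: the name is removed but every
// quasi-identifier is kept at full precision.
func NameDropped(p Person) string {
	return strings.Join([]string{p.Role, p.Nationality, p.Rig, fmt.Sprint(p.Age)}, "|")
}

// Generalized coarsens each quasi-identifier so that several people share
// every combination: roles to a crew category, countries to a region, ages
// to 20-year bands. The mappings are illustrative, not a standard.
func Generalized(p Person) string {
	role := map[string]string{"Driller": "drill crew", "Roughneck": "drill crew", "Toolpusher": "drill crew"}[p.Role]
	if role == "" {
		role = "other"
	}
	region := "other"
	switch p.Nationality {
	case "NO", "GB", "DK", "NL":
		region = "Europe"
	}
	band := p.Age / 20 * 20
	return strings.Join([]string{role, region, p.Rig, fmt.Sprintf("%d-%d", band, band+19)}, "|")
}

// classes counts how many people share each key value.
func classes(rows []Person, key func(Person) string) map[string]int {
	counts := map[string]int{}
	for _, p := range rows {
		counts[key(p)]++
	}
	return counts
}

// KAnonymity returns the size of the smallest group sharing one key value.
// k == 1 means at least one person is uniquely identifiable from the
// released fields alone.
func KAnonymity(rows []Person, key func(Person) string) int {
	k := 0
	for _, n := range classes(rows, key) {
		if k == 0 || n < k {
			k = n
		}
	}
	return k
}

// Singletons lists the key values that pick out exactly one person.
func Singletons(rows []Person, key func(Person) string) []string {
	var out []string
	for v, n := range classes(rows, key) {
		if n == 1 {
			out = append(out, v)
		}
	}
	sort.Strings(out)
	return out
}

// Release hands out the de-identified rows only if they meet the required
// k, so an under-generalized extract is never passed on by accident.
func Release(rows []Person, key func(Person) string, minK int) ([]string, error) {
	if k := KAnonymity(rows, key); k < minK {
		return nil, fmt.Errorf("k=%d below required %d; %d singleton(s)", k, minK, len(Singletons(rows, key)))
	}
	out := make([]string, 0, len(rows))
	for _, p := range rows {
		out = append(out, key(p))
	}
	return out, nil
}

func main() {
	fmt.Println("name dropped: k =", KAnonymity(Roster, NameDropped))
	fmt.Println("generalized:  k =", KAnonymity(Roster, Generalized))
	if _, err := Release(Roster, NameDropped, 3); err != nil {
		fmt.Println("refused:", err)
	}
}
```

k-anonymity is a floor, not a proof: a group whose members all share the same sensitive value still leaks that value, so a real release would also check diversity within each group and the regulatory test the section mentions.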

Managing Third Parties

It is not enough to get your own house in order, but increasingly it is about making sure you understand and control how third parties store and process your data. A central tenet of many data sovereignty laws, including the GDPR, is that a company cannot contract out of its regulatory obligations—and sometimes contracting with third parties can incur additional obligations. For example, if a third party is located in a country with strict data sovereignty laws, it may be worth thinking twice about using that company.

The oil and gas industry has long relied heavily on contractors, joint-venture partners, consultants, service companies, suppliers, and other third parties to manage their day-to-day business. This increasingly includes information technology vendors, such as cloud storage vendors, software-as-a-service (“SaaS”) providers, cloud computing (sometimes called everything-as-a-service) providers, and even information security service providers. Data usually flows in many directions between all of these business partners. Companies need to understand how these relationships affect compliance with data sovereignty laws, as well as how they impact the confidentiality, integrity and availability of data.

Indeed, the procurement and contracting process should include selection criteria and contractual terms that account for various regulatory environments. Companies are getting used to due diligence on the basis of security (and accreditation by third parties, like the ISO/IEC 27001 and 27002 certification, is a useful shorthand); but at the same time, the data sovereignty implications must also be assessed on the front end. It is also important to realize that third-party solutions can aid in compliance by sharing some of the burden – so long as those service providers are appropriately vetted.

After selection, the work is not done. Companies need to manage their third parties to ensure compliance, including potentially auditing and reviewing records of processing activity. Also, companies may want to limit the access third parties have to data unnecessary for their task. Segmentation, compartmentation, access controls and cryptography can be useful tools to limit and mitigate any adverse data sovereignty implications of using a particular third party for a particular task.

Standards

Standards bodies define best practices for data management which aid organizations endeavoring to apply a structured approach to the control of data. An example of such a standard is ISO/IEC 38505. This standard helps board members understand that data has inherent value, risk and constraints, as well as the accountability issues of data and how to develop a framework for governing its use. The standard uses a “data accountability map” to describe in very simple terms the data activities that require oversight and policies.

As data moves to the cloud there are other standards that help provide the transparency and trust that is needed to ensure good governance. ISO/IEC 27018, for instance, provides heightened privacy requirements for cloud service providers.

Security and Availability of Data

Data sovereignty laws are often motivated by a desire of governments to ensure that certain types of data are readily accessible within the country.¹⁴ Of course, companies also have a strong interest in ensuring that important business data is available for use in the business.

Unintentional or, perhaps worse, malicious destruction of data has long been a threat. Recently, new threats, such as ransomware attacks, which make data inaccessible without destroying the data, have emerged or come to prominence. A well-designed (and regularly tested and updated) business continuity and disaster recovery plan is essential to ensure the availability of critical data – this applies not only to data which may be targeted by threat actors (for example, in the case of the WannaCry ransomware attacks) but also in response to natural disasters (such as the Tōhoku earthquake and tsunami that hit Japan in 2011). Data sovereignty requirements may limit where backup data can be stored. But the backups made for business continuity and disaster recovery purposes may also be able to serve the dual purpose of satisfying data sovereignty requirements by ensuring that a copy of data is maintained in a country, without necessarily requiring the “live” systems to be maintained in the country.

Finally, as more nations are eager to use covert means to get access to data—which could include valuable intellectual property and other company proprietary data—sound security is critical. Encrypting data, both in storage and during transmission, can help.

It is increasingly common for companies to use encryption everywhere to protect data. Whole-device encryption is built into many modern operating systems for devices ranging from servers to desktops and laptops to tablets and even mobile phones. The benefits of encryption are recognized in many data privacy laws such that if data is stolen or lost in encrypted form—such as an encrypted laptop being accidentally forgotten in the back seat of a taxi—it is not considered to have been compromised or “breached” unless the encryption key was also lost or compromised.

Robust key management is important to managing encryption at an enterprise level. Relying on someone remembering and not writing down a password for an encrypted spreadsheet is better than no encryption at all, but using a public key infrastructure or other robust automated key management tool is much better and easier to manage at enterprise scale.

For Cloud-based services, encryption key management takes on another layer of complexity. Encryption is often a feature of Cloud services to help keep one company’s data from being accessible by other companies using the Cloud service. But this encryption can also keep the data from nations. The key is to make informed decisions about who has the decryption capabilities. For some data it may be appropriate for the Cloud service provider to manage the keys, but for other data, it might be more prudent for the company to manage the keys, or even for the company to maintain complete custody and control over encryption keys. It is not a matter of trust, but of limiting potential access by states, which often turns on where the data will physically reside.

¹⁴ For example, Belgian tax laws require that tax-related data be accessible on demand at company facilities where the tax submissions are prepared.
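The choice this section describes between provider-managed and customer-managed keys comes down to who holds the key-encryption key (KEK). The Go program below is an added example, not from the white paper or any particular cloud provider, of envelope encryption with AES-256-GCM from Go's standard library: each object is encrypted under its own data key (DEK), the DEK is wrapped under a KEK, and a party compelled to disclose everything it holds can recover plaintext only if its own key ring contains that KEK. The object IDs, the sample plaintext and the in-memory key ring standing in for the company's HSM or KMS are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// randomKey returns a fresh 256-bit key, used for both KEKs and DEKs.
func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
// aad is authenticated but not encrypted; it binds the ciphertext to its context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong aad or altered data fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// StoredObject is everything the cloud provider holds for one object: the
// data under a per-object DEK and that DEK wrapped under a KEK. Whoever
// holds the KEK decides who can read the object.
type StoredObject struct {
	ID         string
	Ciphertext []byte
	WrappedDEK []byte
}

// Store performs envelope encryption under the given KEK.
func Store(kek []byte, id string, plaintext []byte) (StoredObject, error) {
	dek := randomKey()
	ct, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := seal(kek, dek, []byte(id)) // aad ties the wrapped DEK to this object
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{ID: id, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Retrieve unwraps the DEK with a candidate KEK and decrypts; it fails unless
// the candidate is the KEK used at Store time.
func Retrieve(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, []byte(obj.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", obj.ID, err)
	}
	return open(dek, obj.Ciphertext, []byte(obj.ID))
}

// CanRead reports whether a party holding the given key ring could produce
// the plaintext, for example a provider compelled to disclose what it holds.
func CanRead(keyring [][]byte, obj StoredObject) bool {
	for _, k := range keyring {
		if _, err := Retrieve(k, obj); err == nil {
			return true
		}
	}
	return false
}

func main() {
	customerKEK := randomKey() // lives in the company's own HSM/KMS (constructed)
	providerKEK := randomKey() // a key the cloud provider operates (constructed)
	secret := []byte("proprietary cement formula v12") // constructed sample data

	customerManaged, _ := Store(customerKEK, "well-42/cement", secret)
	providerManaged, _ := Store(providerKEK, "well-42/cement", secret)
	fmt.Println("provider reads customer-managed object:", CanRead([][]byte{providerKEK}, customerManaged))
	fmt.Println("provider reads provider-managed object:", CanRead([][]byte{providerKEK}, providerManaged))
}
```

Binding the object ID into the GCM associated data means a wrapped DEK copied onto a different object fails to unwrap, so keys cannot be silently re-pointed at other data. An empty key ring never reads anything, which is the section's point about lost ciphertext without the key; the cost of the customer-managed option is exactly that the company now has to run and protect the key store that holds the KEK.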

Security and Availability


of Data (cont'd)

In other words, where the organisation maintains control over Cloud service encryption keys, it not only limits the Cloud service provider's access to the encrypted data, but also can prevent states from bypassing the company to gain access to the data—for example, by compelling the Cloud service provider to disclose the data.

Relying on someone remembering and not writing down a password for an encrypted spreadsheet is better than no encryption at all, but using PKI or other robust automated key management tools is much better and easier to manage at enterprise scale.

There are trade-offs to each approach to key management with Cloud service providers, as is often the case. More control also means more responsibility—such as having to build, maintain and staff a key management infrastructure at the company, if the company elects to control the keys. Organisations should carefully consider the sensitivity of the data being stored or processed at the Cloud service provider, based both on the organisation's proprietary interest in the data and regulatory considerations, in choosing which option best fits the needs of the organisation. It may be possible to adopt different approaches with the same service provider, varying by data type.

A related strategy to storage encryption is to use Virtual Private Networks ("VPNs") and similar communications encryption technologies between office locations or between offices and cloud providers, including cross-border communications. This can prevent easy interception of communications by both unauthorized private parties and state actors. However, because VPNs may interfere with government monitoring of communications, their use may be restricted or even prohibited by law in some places, and local laws should be checked before deploying this type of technology.

Many cloud service providers use communications encryption—most commonly Transport Layer Security ("TLS"), the successor to the now-deprecated Secure Sockets Layer ("SSL")—to encrypt communications between the service provider and its customers; in practice, connections should be configured to require TLS 1.2 or later. In many instances, this communications encryption relies on encryption keys controlled by the service provider.¹⁵ Some service providers also allow for the customer to control the encryption entirely from end-to-end. Again, depending on the sensitivity of the data being transmitted, different approaches may be adopted.

This all said, a developing area of the law worth closely watching is so-called key escrow requirements, where countries look to mandate some form of lawful access, even to encrypted data, and even if that presents significant technical and security concerns. For example, in the United States, law enforcement agencies are increasingly requesting the ability to unlock suspected criminals' mobile phones or gain access to encrypted messaging services. At this time, most countries continue to rely on their power to compel disclosure of data, rather than use key escrow or other means to directly access data, but that may change. In fact, Australia recently passed a data decryption bill.

One final caveat: encryption may not always be unbreakable, especially when the full force of a government is thrown against the encrypted data. Oil and Gas companies should periodically assess the state of their encryption (algorithms, key lengths and, above all, key management) against the state of the art in cryptanalysis.
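The custody choices discussed above (provider-managed versus customer-managed keys, chosen per data type) can be made concrete with envelope encryption. The following is an added example written for this page, not code from the paper or from any cloud provider: each object is encrypted under a fresh data-encryption key (DEK), and a classification policy decides whether that DEK is wrapped by a key-encryption key (KEK) the provider holds or by one the company holds. The classification labels, the policy table and the in-memory KEKs are assumptions for illustration; in production the customer KEK would live in the company's own HSM or key management service and would never be sent to the provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Custodian records who holds the key-encryption key (KEK) that wraps an
// object's data-encryption key (DEK). Hypothetical model for this example.
type Custodian int

const (
	ProviderManaged Custodian = iota // provider holds the KEK and can unwrap the DEK
	CustomerManaged                  // company holds the KEK; provider stores ciphertext only
)

// custodyPolicy maps a data classification to a custodian. Labels are assumed;
// a real policy would come from the organisation's data classification scheme.
var custodyPolicy = map[string]Custodian{
	"public":       ProviderManaged,
	"internal":     ProviderManaged,
	"confidential": CustomerManaged,
	"restricted":   CustomerManaged,
}

// StoredObject is everything the provider keeps at rest. It never holds a
// plaintext DEK, and for customer-managed objects the provider never sees the KEK.
type StoredObject struct {
	Classification string
	Custodian      Custodian
	WrappedDEK     []byte // DEK sealed under the custodian's KEK
	Ciphertext     []byte // data sealed under the DEK
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce. The
// classification is bound as associated data so an object cannot be relabelled.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key or tampered data fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt envelope-encrypts plaintext for upload: a fresh per-object DEK protects
// the data and the policy decides whose KEK wraps that DEK. Unknown
// classifications fail closed rather than defaulting to provider custody.
func Encrypt(classification string, plaintext, customerKEK, providerKEK []byte) (*StoredObject, error) {
	custodian, ok := custodyPolicy[classification]
	if !ok {
		return nil, fmt.Errorf("no custody policy for classification %q", classification)
	}
	kek := providerKEK
	if custodian == CustomerManaged {
		kek = customerKEK
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(classification)
	ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &StoredObject{Classification: classification, Custodian: custodian, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with whatever KEK the requesting party holds. A provider
// (or a state compelling it) that has only providerKEK cannot unwrap a
// customer-managed object.
func Decrypt(obj *StoredObject, kek []byte) ([]byte, error) {
	aad := []byte(obj.Classification)
	dek, err := open(kek, obj.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext, aad)
}

func main() {
	customerKEK := make([]byte, 32) // assumed: generated and held in the company's own HSM/KMS
	providerKEK := make([]byte, 32) // assumed: held in the provider's KMS
	rand.Read(customerKEK)
	rand.Read(providerKEK)
	obj, _ := Encrypt("restricted", []byte("seismic survey block 7"), customerKEK, providerKEK) // constructed sample
	_, err := Decrypt(obj, providerKEK)
	fmt.Println("provider KEK on restricted object:", err)
	pt, _ := Decrypt(obj, customerKEK)
	fmt.Println("customer KEK on restricted object:", string(pt))
}
```

Run it and the provider's KEK fails with an authentication error against the restricted object while the customer's KEK recovers the plaintext: a provider compelled to disclose a customer-managed object can hand over only the wrapped DEK and the ciphertext. Binding the classification as GCM associated data means an object's label cannot be altered at rest without decryption failing, and failing closed on an unknown label avoids silently routing sensitive data into provider custody.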

¹⁵ Technically, there are both long-term keys controlled by the service provider (for example, the private key behind its TLS certificate) and session keys that are generated dynamically for each connection. Access to the provider-controlled keys may allow for interception and compromise of the session keys: directly, where the key exchange lacks forward secrecy, and otherwise by impersonating the provider to its customers.

Conclusion

Ultimately, as important as the free flow and unrestricted aggregation of data is, oil and gas companies increasingly need to balance that need against the reality of data sovereignty laws, which are designed with often opposing goals in mind and potentially with unintended consequences as eclectic pieces of poorly drafted legislation are created using worldwide sources, often out of context, and/or without consultation with industry stakeholders.

The key for oil and gas companies is to develop a risk-based, business-focused, and global regulatory strategy to identify, assess and mitigate the effects of data sovereignty laws.

Companies may choose to lobby against these laws, but they also need to accommodate the reality of them. The key is to develop a risk-based, business-focused, and global regulatory strategy. This strategy needs to incorporate governance reforms, legal and technological solutions, in addition to efforts to highlight the laws' largely deleterious effects and often spurious justifications, if a company is to survive and thrive in this increasingly challenging regulatory environment.

The key for oil and gas companies is to develop a risk-based, business-focused, and global regulatory strategy to identify, assess and mitigate the effects of data sovereignty laws using governance reforms, legal and technological solutions, and potentially constructive dialogues with governments.


Authors

Craig Rogers
Eversheds Sutherland, Partner, London
M: +44 746 491 8422
craigrogers@eversheds-sutherland.com

Craig Rogers is a Partner at Eversheds Sutherland in London. Craig joined Eversheds after 14 years as an "in-house" lawyer at IBM, Oracle and KPMG. He advises clients in the financial services, energy and healthcare sectors on information management and data security strategies, Cloud services, strategic outsourcing, IOT, digital platforms and the technology components of M&A transactions.

Dale Waterman
Microsoft, Senior Corporate Attorney, Dubai
M: +971 50 633 8193
dalewa@microsoft.com

Dale Waterman is the lead lawyer for Industry for the Middle East & Africa (MEA) region in Microsoft's Corporate External and Legal Affairs department. He leads the legal and regulatory strategy across several industry verticals to facilitate the digital transformation of customers. Dale previously served as the MEA headquarters lead, working with senior management in the business community to manage legal and commercial issues. Prior to this Dale led the Microsoft Digital Crimes Unit in the region; a team of lawyers, investigators and technical analysts working to transform the fight against digital crime.

Michael Bahar
Eversheds Sutherland, Partner, Washington
M: +1.202.383.0882
michaelbahar@eversheds-sutherland.com

Michael Bahar Co-Leads the global Cyber security and Data practice for Eversheds Sutherland. Michael, who recently came from the US House Intelligence Committee and, before that, the US National Security Council at the White House, is based in Washington D.C.

Ramon Bosch
Microsoft, Principal, Risk and Compliance, Dubai
M: +971 555 38 10 40
ramon.bosch@microsoft.com

Ramon Bosch is a Principal for Risk and Compliance at Microsoft. Ramon has been helping organizations make better decisions with regards to building, operating and securing digital platforms for over twenty years. He advises Microsoft's customers in highly regulated industries operating in emerging markets on aspects related to the Security and Compliance posture of their digital estate.

Mark Thibodeaux
Eversheds Sutherland, Senior Counsel, Houston
M: +1 281.678.5456
markthibodeaux@eversheds-sutherland.com

Mark Thibodeaux, Deputy Practice Head of the Eversheds Sutherland (US) Cyber security and Data Privacy team, has advised companies for more than 25 years on privacy and data security matters across the country and worldwide. A highly experienced commercial litigator with a deep IT background, Mark has helped companies respond to incidents.


Authors (cont’d)

Nasser Ali Khasawneh
Eversheds Sutherland, Chairman Middle East and Head of TMT, Dubai
M: +971506553198
naeeraalikhasawneh@eversheds-sutherland.com

Nasser Ali Khasawneh is Eversheds Sutherland's Middle East Chairman and Head of the TMT sector group. He has acted for leading regional and international companies in various sectors. Nasser has represented some of the world's largest information technology, media and consumer companies, advising them on various commercial, licensing, IP rights, labour law, and other issues. His practice covers legal issues around data protection, cloud computing, cyber security and other facets of digital transformation.

Simon Crossley
Eversheds Sutherland Partner, Co-Head of Global IP and Healthcare
M: +44 7785 907 0248
simon.crossley@eversheds-sutherland.com

Simon is a partner in our IP and technology practice, with over 20 years' experience of advising on emerging international legal issues driven by technical, digital and scientific developments. Simon worked in-house in a pharmaceutical business early in his career and his first degree was in chemistry/biochemistry. He leads Eversheds Sutherland's Health and Life Sciences sector group and advises life sciences businesses on a range of IP, advertising, compliance, regulatory and commercial matters.

Oguzhan Filizlibay
Microsoft, Enterprise Security Executive, Dubai
M: +971 55 960 2544
Oguzhan.Filizlibay@microsoft.com

Oguzhan Filizlibay has been in the field of systems security since 1997. He joined Microsoft in 2004 and focused on Windows networking, with an emphasis on product security, reliability, security incident response and malware reverse engineering. During this time, Oguzhan has developed several tools for network security, malware detection and removal, and incident analysis. He frequently presents at security events and workshops across Europe and the Middle East. Oguzhan is currently an Enterprise Security Executive in Microsoft's Cybersecurity Solutions Group for the MEA region.

Paula Barrett
Eversheds Sutherland Partner, Co-Lead of Global Cybersecurity and Data Privacy
M: +44 777 575 7958
paula.barrett@eversheds-sutherland.com

Paula is Co-lead of Global Cybersecurity and Privacy Practice and specialises in data protection and cybersecurity as her full time practice area. She is ranked in Chambers and Legal 500 as an expert in this field. Paula's background in technology law makes her well placed to help clients interpret the application of data protection and cyber security laws in the digital environment within emerging technologies and new product development and explore new opportunities. Whether it's AI or other analytical tools, IOT and autonomous vehicles or blockchain and advanced security technology

©2019 Microsoft Corporation. All rights reserved. As far as the law allows, this document is provided “as-is.” Information and views expressed in this document, including
URL and other Internet Web site references, may change without notice. As far as the law allows, you bear the risk of using it. Some examples are for illustration only and are
fictitious. No real association is intended or inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may
copy and use this document for your internal, reference purposes.
