Documente Academic
Documente Profesional
Documente Cultură
Data Sovereignty
Autonomous Internet of
Vehicles Things
Automation/
Big Data / Robotics
Analytics
Blockchain
Cloud
AI/Cognitive
Information Computing
Security
Data Sovereignty—
the Oil and Gas Perspective
Contents
Introduction 03
What Has Changed and What Is to Come? 04
Data Sovereignty Laws - an overview of the challenge 05
Data Sovereignty Laws - an overview of the challenge (cont'd) 06
Implications 07
What can be done? 08
What can be done? (cont'd) 09
Data Classification 10
Data Minimisation and Anonymization 11
Managing Third Parties 12
Standards 13
Security and Availability of Data 14
Security and Availability of Data (cont'd) 15
Conclusion 16
Authors 17
Authors (cont'd) 18
2
Data Sovereignty—
the Oil and Gas Perspective
Introduction
When it comes to data, globalization may no longer be the buzzword in many corporate
boardrooms. Companies are increasingly running up against legal barriers to the free flow
and aggregation of data as countries continue to pass so-called data sovereignty laws.
3
Data Sovereignty—
the Oil and Gas Perspective
4
Data Sovereignty—
the Oil and Gas Perspective
Data sovereignty laws, regulations or policies take many Databases Abroad) Regulations, 5761-2001³, the transfer
forms and impose varying requirements that require oil of data outside of Israel is subject to conditions which
and gas companies to have intricate, multijurisdictional include data subject consent. In addition, the database
regulatory strategies. Many are fairly narrow in scope. owner must secure a written undertaking from the
In Saudi Arabia, the Cloud Computing Regulatory recipient of the transferred data that it will take sufficient
Framework (CCRF) issued by the Communications and precautions to protect the privacy and security
Information Technology Commission (CITC)¹ has been of that data.
regulating cloud services since it entered into force in
March 2018. These regulations impose restrictions on Some data sovereignty laws, however, especially those
transferring information outside Saudi Arabia, requiring enacted post-2013, are more onerous. China and Russia
Cloud Service Providers to ensure that no highly sensitive have perhaps the most notable data locational laws,
(that is data identified as Level 3 and 4) customer content but Europe’s sweeping privacy law, the General Data
be transferred outside the country, permanently or Protection Regulation (“GDPR”) is itself a variant of data
temporarily, unless expressly permitted under Saudi sovereignty law.⁴ Still others, like India’s Personal Data
Arabian law or regulation. Protection Bill⁵(which detail restrictions on data storage
and conditions on overseas data transfers) are still
More recently (October 2018), the Saudi Arabia National working through the legislative process.
Cybersecurity Authority (NCA) introduced a new set of
Essential Cybersecurity Controls² (ECC) which apply Any organization processing card payments, e.g. for
to government organizations, their subsidiaries, semi consumers and forecourt environments, needs to
government, state owned companies and National comply with not only PCI/DSS but also national data
Critical Infrastructure (NCI) entities. These controls sovereignty laws. For example the new regulations from
mandate that any site utilized for hosting and storing the Reserve Bank of India requiring payment companies
an organization’s information must be located to keep transaction data of Indian customers within the
inside the Kingdom. country; or in Turkey the Regulation on Internal Systems
of Banks and Evaluation Process for Efficiency of Internal
Others data sovereignty laws are aimed more broadly Capital, which necessitates that all information systems
at personal data of residents, but have fairly low of banks (which includes primary backups) are
compliance costs. For example, India and South Korea located in Turkey.
generally require consent of the data subject before
personal data can be sent out of the country. An example
is Israel. Under the Privacy Protection (Transfer of Data to
1
Government Agencies’ Guide to Cloud Computing Service issued by the CITC.
2
National Cybersecurity Authority Essential Cybersecurity Controls (ECC – 1 : 2018)
3
www.gov.il/BlobFolder/legalinfo/legislation/en/PrivacyProtectionTransferofDataabroadRegulationsun.pdf
4
Regulation (EU) 2016/679.
5
https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
5
Data Sovereignty—
the Oil and Gas Perspective
The majority of these laws have the effect of requiring In a breaking development just prior to publication⁷ the
companies to keep certain types of data within the European Commission has announced that it is planning
country’s physical borders – or to meet certain criteria to negotiate an EU-wide agreement with the U.S. that
before that data may be moved across those borders. would require service providers on both sides of the
Some laws try to maintain government oversight or Atlantic to supply requested electronic data in criminal
control over data that originated in the country, even cases within 10 days. This would aim to streamline the
after it leaves the country’s borders. Still others are aimed process of pursuing evidence in criminal proceedings. Oil
at giving the government access to data maintained and gas companies will need to work closely with their
outside of its borders, regardless of where it originated, service providers to manage the release of personnel or
although often in conjunction with an international patient data (if requested) under the proposed regime.
agreement between the country seeking the data and
the country where the data is stored. On the date of publication the UK's Crime (Overseas
Production Orders) Act 2019 was passed.⁸ This will give
In 2018, the U.S. took the position that the government UK law enforcement the ability to access electronic data
has the ability to access certain data in the possession stored outside of the UK to support investigations (such
of U.S. companies anywhere in the world. Racing to as organised crime and terrorism). This will be subject to
moot a pending case before the Supreme Court, the U.S. bilateral agreements between the UK and other countries
Congress passed the Clarifying Lawful Overseas Use of (with negotiations currently taking place between the
Data (CLOUD Act) to make clear that U.S. authorities can US and the UK). These bilateral arrangements are all
access certain data extraterritorially, which may include the more important as the UK prepares to leaves the
data stored in the Cloud. It acknowledged the need to European Union in March 2019.
resolve the conflicting compliance burdens multinational
companies face when one country requires data stored
in countries which limit overseas access, but so far no
specific bi-lateral agreements have been reached to
smooth out conflicting compliance burdens.⁶
It remains an open question as to how other nations
will respond to requests from U.S. law enforcement for
requests under the CLOUD Act which are not in their
own national interests.
6
The CLOUD Act specified procedures which allow U.S. law enforcement to gain access to data stored abroad, but it provides
communications and Cloud service providers with a means to challenge those requests when the service provider believes disclosure
or the data would lead to a conflict of laws. A court could quash the warrant or subpoena in the “interests of justice” based on a multi-
factor test that evaluates the consequences of any legal conflict, the strength of law enforcement’s interests, and ties to the U.S. and
foreign locations. The availability of this procedure, however, is limited to addressing conflicts of law with foreign governments that
have entered into CLOUD Act agreements with the U.S. (known as “qualifying foreign governments”).
7
http://europa.eu/rapid/press-release_MEMO-19-863_en.htm
8
www.gov.uk/government/news/crime-overseas-production-orders-bill-receives-royal-assent
6
Data Sovereignty—
the Oil and Gas Perspective
Implications
In passing these laws, countries are primarily looking to Data sovereignty laws also create other inefficiencies, the
fulfil their own specific objectives, including: access to same way other barriers to free trade do. For example,
data for national security or law enforcement purposes, if oil and gas companies are not able to draw upon
the exclusive capture of data’s economic value, and international or regional Cloud hyperscale data-centers,
the use of data to power advances in AI and other duplicative expenditures can result, along with the loss of
revolutionary technologies. In addition, data sovereignty economies of scale for investment, innovation, security
laws tend to support local IT and cloud providers to and resilience. Similarly smaller local vendors may not
the detriment of multinational providers, or to more be able to draw upon the experience of rolling-out
broadly support the local economies (e.g. Vietnam’s solutions in other jurisdictions. Even if data localization
new cybersecurity law requires certain multinational laws result in local cloud databases, those databases are
companies to have a local presence in Vietnam). very unlikely to have the full complement of services or
the massive ongoing investment and updates that
But regardless of their intent, countries are making hyperscale clouds will.
business challenging for oil and gas companies, and the
costs will only mount.
9
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION, Cross-Border Data Flows: Where Are the Barriers, and What Do They
Cost? (May 2017) Available at http://www2.itif.org/2017-cross-border-data-flows.pdf
10
Id.
7
Data Sovereignty—
the Oil and Gas Perspective
At the highest levels, the reality of data sovereignty But there also has been a trend recently for data
laws needs to factor into oil and gas companies’ global sovereignty laws to reach other types of data. Often
strategic decisions. these laws are promoted as protecting vital national
security interests, but they also often have the effect
Before entering a new market, or acquiring a company of protecting or furthering strategic national economic
in a different jurisdiction, businesses need to understand interests. The laws may be designed in a way that makes
the regulatory environment for data, and they factor in it more difficult for international companies to compete
what it would cost and mean to comply, including at with local companies, or they may have the purpose
a very granular level. Something as simple as emailing of giving the government, and therefore perhaps the
a well-site crew list across borders can implicate data companies the government owns or sponsors, access
sovereignty laws. to proprietary, competitive information
and intellectual property.
Most, but not all, countries’ data sovereignty laws are
focused on personal data regarding citizens or residents We set out below some considerations that an oil and
of the country. For many upstream and midstream oil gas company may want to take in to account to address
and gas companies, where international employees and data sovereignty challenges.
contractors are common, that means understanding
and planning for where human resources data is The oil and gas industry, in particular, relies on the
collected, where it is stored and processed, who needs ability to move and share data across borders. Data
access to that data and where they are located, and from seismic companies needs to flow to exploration
the circumstances under which the data may need to companies’ geologists and reservoir engineers. Oil
cross international borders. Downstream companies, field equipment engineering companies need to share
particularly those with retail operations, still have their design specifications and drawings with their customers.
own staff and contractor data to consider, but also need Proprietary drilling mud, fracking fluids, and cement
to consider where and how they process customer formulas may need to pass between well operators,
data and whether international transfers of that data drilling contractors, and vendors. Companies may, for
may be necessary.¹¹ strategic and cost-savings reasons, have centralized
supply hubs where equipment is gathered, assembled
and distributed, and the associated data needs to flow
with the equipment and supplies. Some data sovereignty
laws may try to keep this type of data, or at least a copy
Something as simple as of it, in the country where it was created. Others may try
to take control of the data once it arrives in the country
emailing a well-site crew list from another country. Companies must develop a global
across borders can implicate strategy that takes these data sovereignty
laws into consideration.
data sovereignty laws.
11
Retail customer data often includes payment information, which can implicate non-governmental industry regulations, such as the
Payment Card Industry Data Security Standard (“PCI-DSS”).
8
Data Sovereignty—
the Oil and Gas Perspective
The more nimble the ability to tag and track data, and the
more location of data can be controlled, the better off
a company will be. In addition, the more modular the IT
architecture and governance structures to add on new
systems or bring on new operations in new countries,
the better.
These include:
–– data classification
–– data minimization and anonymization
–– managing third parties
–– data governance and standards
–– ensuring the availability and security of data
9
Data Sovereignty—
the Oil and Gas Perspective
Data Classification
The first step it to know thyself. Data classification can While data classification can be a difficult undertaking, it is
help an organization more readily and efficiently handle a critical element of the strategy. Technologies that use
specific data streams in accordance with specific country machine learning to detect patterns and correlate different
rules. Different types of data will have differing handling pieces of content may be able assist by automating the
requirements. Some types of data, may, by certain laws, process and therefore reducing errors, increasing consistency
have to be kept on premises with access strictly limited. and lightening the load on both users and those in charge of
Other types of data, for example, data collected from data governance.
already public sources, will have no particular security or
privacy requirements.¹² The more advanced an Oil and Once data classification has been implemented, oil and gas
Gas company’s data classification capabilities, the more companies will likely find the vast majority of their data to be
likely it will be to navigate the various data non-sensitive or general access allowed, and such data will
sovereignty laws. not usually face any barriers to storage in the Cloud or to
international access and transfer.
In general, data classification works best when the
number of classification categories is kept to the
minimum necessary to achieve compliance with
corporate and regulatory requirements. Too much
complexity in a classification scheme can make it
Effective data classification
unwieldy to implement and actually discourage its (assisted by data governance
proper use. However, when effectively implemented, a protocols and the effective
classification scheme, which is built into data governance
(discussed below) can help inform decisions about where deployment of technology
data should be collected, created, stored and used; who tools) can help an organization
should have access to the data, and from where; whether
the data can be processed or managed by third-parties or manage complex data streams in
must only be managed by employees; what controls must accordance with applicable laws
be applied to appropriately manage the data; and whether
the benefits of having and processing the data outweigh and regulation.
the costs of doing so.
12
Although, in limited circumstances, some public data may become subject to privacy or security requirements when combined with other non-public data..
10
Data Sovereignty—
the Oil and Gas Perspective
Data Minimisation
and Anonymization
From a data protection perspective, data minimization The potential consequences of non-compliance with the
is its own principle that requires compliance; but it is GDPR include fines of up to 20 million euros or 4% of a
also a helpful strategy when it comes to navigating and company’s worldwide annual turnover, whichever is greater.
minimizing the effects of data sovereignty laws. There are also costs to safeguarding that data, and potentially
Data minimization generally refers to collecting and enormous costs if that data is breached.
processing only the types of data that truly has value to
the company. The leaner your data, and the greater the De-Identification and Anonymization
ability to strip out unnecessary data (including metadata), As many data sovereignty laws appear to be focused on
especially when faced with production orders, the more personal data/personally identifiable information, one solution
likely a company will be to thread the needle between is to consider whether it is possible to navigate the laws by
separate sovereigns. Accordingly, data minimization moving the data outside of a “regulated” area. In other words,
works better the better a company’s data classification if the data sovereignty applies to personal data, a company can
capabilities are. de-identify or anonymize as much of the data as possible.
However, companies need to assess technical and regulatory
sufficiency of de-identification or anonymization. The ability to
reverse engineer or figure out the identity from other sources
The compliance costs, especially needs to be considered.
because of data sovereignty
laws, are increasing, as are the
noncompliance costs.
13
Regulation (EU) 2016/679, Art. 5(1)(c).
11
Data Sovereignty—
the Oil and Gas Perspective
It is not enough to get your own house in order, but After selection, the work is not done. Companies need to
increasingly it is about making sure you understand and manage their third parties to ensure compliance, including
control how third parties store and process your data. A potentially auditing and reviewing records of processing
central tenet of many data sovereignty laws, including activity. Also, companies may want to limit the access third
the GDPR, is that a company cannot contract out of parties have to data unnecessary for their task. Segmentation,
its regulatory obligations—and sometimes contracting compartmentation, access controls and cryptography can be
with third parties can incur additional obligations. For useful tools to limit and mitigate any adverse data sovereignty
example, if a third party is located in a country with strict implications of using a particular third party for a
data sovereignty laws, it may be worth thinking twice particular task.
about using that company.
12
Data Sovereignty—
the Oil and Gas Perspective
Standards
13
Data Sovereignty—
the Oil and Gas Perspective
Data sovereignty laws are often motivated by a desire Finally, as more nations are eager to use covert means
of governments to ensure that certain types of data to get access to data—which could include valuable
are readily accessible within the country.¹⁴ Of course, intellectual property and other company proprietary
companies also have a strong interest in ensuring that data—sound security is critical. Encrypting data, both in
important business data is available for use storage and during transmission, can help.
in the business.
It is increasingly common for companies to use
Unintentional or, perhaps worse, malicious destruction of encryption everywhere to protect data. Whole device
data has long been a threat. Recently, new threats, such encryption is built into many modern operating systems
as ransomware attacks, which make data inaccessible for devices ranging from servers to desktops and laptops
without destroying the data, have emerged or come to tablets and even mobile phones. The benefits of
to prominence. A well-designed (and regularly tested encryption are recognized in many data privacy laws
and updated) business continuity and disaster recovery such that if data is stolen or lost in encrypted form—such
plan is essential to ensure the availability of critical data as an encrypted laptop being accidentally forgotten in
– this applies not only to data which may be targeted the back seat of a taxi—it is not considered to have been
by threat-actors (for example, in the case of WannaCry compromised or “breached” unless the encryption key
Ransomware attacks ) but also in response to natural was also lost or compromised.
disasters (such as the Tōhoku earthquake and tsunami
that hit Japan in 2011). Data sovereignty requirements Robust key management is important to managing
may limit where backup data can be stored. But the encryption at an enterprise level. Relying on someone
backups made for business continuity and disaster remembering and not writing down a password for an
recovery purposes may also be able to serve the dual encrypted spreadsheet is better than no encryption at
purpose of satisfying data sovereignty requirements by all, but using a public key infrastructure or other robust
ensuring that a copy of data is maintained in a country, automated key management tool is much better and
without necessarily requiring the “live” systems to be easier to manage at enterprise scale.
maintained in the country.
For Cloud-based services, encryption key management
takes on another layer of complexity. Encryption is often
a feature of Cloud services to help keep one company’s
The backups made for business data from being accessible by other companies using
the Cloud service. But this encryption can also keep the
continuity and disaster recovery data from nations. The key is to make informed decisions
purposes may also be able to serve about who has the decryption capabilities. For some data
the dual purpose of satisfying it may be appropriate for the Cloud service provider to
manage the keys, but for other data, it might be more
data sovereignty requirements prudent for the company to manage the keys, or even for
by ensuring that a copy of data is the company to maintain complete custody and control
maintained in a country. over encryption keys. It is not a matter of trust, but of
limiting potential access by states, which often turns on
where the data will physically reside.
14
For example, Belgian tax laws require that tax-related data be accessible on demand at company facilities where the tax submissions are prepared.
14
Data Sovereignty—
the Oil and Gas Perspective
In other words, where the organisation maintains control A related strategy to storage encryption is to use Virtual Private
over Cloud service encryption keys, it not only limits the Networks (“VPNs”) and similar communications encryption
Cloud service provider’s access to the encrypted data, technologies between office locations or between offices
but also can prevent states from bypassing the company and cloud providers, including cross-border communications.
to gain access to the data—for example, by compelling This can prevent easy interception of communications by
the Cloud service provider to disclose the data. both unauthorized private parties and state actors. However,
because VPNs may interfere with government monitoring
of communications, their use may be restricted or even
prohibited by law in some places, and local laws should be
checked before deploying this type of technology.
Relying on someone remembering
and not writing down a password Many cloud service providers use communications
for an encrypted spreadsheet encryption—most commonly Secure Sockets Layer (“SSL”) or
Transport Layer Security (“TLS”)—to encrypt communications
is better than no encryption at between the service provider and its customers. In many
all, but using PKI or other robust instances, this communications encryption relies on
encryption keys controlled by the service provider.¹⁵ Some
automated key management service providers also allow for the customer to control the
tools is much better and easier to encryption entirely from end-to-end. Again, depending on the
sensitivity of the data being transmitted, different approaches
manage at enterprise scale. may be adopted.
15
Technically, there are both keys controlled by the service provider and keys that are generated dynamically during communications,
but access to the keys controlled by the service provider may allow for interception and compromise of the other keys.
15
Data Sovereignty—
the Oil and Gas Perspective
Conclusion
16
Data Sovereignty—
the Oil and Gas Perspective
Authors
Craig Rogers is a Partner at Eversheds Sutherland in Dale Waterman is the lead lawyer for Industry for the Middle
London. Craig joined Eversheds after 14 years as an “in- East & Africa (MEA) region in Microsoft’s Corporate External
house” lawyer at IBM, Oracle and KPMG. He advises clients and Legal Affairs department. He leads the legal and regulatory
in the financial services, energy and healthcare sectors on strategy across several industry verticals to facilitate the digital
information management and data security strategies, Cloud transformation of customers. Dale previously served as the
services, strategic outsourcing, IOT, digital platforms and the MEA headquarters lead, working with senior management in
technology components of M&A transactions. the business community to manage legal and commercial
issues. Prior to this Dale led the Microsoft Digital Crimes Unit
in the region; a team of lawyers, investigators and technical
analysts working to transform the fight against digital crime.
Michael Bahar Co-Leads the global Cyber security and Data Ramon Bosch is a Principal for Risk and Compliance at
practice for Eversheds Sutherland. Michael, who recently Microsoft. Ramon has been helping organizations make better
came from the US House Intelligence Committee and, before decisions with regards to building, operating and securing
that, the US National Security Council at the White House, is digital platforms for over twenty years. He advises Microsoft’s
based in Washington D.C. customers in highly regulated industries operating in emerging
markets on aspects related to the Security and Compliance
posture of their digital estate.
Mark Thibodeaux
Eversheds Sutherland, Senior Counsel, Houston
M: +1 281.678.5456
markthibodeaux@eversheds-sutherland.com
17
Data Sovereignty—
the Oil and Gas Perspective
Authors (cont’d)
18
Data Sovereignty—
the Oil and Gas Perspective
Notes
19
©2019 Microsoft Corporation. All rights reserved. As far as the law allows, this document is provided “as-is.” Information and views expressed in this document, including
URL and other Internet Web site references, may change without notice. As far as the law allows, you bear the risk of using it. Some examples are for illustration only and are
fictitious. No real association is intended or inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may
copy and use this document for your internal, reference purposes.