Global hybrid cloud infrastructures make it all the harder to protect data. Organizations are looking to AI-based approaches that give them insights to support data sovereignty.
Technology organizations with global reach face a unique challenge when it comes to their data: Making use of it without running afoul of the complex web of data privacy laws. Between the CLOUD Act, GDPR, and developments within the EU to build a federated, multi-cloud environment for its citizens called GAIA-X, the bar for protecting user privacy has never been higher.
These laws are built on the idea of data sovereignty, which dictates that data is subject to the laws and regulations of the nation or jurisdiction where it’s collected. If you collect data from those living within the US, they’re not subject to laws created by the EU, and vice versa. But considering that each nation has different—and oftentimes competing—ideas for what “privacy” and “security” mean, there’s no single data storage configuration that just works for all jurisdictions.
For example, under the GDPR, organizations can only disclose personal data for legal requests made under EU law. If a US organization was storing US and EU user data in the same public cloud infrastructure, and the US government subpoenaed them for the data for an EU user, they’re suddenly stuck between a rock and a hard place. Do they hand over the data and annoy EU regulators? Or do they refuse to comply with the US order to stay on the Europeans’ good side?
And unfortunately, the answer for these organizations isn’t just to transfer user data into another location where they can’t be “touched”—that would violate the data localization policies included in most of these laws.
Their viable choices are limited. They can stick with the public cloud and attempt to leverage the plethora of geographical locations for their data centers to meet sovereignty laws. They might be able to encrypt user data in a way that doesn’t make it susceptible to another nation’s prying eyes.
They can also just adopt the strictest data protection requirements globally, but that’s easier said than done.
Another viable option today is to work with a regional storage provider in each jurisdiction to deploy multiple on-premises private cloud storage systems. The data from each nation’s customers stays within that nation, but it’s still part of your global hybrid cloud infrastructure. Again, it’s possible, but not without an enormous headache for IT.
Artificial intelligence on the edge, often referred to as edge AI, could be a new solution to data sovereignty—powerful enough to run the analysis that large organizations require and contained enough to satisfy even the pickiest of regulators in Brussels.
How might it work?
- An organization starts with its existing cloud infrastructure, which is low-cost, scalable, and fault-tolerant—but not immediately in compliance with various data sovereignty laws.
- It deploys edge computing devices with adequate computing power, energy efficiency, and internet connectivity to perform basic AI workloads.
- It develops a machine learning (ML) algorithm for their edge computing use case in the cloud, leveraging cheap storage and nearly-infinite utilization.
- The organization deploys developed ML models to their newly-deployed edge devices.
- Edge devices analyze incoming streaming data from customers and respond based on the stored ML model.
- Before transferring it back to the primary cloud infrastructure, edge devices also process the data, anonymizing or encrypting any sensitive information.
In theory, edge AI offers the best of all worlds, empowering organizations to respond to customers quickly while still adhering to the local laws. And unlike large on-premises private storage, there’s far less infrastructure to maintain and manage—or break. Edge devices are also highly available, with active internet connectivity not a requirement.
The ability to scrub data before it is stored centrally, where it can then be used to improve the existing ML models, also provides the right benefits without putting the organization at risk of the CLOUD Act, GDPR, and dozens of other rules.
Let’s use a highly personal example to highlight the benefits: wearable health tracking devices, like those from Apple, Fitbit, and Whoop. These devices collect a plethora of data—locations, heart rate, overall stress, activity history, heart health, sleep habits, and more. Maybe this information isn’t personally identifiable the same way an address, phone number, and birthday might be, but it’s still subject to data sovereignty laws.
Some of these devices are capable of simple on-device analysis, but they presumably send additional data beyond the device for further analysis. If the organization selling these devices employs an edge AI network across each nation where their customers live, they’re able to run AI workloads on stress data, for example, without having to centralize and store the data at all.
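The scrub-before-transfer step from the procedure above, applied to the wearable stress data, as an added example that is not part of the original article. The record field names, the per-region key, and the choice of HMAC-SHA256 for pseudonymization are assumptions of this sketch.

```python
import hashlib
import hmac

# Assumption: a secret provisioned to edge devices in one region only.
REGION_KEY = b"constructed-demo-key-eu"  # constructed value, not a real key

# Constructed sample: raw readings from one wearable, as seen by the edge device.
SAMPLE = [
    {"user_id": "u-1001", "email": "a@example.com", "ts": "2024-05-01T08:00:00Z",
     "lat": 52.5200, "lon": 13.4050, "heart_rate": 62, "stress": 20},
    {"user_id": "u-1001", "email": "a@example.com", "ts": "2024-05-01T08:05:00Z",
     "lat": 52.5201, "lon": 13.4049, "heart_rate": 71, "stress": 35},
    {"user_id": "u-1001", "email": "a@example.com", "ts": "2024-05-01T08:10:00Z",
     "lat": 52.5203, "lon": 13.4047, "heart_rate": 80, "stress": 50},
]


def pseudonymize(user_id: str, key: bytes) -> str:
    """Keyed hash: stable inside a region, not reversible without the key."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:32]


def scrub_window(records: list[dict], region: str, key: bytes) -> dict:
    """Reduce one user's one-day window to the record sent to the central cloud.

    The output is built from an allowlist of derived fields, so identifiers
    and coordinates are never copied, even if new raw fields appear later.
    """
    if not records:
        raise ValueError("empty window")
    users = {r["user_id"] for r in records}
    if len(users) != 1:
        raise ValueError("window must contain exactly one user")
    heart_rates = [r["heart_rate"] for r in records]
    return {
        "subject": pseudonymize(users.pop(), key),
        "region": region,
        "day": records[0]["ts"][:10],  # date only, time of day dropped
        "hr_mean": round(sum(heart_rates) / len(heart_rates), 1),
        "stress_max": max(r["stress"] for r in records),
        "samples": len(records),
    }


if __name__ == "__main__":
    print(scrub_window(SAMPLE, "eu", REGION_KEY))
```

A keyed hash is pseudonymization, not anonymization: whoever holds the regional key can re-link the records, so the key has to stay inside the jurisdiction along with the raw data.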
Customers get the experience they’re paying for, data stays where it belongs, and organizations stay off regulators’ radar—a win for everyone.