The collection limitation principle and considerations around data location and jurisdiction play a critical role in this process.
Collection Limitation Principle
The collection limitation principle states that there should be limits on the collection of personal data. Any such data must be:
- Obtained through lawful and fair means
- Collected with the knowledge or consent of the data subject, where appropriate
- Limited to what is relevant and necessary
Adhering to this principle is not only essential for compliance with privacy regulations but also serves as an important risk management practice. Retaining personally identifiable information (PII) inherently introduces risk, including:
- Risk of data loss (e.g., breaches or accidental disclosure)
- Risk of misuse or unauthorized processing
Minimizing data collection reduces the organization’s exposure to these risks.
Data Collection in the Data Lifecycle
Data collection represents the first phase of the data lifecycle and includes:
- Creating new data
- Acquiring data from external sources
- Updating or modifying existing data
During this phase, organizations must:
- Ensure that personal data is relevant and necessary
- Specify the purpose of data collection at the time it occurs
- Restrict the use of collected data strictly to its defined purpose
Additionally, it is critical to:
- Assign data ownership early in the lifecycle
- Classify data based on sensitivity and criticality
- Implement appropriate security controls from the outset
Once data is collected and classified, controls must remain in place throughout the lifecycle to maintain the required level of protection.
Data Residency, Sovereignty, and Localization
The transfer and storage of data across national borders introduce complex legal and regulatory challenges. Three key concepts must be clearly understood:
Data Residency
Data residency refers to the geographical location where data is stored. Organizations may choose specific locations for:
- Regulatory compliance
- Tax considerations
- Organizational policies
Data Sovereignty
Data sovereignty means that data stored in a particular country is subject to the laws of that country. This becomes particularly relevant when:
- Data is stored in a country different from where the organization operates
- Governments assert jurisdiction over data within their borders
Although often used interchangeably, data residency and sovereignty are distinct:
- Residency concerns _where data is stored_
- Sovereignty concerns _which laws apply to that data_
Data Localization
Data localization refers to laws that require data to be stored and/or processed within the country where it originates.
Examples of data localization requirements include:
- Mandating that a copy of data be stored locally
- Restricting cross-border data transfers
For example, Russian data localization laws require that personal data of Russian citizens be stored within Russia’s borders, often to enable government oversight and auditing.
While data residency describes where an organization chooses to store its data, data localization is a legal requirement that the data be stored in a particular jurisdiction. Organizations comply with localization laws by ensuring data residency within the required jurisdiction.
Cross-Border Data Access and the CLOUD Act
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a United States federal law enacted in March 2018. It allows U.S. law enforcement agencies to compel U.S.-based technology companies to provide access to data, regardless of whether that data is stored within the United States or in a foreign country.
Key aspects include:
- Applies via subpoenas or warrants
- Enables transborder access to data
- Originated from the United States v. Microsoft case (2013), in which Microsoft refused to provide data stored in Ireland
The CLOUD Act:
- Does not override or invalidate foreign laws
- Provides mechanisms for companies to challenge requests that conflict with foreign privacy regulations
However, it may create legal conflicts, particularly with regulations such as the General Data Protection Regulation (GDPR) in the European Union. For example, a conflict may arise if a U.S. request under the CLOUD Act involves data belonging to an EU resident protected under GDPR.
Conclusion
Data collection and governance must be carefully managed from the earliest stage of the data lifecycle. By applying the collection limitation principle, organizations can reduce risk and ensure compliance with privacy laws. Furthermore, understanding the distinctions between data residency, sovereignty, and localization is essential for managing cross-border data flows. Laws such as the CLOUD Act add further complexity, requiring organizations to navigate potential legal conflicts while maintaining compliance across multiple jurisdictions.
A well-defined approach to data collection and location ensures that organizations can protect sensitive information while operating effectively in a global environment.