Forced data localisation, which can be summed up as the concept of having IT businesses store their data in the country they operate in rather than on servers anywhere, has seen a surge of attention in the aftermath of Edward Snowden’s revelations of mass surveillance. Governments around the world have proposed bills and policies that attempt to create “national” internets. Lawmakers usually argue that such measures will ensure the data’s safety and boost the economy due to the required expansion of local IT infrastructure. This post will unpack some of the misconceptions and explore the impact of forced data localisation measures on fundamental rights and civil liberties.
A tool to target dissidents
Through the adoption of forced data localisation laws, a government can increase control over its residents’ online activities, raising the possibility of abuse and putting at risk citizens’ right to privacy and freedom of expression. Russia, for example, which already has one of the most pervasive surveillance programs in the world (the System for Operative Investigative Activities aka SORM), has recently approved a draft law on forced data localisation. If the Russian government is actually able to force service providers such as social media companies to store data locally, civil rights organizations, opposition members, investigative journalists, LGBT rights activists, and other groups at risk, will face an even more severe crackdown as sensitive, personally identifying information about them is exposed to the Russian government.
Some countries have already succeeded in adopting forced data localisation laws. This is the case in Vietnam, for example, where a combined censorship/forced data localisation law was introduced in September 2013. This law has made it mandatory for every online service provider to keep a copy of virtually all Vietnamese data on a local server, so national authorities can access it if needed. A few months later, in January 2014, the Indonesian government proposed a draft regulation going one step further; if adopted, this new law would mandate all data carriers including foreign banks operating in Indonesia to establish local data centres. The adoption of such laws in these two particular countries is especially worrisome given the high number of human rights violations already happening there.
Forced data localisation also means forced jurisdiction. If providers need to locate servers in a country, they also need to give up the legal protections they and their users have under other jurisdictions. The right to privacy, freedom of expression, and many more rights are at risk here. For instance, a European citizen’s fundamental right to data protection might not be ensured if some of his or her data is stored locally under a jurisdiction outside of the EU.
While one jurisdiction should not automatically trump another, in some contexts, forced data localisation can severely curtail access to information. For instance, in the recently adopted Marco Civil, Brazil removed the highly criticised requirement on forced data center localisation and included instead a provision asserting Brazilian jurisdiction over data and services offered in Brazil. Considering that Brazil lacks of a comprehensive data protection framework and has an expansive defamation law that doesn’t recognize truth as a defence against defamation, this forced jurisdiction requirement puts fundamental rights at risk. However, it remains to be seen how and whether US tech giants will comply with the new law.
Keeping our data safe?
The increasing number of legislative proposals for forced data localisation laws shows that countries are moving away from silent resistance to U.S. companies’ control of traffic flows. However, both U.S. data flow agreements and forced data localisation laws fail to ensure citizens’ fundamental rights.
In the past, proposals on forced data localisation put forward were abandoned for endangering fundamental rights. For instance, back in 2011, the EU proposed “a virtual Schengen border” to create a single secure European cyberspace and block “illicit” web material at the borders. At that time, the proposal was heavily criticised and later rejected due to its severe interference with freedom of expression. Pointing to the Snowden revelations of mass surveillance, several countries are pushing for the implementation of forced data localisation laws to ostensibly ensure data security and the privacy of their citizens. However, many governments stated concern for privacy can be used as a convenient excuse for a state to extend control over people’s personal information and adopt legislation that was previously rejected.
As for actual data “security,” storing bits and bytes locally doesn’t put them out of harm’s way. If the revelations have made one thing clear, it’s that intelligence agencies like NSA or GCHQ can target you virtually anywhere in the world. More specifically, the internet is a shared global resource, and communications today are inherently global in nature. Even if a user’s email account was stored only within the borders of a given country, the second that user emails someone in a different country, their information will almost assuredly traverse international fibre optic cables that the Snowden revelations have revealed are being tapped by the NSA, GCHQ, and other intelligence agencies.
Furthermore, forced data localisation cannot prevent black hat hackers from tampering with data or IT infrastructure which has been demonstrated by the attacks on the servers of American retailer Target (where some of the code was written in Russian) and other cybercrime.
Finally, local storage does not automatically mean safe storage in terms of data integrity. The loss of local, unmirrored data, e.g. due to a natural disaster, may be a permanent loss.
A boost for the economy?
Governments have argued that the creation of local data centres will have a positive impact on the national economy as it will lead to greater investment in the IT infrastructure. However, the creation of local data centres is not just expensive in the sense that they need to be built physically, but also computationally complicated. Essentially it requires significant changes in technical architecture. Right now, most companies keep multiple copies of user data across multiple data centres allowing for load balancing and the most efficient delivery of content. A key factor of the internet’s success is that internet traffic flows through the most efficient route possible. Forcing traffic to go through a specific country will slow internet speeds and lead to fragmentation of the internet.
Forced data localisation is also likely to deter foreign investment, especially in developing countries and could force cloud companies to change their business model. By creating barriers, forced data localisation could make companies’ operations incredibly difficult and expensive and could quickly lead to a denial or suspension of services. The economic impact would also be particularly severe on small and medium enterprises due to their lack of resources to adapt to the regulatory changes, thus undermining their development and potential for growth.
Finally, forced data centre localisation would harm innovation by increasing costs and barriers to entry for start-ups. Particularly for jurisdictions that only have forced data centre localisation for companies of a certain size, this would further deter small and medium enterprises from growing beyond the point where they would be subject to this kind of legislation.
More forced data localisation measures to come?
Despite those risks, more data localisation projects are in the making, for instance in Western Europe. While the Government in Paris likes to invest in a “cloud souverain,” German Chancellor Angela Merkel has recently encouraged the idea of creating a European Internet cut off from Transatlantic connections — a project oddly similar to the 2011 virtual Schengen border.
Neither ensuring security nor privacy, the adoption of forced data localisation measures could have a corrosive effect on human rights and the open, global nature of the internet. While many states have a knee-jerk desire to bring their citizens’ data within their borders, a better way to protect users is this: Adopt high standards for privacy and data protection, speak out against surveillance operations that undermine the integrity of fibre optic cable systems, and advocate for rights-respecting surveillance policies and practices in line with the International Principles on the Application of Human Rights to Communications Surveillance.