Ever since the Edward Snowden revelations began, countries outraged by U.S. intelligence practices have been batting around the idea of forcing countries to store data on their citizens within those countries’ borders. So-called data-localization laws have been discussed in Brazil and Germany and elsewhere, and they very much frighten U.S. technology companies, who worry that they threaten a Balkanization of the internet. They have not, however, been the subject of rigorous study.
In the latest installment of the Lawfare Research Paper Series, Jonah Force Hill—a technology and international affairs consultant—takes a look at data localization laws. The paper, entitled “The Growth of Data Localization Post-Snowden: Analysis and Recommendations for U.S. Policymakers and Industry Leaders,” opens as follows:
Over the course of recent decades, and principally since the commercialization of the Internet in the early 1990s, governments around the world have struggled to address the wide range of logistical, privacy, and security challenges presented by the rapid growth and diversification of digital data. The mounting online theft of intellectual property, the growth of sophisticated malware, and the challenges involved in regulating the flow, storage, and analysis of data have all—to varying degrees—increasingly challenged governments’ ability to respond with effective policy.
Until recently, these data management issues were left to the men and women of computer science departments, advocates for technology companies, and to the few government attorneys and bureaucrats responsible for overseeing Internet and data regulation. In the wake of former NSA contractor Edward Snowden’s disclosures, however, which revealed to the global public the scale and intensity of intelligence collection online, data security and privacy issues have now become front-page headlines and the topics of dinner-table conversation the world over. As a result, governments are increasingly feeling compelled to do something they see as meaningful—if not outright drastic—to protect their citizens and their businesses from the many challenges they perceive to be threatening their nation’s data and privacy.
Of the various responses under consideration, perhaps none has been more controversial—or more deeply troubling to American businesses—than the push to enact laws that force the “localization” of data and the infrastructure that supports it. These are laws that limit the storage, movement, and/or processing of data to specific geographies and jurisdictions, or that limit the companies that can manage data based upon the company’s nation of incorporation or principal situs of operations and management. By keeping data stored within national jurisdictions, or by prohibiting data from traveling through the territory or infrastructure of “untrustworthy” nations or those nations’ technology companies, the argument goes, data will be better protected, and surveillance of the kind orchestrated by the NSA curtailed.
Today, more than a dozen countries, both developed and developing, have introduced or are actively contemplating introducing data localization laws. The laws, restrictions, and policies under consideration are diverse in their strategies and effects. Some proposals would enforce limitations for data storage, data transfer, and data processing; others require the local purchasing of ICT equipment for government and private sector procurements. There are proposals for mandatory local ownership of data storage equipment, limitations on foreign online retailers, and forced local hiring.
Proposals of this sort are not historically unprecedented. Indeed, forms of data localization policies have been actively in place in many countries for years, including in the United States, where sensitive government data, such as certain classified materials, must be maintained within the servers of domestic companies. Broader localization rules, which apply to all citizen data, have tended to be pursued by authoritarian governments such as Russia, China, and Iran, for which data localization laws have been viewed as an effective means to control information and to monitor the activities of their citizens. Post-Snowden, however, even democratic countries are now seriously considering these more expansive data localization measures. Most notably, Brazil, Germany, and India—countries that have witnessed some of the most virulent anti-NSA reactions—are now contemplating enacting significant data localization laws. The EU is also contemplating localization within its area of authority.
This is a deeply troubling development—not just for the technology firms of the United States who stand to lose customers and contracts as a result of these policies, but also for all the nations, firms, and individual Internet users who rely on the Web for economic trade and development, communications, and civic organizing. Not only do data localization policies fail to achieve their stated goals, they introduce a host of unintended consequences. By restricting data flows and competition between firms, localization will likely bring up costs for Internet users and businesses, may retard technological innovation and the Internet’s “generativity,” may reduce the ability of firms to aggregate services and data analytics through cloud services, and will surely curb freedom of expression and transparency globally. Ironically, data localization policies will likely degrade—rather than improve—data security for the countries considering them, making surveillance, protection from which is the ostensible reason for localization, easier for domestic governments (and perhaps even for foreign powers) to achieve. Restricted routing, often a core component of data localization rules, may be technically infeasible without initiating a significant overhaul of the Internet’s core architecture and governance systems, which itself would have significant negative effects. And perhaps most worrying, data localization policies—if implemented on a wide international scale—could have the effect of profoundly fragmenting the Internet, turning back the clock on the integration of global communication and ecommerce, and putting into jeopardy the myriad of societal benefits that Internet integration has engendered.
Unquestionably, online espionage, citizen privacy, government overreach, and the protection of fundamental rights are legitimate concerns of states and deserving of appropriate policy responses. Advances in surveillance technologies and offensive cyber capabilities have plainly outpaced the legal, normative, and diplomatic mechanisms needed to protect digital data. For government officials hoping to take meaningful action in response, data localization looks to be a convenient and simple solution. But a close examination reveals that it is not a viable remedy to any of the privacy, security, or surveillance problems governments hope to address. This paper discusses these points and seeks to expose the often dubious and pretextual motivations behind the new push for data localization, to explain how such measures are profoundly imprudent and often self-defeating, and to offer United States businesses and the United States government a few key recommendations for how to counter this problematic trend.