Data Localization and the Limits of “Everything from Everywhere”
Monday, February 22, 2021

The internet broke barriers.  Some countries are fighting to reverse this trend and erect digital barriers on the internet.  Most of those countries are authoritarian regimes who insist on controlling information flows to their people. Some are governments trying to protect their people from the dangerous world outside their borders. In all cases, these barriers hurt U.S. businesses.

Erecting barriers on the internet is called data localization. The movement to localize some or all of internet data has grown over the past five years as countries introduce new laws restricting data flows, and others try to boost local businesses by placing burdens on international competition. Freedom on the Net surveys from Freedom House show fifty countries in the categories of ‘not free’ or ‘partly free’ by 2018, with only 15 countries listed in the category of ‘free.’ Some of this lack of freedom represents data localization requirements by governments.

Authoritarian governments use both formal and informal means of data localization to control what information their people can see and what data is being produced by their people. The formal rules are easy to catalogue. In 2013, Nigeria instated the Guidelines for Nigerian Content Development in Information and Communications Technology, which required Nigerian data to be processed in-country.  Since 2016, Russia’s Federal Law Number 242-FZ has required that all databases containing personal data of Russian citizens be located in Russia. Since 2011, China, through a series of laws, requires that “important data” concerning “critical information infrastructure” be held within China, and these laws have been interpreted broadly to relate to all major aspects of a Chinese resident’s everyday life.

But many countries – especially those with little pretense of a society based in law and not the whims of the leaders or ruling party – don’t bother with restrictive laws to implement data localization. They simply use technological, structural, surveillance or policing efforts to shut dissent and foreign ideas from their populations. U.S. companies have fought for years to bypass the “Great Firewall” of China, which required companies like Facebook and Google to limit information to Chinese people and to provide surveillance to Chinese police. As reported by the Guardian, “Under [current president] Xi [Jinping], the government has also developed new technology that has enabled it to exert far greater control over the internet. . . In spring 2015, Beijing launched the Great Cannon. Unlike the Great Firewall, which has the capacity to block traffic as it enters or exits China, the Great Cannon is able to adjust and replace content as it travels around the internet. . . But perhaps Xi’s most noticeable gambit has been to constrain the nature of the content available online. In August 2013, the government issued a new set of regulations known as the ’seven baselines’. The reaction by Chinese internet companies was immediate.” The Government uses Chinese internet service providers to shut down accounts that Xi’s government would find problematic. China’s 2017 Cybersecurity Law does allow critical infrastructure operators and network operators to export “important data” if the operators are able to pass a deep and stringent government “security assessment.” 

North Korea requires government authorization for any of its people to simply own a computer, and all computers are registered with the police like guns. The country allows a small web of officially sanctioned internet connections, and only a small core of elites has access to the real internet, and then only on a limited basis. Iran runs a program of censorship over the internet managed by the General Staff of the Armed Forces and the Supreme Council of Cyberspace, both controlled by the Supreme Leader. In 2012, the Supreme Leader initiated a national internet that could be better controlled by the government. Other countries with similar internet restrictions and digital surveillance regimes for their own citizens include Belarus, Cuba, Ethiopia, Indonesia, and Egypt.

Some countries like India and Pakistan endorse a watered-down version of data localization in their current and proposed laws. The lower house of India’s bicameral Parliament, Lok Sabha, introduced the Personal Data Protection Bill of 2019 (PDPB). This law reduces the required data localization in previous versions of the law, likely due to pressure from more open internet-friendly societies like the U.S. and Europe. On April 9, 2020, Pakistan’s Ministry of Information Technology and Telecommunication released its fourth draft of the Personal Data Protection Bill 2020 (“PDPB”), which requires localization of certain data. The PDPB establishes a personal data protection authority, which will be responsible for determining which data may be allowed to leave Pakistan and to which countries it may transit.

But data localization is rapidly extending beyond the community of authoritarian rulers. Australia, British Columbia, Nova Scotia and India also have laws that restrict data exportation within certain sectors, such as healthcare. In these cases, the governments are concerned with sensitive information of their citizens falling into the hands of other governments and potentially dangerous private actors.  The best way to protect sensitive resident data, for these governments, is to maintain localized control of the information. The existence of these restrictions means that American cloud companies like Amazon Web Services, Salesforce.com and countless smaller entities must consider building infrastructure in places like Nova Scotia or risk either forgoing business from this province or violating the law. 

Of great concern to American business is the recent movement of the European Union toward localizing its data. The EU uses data restrictions to support its high standards of personal privacy protection for its residents. The controls on personal data sent to a country outside of the European Economic Area are meant to make sure that individuals have the same level of protection and rights over their personal data as if that personal data had remained in the EEA. Data protection and privacy was written into the EU Charter in the 1980s and is now regulated in the EU by the landmark General Data Protection Regulation (GDPR) law. The EU limits the transfer of data outside the borders of the EU and the European Economic Area. Article 45 of the GDPR allows the transfer of personal data from the EU to a third country when the third country ensures an “adequate level of protection.” In determining “adequacy,” the GDPR provides specific factors to consider including the country’s respect for human rights, the effectiveness of its data protection authority, and its pre-existing obligations to other countries. 

Adequacy decisions are subject to periodic review (minimally, every four years) and require ongoing monitoring. The European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection. Countries that have not received a blanket adequacy ruling may rely on several more transaction-specific methods, like EU government approved standard contract clauses, intra-company transfers, binding corporate rules or specific permission of data subjects.

Given the enormous amount of trade between the U.S. and EU, effective EU data localization could lead to significant impediments to internet, cloud and software-as-a-service companies. The EU has negotiated, and then abrogated two different adequacy safe-harbor systems with the U.S.  The last one was called the Privacy Shield, which was struck down as a means of transferring data from the EU to the U.S. by the European Court of Justice last summer.  

But recently, the push toward EU data localization has grown more urgent. The UK is exiting the EU without having reached an adequacy decision, creating new risks for companies transferring data from the EU to the UK. EU internal market commissioner Thierry Breton claims he wants to make Europe “the most data-empowered continent in the world” in part by cutting its data off from the rest of the world. Breton has said EU rules need to state “European highly sensitive data should be able to be stored and processed in the EU.” Breton told a French newspaper that the EU should use privacy regulation as a weapon against U.S. tech companies, requiring data to be physically stored and processed in Europe.  He called an open internet “naïve.”

In this interview Breton said, “We must go further and demand that European data be stored and processed in Europe, in accordance with procedures that Europe will have set. In other words: it is necessary to structure the information space, as we have organized in the past the territorial space, the maritime space, and the air space. The GAFA [Google, Amazon, Facebook, and Apple] tried to make digital a “no man’s land” whose law they would write. It’s over. It is time to relocate this information space by opting for processing our data on European soil.” So he has re-characterized an open internet – which has been an aspiration for democracies and free societies around the world – as a digital no man’s land that must be divided into protectionist chunks.

Breton, France’s former Finance Minister, wants laws to help European businesses resist subpoenas from the U.S. and elsewhere. According to TechCrunch, his governance proposals “will include a shielding provision — meaning data actors will be required to take steps to avoid having to comply with what he called ‘abusive and unlawful’ data access requests for data held in Europe from third countries.” According to Politico, “leaked documents outlining Europe’s grand digital strategy include talk about fostering an environment that will ‘lead to more data being stored and processed in the EU,’ as well as an ‘assertive approach to international data flows.’ Not only would [EU data localization] undermine the EU’s own insistence on free data flows in negotiations with trade partners, it would also put the bloc in a league with authoritarian regimes in Russia and China, which use localization rules to clamp down on the circulation of information — splintering the notional worldwide web into country-sized shards.”

To this end, the EU in recent months proposed new rules on data governance to benefit EU companies. The new rules create nine “data spaces” including industry, energy, and health care. The official press release from the EU makes clear that the EU plans to use these rules to cripple American tech companies by forcing EU data into government-operated data pools to benefit European businesses. 

The recent Schrems II decision from the European Court of Justice eliminated the U.S./EU Privacy Shield that encouraged and allowed data to flow from the EU to the U.S. This decision placed into question whether any of the current agreed methods of data protection and transfer would allow information to be moved from the EU to the U.S.

Citing Schrems II, the Data Commissioner in Berlin suggests that local companies storing personal data in the U.S. immediately transfer the data to Europe and stop sending EU personal data to the U.S. under current U.S. law. The Hamburg data authority welcomed Schrems II’s castigation of the U.S. and wrote that the EU-drafted Standard Contract Terms under which many businesses transfer data across the Atlantic are as unsuitable as the Privacy Shield. The Dutch privacy authority states that the clauses were ruled valid, but also notes they are only valid in places that adequately protect data under EU standards and the U.S. is not such a place. Even Ireland, where many U.S. tech companies are headquartered or have a significant corporate presence, saw its data protection commissioner question whether the Standard Contract Terms or other transfer mechanisms were still available for transfers to the U.S. OneTrust publishes a chart of EU Data Protection Authority reactions to Schrems II, complete with links, as does the IAPP.

Many of the various data protection authorities wrote in a more business-friendly and conciliatory tone, including the UK, which at the time stood in a legal data limbo regarding EU policy after Brexit. But the logic of Schrems II is unavoidable: The U.S. government is willing and able to access private data, so EU data should not be placed within the U.S. government’s reach. Under this logic, there could be nothing that a U.S. company could do to adequately protect personal data collected in the EU because that data will always be subject to U.S. government intrusion.

For any business wanting to avail itself of the EU marketplace, data localization will be like another tax – there may be specific data-focused taxes as well. But this will be an extra set of costs in organizing technology infrastructure and meeting new regulations that will drain profitability from any such venture. In addition, EU Commissioner Breton has pushed forward a plan for companies collecting information in the EU to share with the European governments and with competitors. The EU rules already stand for the proposition that the data you collect on your own transactions does not belong to you, and may soon stand for the proposition that your valuable business data should be shared with people who want to hurt your company.

Importantly, if the EU moves toward data localization, other countries and regions would be empowered to do the same. The U.S. and the EU have been discouraging trading partners from closing off, and the concept that a free and fair internet helps everyone is one of their best arguments for openness. Closing down significant data movement from the EU would ruin this point, and others would react. At the moment, primarily those countries aspiring to iron political control over all information are completely localizing their data. But if Brazil, Japan, or even Australia thought that it could broadly localize its internet to protect its own local companies, then the business internet would quickly be closed off into discrete rooms encouraging local business. U.S. companies looking to expand into other markets would suffer through additional regulation, costs, and in some cases, partial or complete restriction from competing in these markets.

The U.S. government understands that data localization is a threat to American businesses, and it has begun building safeguards against data localization into its treaties like the U.S.-Japan trade deal, the Trans Pacific Partnership and the United States-Mexico-Canada Agreement (USMCA), which renegotiated and updated NAFTA. According to the U.S. International Trade Commission, “protection from localization laws is essential for U.S. carriers seeking to manage data processing and network management functions from a centralized location.” In estimating USMCA’s economic impact on the United States, the same commission notes that “USMCA’s Digital Trade chapter, along with provisions related to investment and e-commerce, contribute significantly to the model’s estimated 0.17 percent increase in U.S. services sector output and 1.2 percent increase in services exports to the world.”

In a world where we seem to be able to order and receive everything from everywhere, many countries are placing restrictions by dividing the World Wide Web into intricately managed slivers. This trend will be a problem for American digital businesses, which benefit from openness and free transfer of data.
