Tatevik Sargsyan, a doctoral candidate at the School of Communication at American University, explores the privacy, human rights, and economic and trade implications of data localization on governments and citizens. In lieu of the recent ‘Safe Harbor’ agreement, Sargsyan considers localization within the contexts of human rights and commercial exchange.
The Court of Justice of the European Union (CJEU) decision to invalidate the Safe Harbor agreement on October 6, 2015, and the subsequent legal uncertainty surrounding data transfer between the United States and European Union (EU), have sparked conversations about data localization. As the US and EU negotiate a new transatlantic data transfer regime and internet companies consider moving data to Europe, it is worth reflecting on the potential consequences of data localization.
Most commonly, “data localization” refers to legal restrictions on data location and export, which mandate online service providers to physically locate servers containing data belonging to a country’s residents within that country’s jurisdiction, and/or ban the export and processing of data elsewhere. China, Indonesia, Vietnam, South Korea, Russia, Canada, and Australia are among the many countries where such restrictions exist or are being considered.
The 2013 revelations about the US National Security Agency (NSA) surveillance PRISM program have particularly pushed countries to turn to data localization as a reasonable solution to privacy and security concerns related to intrusive foreign intelligence. This is the rationale behind German authorities’ proposal to store Europeans’ data on servers inside EU. This is also the claim that Russian authorities used to enforce the Data Localization Law on September 1st of this year.
Despite many countries’ enforcement, or data localization proposals, the practice contains some often overlooked consequences. First, foreign intelligence agencies often focus their surveillance activities abroad, relying on various malware and surveillance technologies that hack into systems. Centralizing data in local servers makes countries more vulnerable to such hacking attacks.
Moreover, many countries that support data localization have their own surveillance programs, many of which have little oversight. For example, the French government has favored creating a local internet infrastructure and engaged in discussions about circumventing US communication networks to avoid NSA’s bulk data collection. Nonetheless, France has extended its own surveillance capabilities via national security laws in addition to existing surveillance programs that allow monitoring data transmission in and out of the country.
Equally important, data localization does not prevent governments from collaborating and regularly sharing data with each other either in order to address threats of terrorism, cyber-attacks, fraud, and cybercrime, as well as for coordinated espionage efforts. Despite the outrage with which German officials responded to the Snowden revelations, German foreign intelligence service and the NSA have extensively collaborated on their surveillance efforts, including spying on Germany’s allies.
Data localization is also likely to increase human rights risks, particularly in environments where legal frameworks are inadequate and provide weak protections for rights such as the freedom of expression and privacy. Storing data on local servers, whether operated by domestic or foreign companies, can make information more accessible to repressive authorities. This increased access to information can, in turn, put minority groups, journalists, and activists at risk. In this capacity, data localization in Europe will establish a dangerous precedent for repressive governments to follow.
Apart from inversely affecting human rights, data localization policies may also erode the value that internet brings to economies. The global free flow of information has been fundamental for international commercial exchange and economic development, and has been recognized as an essential pillar of the Organization for Economic Co-operation and Development (OECD) principles on internet policy making. Restrictions on data transfer may limit the choice of services that online and traditional industries have access to, hurting competition, productivity, innovation, and costs.
For internet companies, building local data centers and employing local computing capabilities will result in added costs and operational complexity. Large companies such as Google and Amazon will be able to invest in data centers, but data localization runs the risk of forcing smaller companies out of markets because maintaining data centers in multiple locations requires large financial investment.
Data localization policies are also incompatible with the universal nature of the web. Millions of people around the world are able to access applications and services provided by global internet companies. To make services globally accessible these companies send and store data across jurisdictions because their data centers are geographically disproportionate. Policies that require data to be stored, processed or accessed in a specific jurisdiction will effectively preclude people from using many digital services, undermining universal access to information and knowledge.
Overall, data localization proposals will likely not achieve their desired data protection outcomes and have negative economic and trade implications, as well as adverse consequences for the universality of the internet and human rights. The potential ramifications of data localization are too high to ignore and require stakeholders to work towards alternative solutions that will address privacy and security concerns of citizens and governments.
Alternatives include privacy and security protections strengthened through technical means such as encryption, anonymization tools, and products designed with privacy functions embedded in them. However, state agencies, motivated by their legitimate concerns about national security and public safety, press for broad surveillance capabilities, weaker encryption standards and backdoors to access data without due process. Under such circumstances, provision of privacy depends both on technical and legal safeguards.
Consequently, it is also necessary to push back against blank prohibitions of encryption systems and continue to advocate for policies that balance the values of privacy and public safety and ensure governments’ access to data is lawful and proportionate. As for the Safe Harbor: any new agreement to replace the regime should ensure that citizens’ privacy rights endure no matter where their data are stored.
About the Author
Tatevik Sargsyan is a doctoral candidate at the School of Communication at American University in Washington, DC. Her dissertation research focuses on private information intermediaries and their privacy policies and practices. She is a 2013 Annenberg-Oxford Summer Institute Alumna.