Anupam Chander is Martin Luther King, Jr. Research Professor and Director of the California International Law Center at UC Davis School of Law. He is the recipient of a Google Research Award supporting related research.
Data localization, a term invented less than a handful of years ago, is getting a lot of attention—both for good and bad. The draft of the Democratic party platform includes a commitment to oppose data localization across the world, so that’s good. The fact that the party has to do so is distressing, indicating that data localization has become increasingly popular in some parts of the world. Opposing data localization should be a bipartisan endeavor, and Republicans this week should speak out against it because data localization harms freedom of speech, economic growth, and a free and open internet.
Data localization is a government requirement that data should physically stay within a particular jurisdiction’s boundaries, perhaps subject to limited and onerous exceptions. For example, Russia passed a data localization law in 2014, requiring that data about Russians be held on a server within that country (though copies of the data can be moved abroad). While the Russian government justified it as necessary to mitigate U.S. spying and defend the country’s “digital sovereignty”, the law seems designed to help Russia’s own intelligence services by keeping information about Russians within their easy reach.
Data localization not only helps local spies, but can be a good way to impede competition from abroad. Foreign companies face three unattractive options: (1) bear the costs of either building out new server facilities or renting space on local servers in each of the countries requiring data localization; (2) quit those markets; or (3) ignore the obligation and hope to escape scrutiny.
These choices harm not only technology companies, but all companies, from General Electric to accounting firms to the local plumber. All companies hold data—about customers, employees, and visitors to their websites or mobile apps. Car companies increasingly receive data from their vehicles—witness Tesla’s remote monitoring of all of its car crashes. The town plumber too may store information about his or her customers often using a foreign cloud-based service. Data localization applies to all companies that gather data on individuals, meaning nearly all large and even small companies operating today. Localizing data in those foreign countries also means segregating data by country of origin, limiting the ability to do cross-country analytics. The largest companies are the ones most likely to be able to build out local data infrastructures; it is the small and medium sized companies who will either withdraw from markets or simply violate the law, unable to afford to comply. Local start-ups will find their choices of cloud and other service providers narrowed, and their expenses increased while their flexibilities are decreased.
Many governments are keen on data localization because it helps them to assert greater control over their domestic citizenry. They can more easily track what their citizens do because their data is held on nearby computers. Governments can also bar foreign services on the ground that they don’t comply with data localization mandates.
Data localization can be used to make it more difficult for their people to use foreign services like Facebook, Google, or Twitter to communicate with their countrymen and women. In May, Iran’s Supreme Council of Cyberspace declared, “Foreign messaging companies active in the country are required to transfer all data and activity linked to Iranian citizens into the country in order to ensure their continued activity.” In the wake of allegations of government corruption, the Turkish government in 2014 sought to ban Twitter entirely, though a Turkish constitutional court reversed the ban. If Turkey adopted a data localization mandate like Russia’s, it would be far easier to either bar Twitter for failing to comply, or to try to delete accounts (based on claims of defamation, etc.) because those accounts would be stored locally.
Data localization proponents argue it is essential to protect data privacy. In reality, data localization reduces privacy for a number of reasons. First, data localization undermines the security of information by multiplying the number of data centers that companies have to monitor. Second, data localization limits our choice of service providers to those operating locally; protectionism, experience teaches, generally reduces the quality of a service. If one believes that one’s information is only safe in one’s home country, then that person should by all means choose a local provider. But data localization makes that choice for all people—telling folks they cannot use a provider using foreign computers even if they think it is more private and secure. Third, as seems to be the case in Russia and elsewhere, data localization increases the exposure of information to local authorities if the local surveillance law authorizes such snooping.
Fundamentally, saying that only information is only safe if it stays within the country is akin to saying that you only trust goods produced in the United States or food produced here. In reality, even foreign goods or food can be safe, and local goods or food can also be unsafe.
Data localization also undermines one of the internet’s greatest gifts: the ability of individuals to communicate with each other across borders and access information. Individuals whose home countries’ media is heavily censored have often employed foreign internet services to circulate and read information about what is happening in their country.
This weekend’s aborted coup in Turkey demonstrates the importance of foreign platforms to the dissemination of information worldwide. After seeking for years to bring foreign Internet services to heel for circulating information the government disfavored, Turkish President Recep Tayyip Erdoğan found himself turning to Apple’s Facetime to communicate with the world. When the military seized control of local media outlets, Erdogan used Facetime to communicate with CNN Turkey. He didn’t need to find a television studio—where he could have been easily located and imprisoned. As Kieran Healy noted in Vox, “In the past, taking control of the national TV or radio stations would have been enough to eliminate the threat of the leader speaking to the nation, at least for the crucial hours of transition.”
The Democratic party is right to see data localization as a threat to both freedom of expression and free trade. Let us hope that both parties can find common ground on this issue.