By Anupam Chander
Governments around the world are trying to keep information about their people from leaving their borders. Citing concerns about foreign surveillance, privacy and security, and the needs of domestic law enforcement and economic development, governments are banning data from being exported.
What is the “data” that might be affected? Australia says that health data about Australians cannot be taken offshore. Brazil is considering a law that would give the executive the power to designate what information cannot leave the country. Vietnam wants all data about its citizens, from their Facebook updates to their lists of friends, to remain available on computer servers in the country.
Governments argue that by keeping data at home, they are improving the privacy and security of their citizens. The reality, however, is that efforts for data localisation will be unlikely to achieve these goals, and are likely to undermine them. The underlying assumption of governments is that data kept abroad is data kept unsafe. But like money stored under a mattress, the reality is that data kept at home may in fact be less safe than data stored on services subject to global competition. There is little reason to believe that data kept on a government computer in Vancouver is any more safe than data kept on IBM computers just a few miles further south in Seattle.
After all, criminal hackers are quite good at operating across borders. The code used to break into the computer systems of the American retailer Target, for example, appears to have been written partly in Russian. Keeping information at home does not keep it hidden from the prying eyes of foreign governments either. In fact, the US National Security Agency has far fewer constraints when it operates abroad than when it operates at home. For example, the NSA does not need prior approval of the Foreign Intelligence Surveillance Court for a foreign operation.
Governments also assume that global services faced with data localisation mandates will simply build local infrastructures, thereby stimulating local investment. But many services may find it too expensive or too risky to do so, and avoid the jurisdiction entirely. Yet other services may simply ignore the mandate, and continue to serve the local population. Most worrisome for these countries, companies may intentionally avoid locating their operations in countries with cumbersome data localisation requirements. Rather than stimulate investment, such measures may thus steer it elsewhere.
Not only will these measures likely fail to accomplish their objectives, they threaten some of the most important innovations made possible by the Internet. In an Information Age, data is the lifeblood of commerce. Efforts to corral that data within borders dramatically alter the way that the Internet works. One fundamental problem with these measures is that they largely defeat the possibility of the astonishing new kinds of trade made possible by the Internet. Because of the Internet, individuals and companies from Silicon Valley to Bangalore can supply their services to the world without needing the resources or the visas to set up shop across the world. Data localisation requirements will undo this possibility. Furthermore, data localisation may make it difficult to use cloud-based services such as Dropbox or Apple’s iCloud, or even new fitness trackers such as Samsung’s Gear Fit.
By increasing government control over their residents’ online activities, data localisation raises yet an additional worry — the possibility of government abuse. The internet gave people the ability to share information using services based outside the country. Such foreign services were less directly subject to either local censorship or surveillance. But data localisation, if enforced, would hand control over information back to the government. Rather than protecting citizens, data localisation might be used to cement control over them.
There was a time when people might have refused to buy food from abroad as too risky, but we have long realised that international trade in food is sensible, if we insist on health standards for the food put on the shelves of our grocery stores. We should recognise that trade in the digital world is sensible as well, and not erect counterproductive barriers to it.
Anupam Chander, Director of the California International Law Center and professor of law at the University of California, Davis, is the author of The Electronic Silk Road: How the Web Binds the World Together in Commerce, published by Yale University Press. A graduate of Yale College and UC Davis Law School, Uyen Le is a free speech and technology fellow at UC Davis.