In the wake of revelations that the U.S. and UK governments regularly monitor private communications — including Internet usage, GPS data, and cell information — a number of countries are considering a new type of law called “data localization.”
In the simplest of terms, data localization laws would require that businesses that operate on the Internet — including Internet service providers, companies with data operations, and cloud services that control and maintain digital data for business and individuals, including redundant backups — store that data within the country where the businesses are located, rather than on servers in other countries.
Internet businesses that do not comply could be barred from doing business in that country or fined millions of dollars. So far, Brazil is the only country where data localization laws are now pending, but other countries are considering such laws.
Data Localization Will Transform the Internet
Google and many other Internet businesses have expressed concern that data localization may change the Internet as we know it. In November 2013, Richard Salgado, Google’s director of law enforcement and information securit, testified before the US Senate in support of the Surveillance Transparency Act of 2013. He made the following statement: If data localization and other efforts are successful, then what we will face is the effective Balkanization of the Internet and the creation of a ‘splinternet’ broken up into smaller national and regional pieces, with barriers around each of the splintered Internets to replace the global Internet we know today.
Until data localization laws are passed and implemented, Google’s point is, of course, theoretical.
Where Should Data Be Stored?
If data localization becomes widespread, determining what data belongs in which country may be easier said than done. People generally reside in one country, but many people work, travel and study in various countries. So when a person travels from Brazil to the U.S. to work for a year — or goes on vacation for a month — which data should be localized, and where?
If data were produced in the U.S. and emailed to Brazil, or the individual were using a Brazil service to text in the U.S., which country would keep the data? And for how long? Should the data in the U.S. be transferred when the person returns to Brazil?
Of course, data localization for a company is more complex, because so many companies operate in a number of countries. For instance, Toyota is headquartered in Japan, but it has subsidiaries around the world. Does that mean under data localization laws all of Toyota’s data would have to be stored in Japan by cloud services and ISPs it used to manage its digital operations?
Or should localized data be stored in the country of each Toyota subsidiary? Does country of incorporation matter, or just the country where the particular office or employee is located? For the moment, there are more questions than answers.
Microsoft Supports Customer Choice
In a recent interview with the Financial Times, Microsoft’s general counsel Brad Smith said its customers should be able choose where their data is stored, that is, “an informed choice of where their data resides.”
Smith went on to say the following:Technology today requires that people have a high degree of trust in the services they are using… . The events of the last year undermine some of that trust … . That is one of the reasons new steps are needed to address it.However, it is unlikely that Microsoft, which is both an ISP and cloud service, will build data centers in every country in the world for either complying with the customer’s choice or data localization laws.
Impact on Cloud Providers
Since so many businesses and individuals rely on cloud services, data localization could change Internet usage dramatically.
For example, data localization laws could require that cloud companies change the way they conduct business and in what countries they store data to optimize their cloud operations, Forrester suggested. They might no longer be able to service customers in every country in the world.
In the next three years, the cloud computing industry could lose US$180 billion — 25 percent of its revenue.
Clearly, ISPs and cloud providers have a vested interest in a less-restrictive Internet without data localization, so that they might manage expenses — and therefore profits. This interest needs to be balanced with the need for government access of Internet data to protect citizens from terrorists.