Data Localization Laws as a Threat to Network Innovation
On September 2016, Russia started to enforce a new legislation requiring that all personal data of Russian citizens should be stored in servers located inside the country.[1] This meant that any company or a service (digital or analog) that wanted to operate in Russia using personal information like names, address or phone numbers of Russian users should use servers located within the boundaries of the country and refrain from copying or moving them abroad at any time. According to their proponents in the parliament, this legislation would help the Russian Government to enforce the national laws regarding privacy and data protection from hacking and to disallow companies from using its global facilities to law compliance. Unsurprisingly, some companies either couldn’t afford the technology costs or were unwilling to do so. Among them was the social network for professional environments LinkedIn, who didn’t comply with the new regulation and was subsequently the target of a blocking mandate issued by a Russian court on November 2016.[2]
LinkedIn’s Russian misfortune is not an isolated event but a recurrent nightmare of technology companies operating globally. Beyond the rationality or the necessity for establishing such kind of rules, data localization mandates are playing an important role in any market forecast for the next ten years. This papers discusses how laws that force Internet companies to locate content within the boundaries of a country present a threat to the deployment of new network infrastructure models. From this perspective, I believe that a good policy design will become central to ensuring a network growth capable of matching the rising market demands. As this paper explains, the consequences of not addressing timely this policy concerns could be devastating to the network in the future.
1. Towards a floating network infrastructure
Cloud Computing is in itself a new way of thinking about servers. However, the recent appeal of a more responsive network infrastructure isn’t just a technical trend. The rise of cloud networks is an organic response to the increasing diversity of devices and users connected to the net. Over the following years, this trend will continue to rise unquestionably. As the streaming demand of 4K and Virtual Reality content start to take over the way most people consume multimedia, the amount of data that the average user exchanges with the network will grow exponentially. Likewise, the increase and sophistication of the usage of Internet connected devices with a low tolerance for latency like self driving cars and smart appliances will increase the demand for timely delivery of resources and optimal quality of service in the network.
The recent introduction of services like Facebook Instant Articles and Google Accelerated Mobile Pages demonstrate how the question of how to deliver an asset over a network is not about where it was originated or it is store but how it can be more efficiently carried over the network to the consumer. With the surge of content delivery networks, we’ve already seen how even the geographical location of a server has become fluid: a movie on Netflix is not just on one place at one time but in multiple locations over certain periods and the decision to locate certain contents on particular regions has also started to be made automatically. This model will most likely keep expanding towards other kinds of usages, like using geographically distributed servers for different kinds of processes like databases or back end services. In the near future, the exact geographical location of a content in a server could become fluid by design and systems administrators will be completely unaware of where is a particular resource located in a network.
This change will bring positive effects for system administrators and users too. For the owner of the cloud, moving towards an architecture on which the location of their assets is fluid and interchangeable could bring more redundancy, flexibility, and reliability to the network. It could also cut costs dramatically by allowing the owner to locate or prefer servers located in places with low energy consumption or lower temperatures anywhere in the world. For many users, the location of a particular asset on the network is already irrelevant as long as it is promptly delivered upon request. Moving into a network with a fluid location of assets, users will experience improved quality of service and higher data speeds.
It is worth noting that ownership of cloud infrastructure starts to concentrate among a handful of players, as remarked by Professor Chou in his November 29 lecture. Under this scenario, cloud location irrelevance is already a reality for small and medium companies leasing servers from big companies like Amazon while remaining completely unaware of where exactly those servers are located and indifferent to the possibility of changing their physical setting.
2. Data Localization Laws
As referenced by Steve Case in this October 18 lecture, Public Policy is becoming an integral factor of the development of the Internet of the future. Good and measured policies may enable innovation, like the policy decision taken decades ago of freeing certain portions of the spectrum that allow the experimentation that gave us Bluetooth and WiFi. On the other hand, precautionary principles and doomsday thinking may had played a role in controversial policy proposals like mandating government backdoors in encryption software, among others.
In this regard, one recent policy trend seems to be in direct contradiction with the evolution path I described in the previous section: data localization laws. Such legislative provisions force Internet companies to geographically locate within the boundaries of a country all the data and information pertaining to the users of that country. Sometimes, they also mandate physical separation (not virtual) between the servers that handle personal data of users to the rest of the network. While most countries do require companies to inform and request consent from users whenever they’re exporting their personal data, the trend of data localization laws intends to overwrite that possibility to strictly prohibit such operations. To date, they not only exist in authoritarian countries like China or Russia but also can be found in Australia, India or South Korea.
Not every data localization law is as absolute as the Russian or Chinese ones. In India, for instance, the law only requires server localization for all data collected using public funds. In a similarly narrow scenario, Australia restricts the exportation of any personally identifiable health information.
According to the policymakers behind such proposals, they would be the only way on which law enforcement objectives like the protection of personal data and the prosecution of cybercrimes can be guaranteed.[3] Such assumptions, however, reveal an over simplistic understanding of the real nature of some of those harms. Personal and financial information can equally be stolen when it’s located outside of the country than inside of it, and some national server facilities and databases may have lower capacity and safeguards than international ones. Compliance with the national laws can be assured through more careful approaches like international normalization of the regulation and safe harbor certification networks that allow companies to confidently transact between each other within the boundaries of the law.
Some commentators had also read into data localization laws a hidden intention to harm external competition or to develop government surveillance networks. Given the reality in many countries that the major information technology players are foreign (mostly, based in the United States), this kind of regulation could effectively work as a burden for international companies to start to operate in a particular country. The same skepticism show those who believe that, particularly in authoritarian countries, the mandates to keep all data and their transactions within the national borders of a country are an insurance policy that allows state agents to tap, seize or possibly take control of any asset within the network simply through executing their national power.
3. Consequences
Data Localization Laws are the perfect example of a policy being developed without a prior understanding of how the nature of what is being regulated works nor its future. In this regard, there’s much education that Internet companies still need to do between policy makers to help them understand the potential ramifications of their decisions. The following is a non-exhaustive list of potential negative effects that the generalization of such regulations could have in the future.
This kind of regulation will definitely pose a higher cost for entry to the market for Internet companies, particularly to those that handle large amounts of data from their users (notably wearables, health appliances, and social networks). This could potentially translate into higher prices for consumers of their products and services, who now will have to foot the bill for the additional spending in national servers built almost always with imported hardware and powered by highly priced energy.
A rise in the cost of operation won’t be a deal breaker for established players like Google or Microsoft. However, most likely will deter the expansion of new companies unable to offer their services in countries with data localization laws within their limited budgets. In turn, this lack of new entrants won’t do much good to competition in those national markets and, hence, most likely will be reflect in surging prices and monopolistic practices.
More importantly, this laws could pose a risk to innovation as a process within a country or a region of the world. Given the need to comply with these regulations, many services and companies will never go beyond their conception. The real risk behind this situation becaming common is not the misfortune of their funders but, as a whole, the innovation that we as a society lost in the way.
Policy makers and laws are expected and have a duty to pursue valuable objectives such as protecting users’ privacy or safety online. However, they also have a duty to make responsible policy decisions aware of the ever-changing nature of the Internet. An absolutist approach towards mandating data localization for every case and for every market seems like a step in the wrong direction.
[1] Vladimir Kozlov, “Russian Personal Data Law Set to Come into Force despite Fears,” ComputerWeekly, accessed December 8, 2016, http://www.computerweekly.com/feature/Russian-personal-data-law-set-to-come-into-force-despite-fears
[2] Ingrid Lunden, “LinkedIn Is Now Officially Blocked in Russia,” TechCrunch, accessed December 8, 2016, http://social.techcrunch.com/2016/11/17/linkedin-is-now-officially-blocked-in-russia/
[3] Stephen Dockery, “Data Localization Takes Off as Regulation Uncertainty Continues,” WSJ, June 6, 2016, http://blogs.wsj.com/riskandcompliance/2016/06/06/data-localization-takes-off-as-regulation-uncertainty-continues/
