Bordering states: data localization and its relationship to cyber sovereignty in Russia and Estonia

Note: I wrote this in March 2019 for POL354: Russian Politics and Society at the University of Toronto.

Introduction

In recent years, the Snowden revelations, Cambridge Analytica scandal, and other incidences of whistleblowing have shed light on widespread and complex global surveillance regimes in cyberspace which implicate states and private actors alike. In response to these disclosures, efforts to protect and keep data within national borders have risen on the agenda of governments the world over. Among these efforts is ‘data localization’, which can be simply defined as measures intended to restrict the free flow of data across national borders. Governments enacting data localization requirements typically offer four main justifications: (1) “avoiding foreign surveillance”; (2) “promoting users’ security and privacy”; (3) “bolstering domestic law enforcement”; and (4) “securing domestic economic development”. In Russia, these political and economic justifications coalesce under the argument that data localization is necessary to strengthen the state’s digital or cyber sovereignty. Data localization necessarily implicates notions of sovereignty because it is fundamentally about the construction and moderation of borders in cyberspace.

This paper will compare the conceptions of cyber sovereignty in Russia — a state with a global reputation for enacting restrictive regulation and policies with regard to cyberspace — and Estonia — a state globally regarded as one of the most open and advanced digital societies in the world. Specifically, it will examine how digital borders are constructed or deconstructed through the states’ respective positions on data localization and whether this is rooted in their notions of political and economic security in relation to sovereignty. Russia and Estonia are interesting case studies for this analysis due to both their historical relationship as former members of the Soviet bloc and the related conflict between these two states along their physical and virtual borders.

Discussing these states’ approaches to data protection, this analysis will consider how each state’s choice to implement or oppose localization requirements was influenced by their comparative political and economic contexts as shaped by their varying transitions out of Communism. I argue that Estonia’s pursuit of liberal internationalism has culminated in their deconstructing virtual borders through data openness whereas Russia’s tendency towards nationalism has resulted in the construction of virtual borders through restrictive data protection. Estonian cyber sovereignty is, therefore, premised on the open global internet, whereas Russian cyber sovereignty demands a closed and nationalized internet.

The regulatory landscapes of data localization

Data localization can assume several meanings and forms. First, it can be categorized by the data flow to which it applies. It can refer to localized data hosting, wherein “national governments compel Internet content hosts to store data about Internet users in their country on servers located within the jurisdiction of that national government” and or localized data routing “national governments compel Internet service providers to route data packets sent between Internet users located in their jurisdictions across networks located only within their jurisdiction”. Further, data localization restrictions can be broken down by severity. A strict restriction regime might impose a local storage requirement, local processing requirement, local access requirement, or a combination of all three. Alternatively, a conditional restriction regime might be established where conditions apply to the recipient country or where they apply to the data controller or data processor. Among the described forms of data localization, narrower options such as conditional restriction regimes applying to data hosting are most common, with only a few states (such as Russia and China) having adopted wider localization policies.

Russia

Russia’s data localization regime was constructed in multiple stages, beginning with the introduction of amendments to the Federal Law “On Banks and Banking Activities” in 2013. These amendments mandated that financial institutions operating under a license from the Central Bank of Russia record their transactions in electronic databases and store this information for at least 5 years; later iterations required that these databases be located in Russia.

Data localization provisions expanded with the adoption of Federal Law №97-FZ (Bloggers Law) in May 2014. This statute amended Federal Law №149-FZ “On Information, Information Technologies and Protection of Information” (Law on Information) — the main regulation concerning information technologies in Russia. The Bloggers Law introduced a new legal status — Organizer of dissemination of information in Internet — defined very broadly as “any person, facilitating functioning of information systems and/or computer programs, which may be used and/or are used for receipt, transfer, delivery and/or processing electronic messages of the users in Internet. (Article 10.1 of the Law on Information)”. This status confers obligations on the Organizer to notify the Roskomnadzar (the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media) before commencing operation, store certain user data (including traffic data) for six months, and grant Russian Law Enforcement agencies access to information as well as the ability to install wiretaps upon request. Failure to comply can result in fines and or the blocking of the Organizer’s service or website by the Roskomnadzar.

The Decree on Data Retention narrows the definition of the Organizer, however, to only apply to providers of services that allow Internet users to communicate with one another. According to the Decree, three forms of data are subject to data localization requirements: “i) data about user; ii) data about electronic communications occurred and iii) information about electronic payment transactions. Actual content of the communications is exempted from data storage requirements”. Yet some suggest that the content Organizers must store under Blogger’s Law exceeds basic personal data such as registration data and rather includes “photos, text messages, user profiles and so on; in other words, anything that might potentially help to identify the user”. Notably, it does not bar the processing of stored data outside Russia, it only requires that a copy is stored locally.

The scope of Russian data localization was further broadened in July 2014 with the signing of Federal Law №242 (amending Federal Law №152 “On Personal Data”) to prohibit the storage of Russians’ personal information outside the Russian Federation. Article 18(5) of this law requires that “from 1 September 2015 operators collecting personal data about Russian citizens through electronic communications (including over the Internet) must ensure that databases located in the territory of the Russian Federation are used to ‘record, systematize, accumulate, store, amend, update and retrieve’ that data.” Where Federal Law №97 (Blogger’s Law) implemented a “regime of partial local storage of personal data”, Federal Law №242 insists on the fully local storage and processing of Russian citizens’ personal data.

According to the aforementioned typology, Russian data localization can be characterized as a strict restriction regime applying to localized data hosting, however, recent announcements suggest that this regulation is intensifying and may soon encompass localized data routing as well. Russia is currently (as of March 21, 2019) experimenting with disconnecting itself from the global internet to test the feasibility of a proposed “sovereign internet” law; if passed, this legislation will require Russian Internet Service Providers (ISPs) to only use exchange points sanctioned by the Roskomandzar. This is significant because it would result in all data being routed internally, giving the Russian government almost unilateral control over its citizens’ access to information and services online. The forced creation of a Russian national internet would bring about many profound social, political, and economic consequences which will be discussed later.

Estonia

Estonia is a globally unique state in that nearly all of its core government functions and public services are not only digitized but premised upon the openness and free-flow of data; in essence, it operates ‘government as a data model’. At the basis of this model is a secure and interoperable data sharing network called the X-Road which enables citizens, public and private entities to access and manage their own data, as well as records of who has viewed their data. The X-Road operates as a decentralized system, in that there is no one server, data controller, or place where all of an individual’s information is held, nor is data duplicated across sources, it is rather shared among those connected. It is not only the backbone of Estonia’s public and private digital services, but a technological system which Estonia has helped install in other states including Finland, Kyrgyzstan, Namibia, Faroe Islands, Iceland, Ukraine, and other countries to develop an ecosystem for safe and secure cross-border data exchanges.

As a member of the European Union (EU), data protection legislation in Estonia is technically governed at a supranational level, mainly through the General Data Protection Regulation (GDPR), which entered into force on May 25th 2018. GDPR imposes very minimal to no localization requirements in that it requires the explicit consent of the data subject for cross-border data transfer. Although some argue that this constitutes a conditional flow regime, I would argue that it cannot necessarily be properly defined as a localization regime, since the intention is not to purposefully keep data within national borders, but rather to give the data subject greater control over their personal data and privacy. Aside from the GDPR and other EU-level regulations, Estonia possesses a Personal Data Protection Act (enacted in December 2018) which establishes exceptions, in compliance with GDPR, to the principle of obtaining consent for the processing of personal data for specific research and journalistic purposes.

Estonia, by all accounts, strongly opposes data localization and is in fact, spearheading efforts within the EU to promote the free movement of data across all member states — something the government considers “one of the most important aspects in building a digital Europe”. As a part of its digital single market policy, the EU is even moving to ban data localization restrictions altogether through an agreement in the European Parliament which will remove any restrictions instituted by member states, unless justified by public security concerns.

Together, Estonia’s open and decentralized public digital infrastructure in tandem with EU data protection has created a regulatory environment that actively opposes data localization.

The political and economic construction of cyber sovereignties

Of the four main justifications for data localization outlined within the introduction, three are mainly political — avoiding foreign surveillance, promoting users’ security and privacy, and bolstering domestic law enforcement — and one is economic — securing domestic economic development. Analysis of these arguments, particularly, the means by which the Russian and Estonian governments either mobilize or reject them in order to implement or eschew data localization restrictions is revealing. It demonstrates how their respective political and economic contexts innately shaped their conceptions of cyber sovereignty and, in turn, produced certain regulatory outcomes.

The divergence between Russian and Estonian notions of cyber sovereignty began well before their differing stances on data localization, and arguably before the internet connectivity of either state. Instead, it originates with disputes pertaining to borders, nationalities, and statehood. Following the collapse of the Soviet Union in 1991, Russia and Estonia experienced contestation and conflict along both their physical and virtual borders. Their historically unsettled border was and is a source of dispute between the two states. While a border agreement was reached in March 1999, Russia signed on in May 2005 and subsequently withdrew from it — making Estonia the last Baltic state to formalize its border with the former USSR by treaty in February 2014. This treaty, however, remains unratified. Russian-Estonian relations, especially this border dispute, are fraught with tensions related to the treatment of cultural Russians within Estonia. An issue which originates with their historical placement during Soviet occupation to promote ‘Russification’ or cultural and territorial assimilation. Such tensions, in fact, also fuelled the contestation of Estonia’s virtual borders via the 2007 distributed denial of service (DDoS) attacks which saw ‘hacktivists’ target the government, public officials, law enforcement, financial institutions, ISPs, media, small businesses and others. This event, which largely immobilized Estonian digital infrastructure, was prompted by the government’s movement of a bronze statue commemorating the Soviet liberation of Estonia from Nazi occupation — a move viewed as discriminatory among cultural Russians. Although technical experts at the European Commission and NATO were unable to find evidence of the Russian government’s coordination or participation in these cyberattacks, Estonian officials were quick to accuse Russia of perpetrating them.

Interpretations of the border conflict between Estonia and Russia sometimes consider the border to be “a marker for the larger issue of Estonia’s desire to “draw the line” against Russian interference, domestic and international” — an observation which rings true with regard to their differentiation in cyber politics. Both states are inclined to fiercely protect their cyber sovereignty, albeit with different motivations and methods.

Since its independence, Estonia has broadly sought alignment with Western states and the firmament of its border with Russia. It achieved this by rejecting its history of Soviet occupation and instead “stressing the European nature of Estonian identity” — a shift most embodied by its membership in the EU. Becoming an EU state carries with it the obligation to engage in shared sovereignty in exchange for a free trade environment and a high degree of influence over domestic politics. As such, Estonia has by joining the European community embraced a more international or globalized conception of state sovereignty.

By contrast, Russia has largely developed a reputation in the international community for belligerence, nationalism, and authoritarianism underpinned by its annexation of Crimea, role in the Syrian conflict, allegations of electoral interference in 2016 US Presidential election, and reported lack of democratic elections, amongst other concerns.

This juxtaposition of Estonian internationalism and Russian nationalism represents the most prominent fault line between the two state’s approaches to cyber sovereignty. It is highly visible in their demarcation of nationality and borders online as they apply both to the political nation and economic markets.

For example, as a pillar of its digital strategy, Estonia offers an ‘e-residency’ status which allows non-Estonian nationals and businesses to participate in its digital economy and gain access to the EU market. This is presented as a means of proving both “the exportability of Estonia’s digital solutions”, as a leading global digital society and economy, and “the extendibility of ‘e-Estonia’ beyond the national borders of the country”. In tandem with Estonia’s advocacy for the free flow of data — domestically via the X-Road, and internationally via the EU — e-residency can be conceived of as a measure to dismantle digital borders viewed as inhibitive to the power of data both as a political asset and an economic good.

The Russian government’s actions also indicate that it considers data to be politically and economically valuable, however, in such a way that it is perceived as a threat to Russia’s national security and sovereignty if not controlled. This is apparent in the origins of data localization in Russia, as it was first raised in response to the summer 2013 revelations of widespread foreign surveillance conducted by the United States’ NSA. At this time, Sergei Zheleznyak, a deputy speaker of the lower house of the Russian parliament and a member of the Committee on Information Policy and Information Technology and Communications, called for the fortification of “digital sovereignty” through “legislation requiring e-mail and social networking companies [to] retain the data of Russian clients on servers inside Russia, where they would be subject to domestic law enforcement search warrants.” Further, the subsequent wave of data localization provisions enacted in 2014 were, in fact, part of “a legislative response to the terrorist acts committed in Russian city [of] Volgograd in the end of 2013”. The abject purpose of these reforms, particularly Federal Law №97 which amended the Law on Information, was to strengthen law enforcement and or investigatory activities by reducing jurisdictional complications. Alternative data retention obligations were considered insufficient because, without the imposition of localization requirements, Russian law enforcement would lack the desired enforceability in situations where data is stored abroad. The intention of Russian data localization to preserve national security by increasing the enforceability of control over data and information within its borders illustrates that “absent other efficient enforcement mechanisms, localization of such data becomes an essential element of national sovereignty”. This is compounded by the fact that current data localization requirements are triggered by the personal information of Russian citizens, and thereby, attempt to apply a nationality principle to data collection. A principle which in the Roskomandzor’s practice is applied via the proxy of residence.

Data localization in Russia is clearly deeply rooted in the protection of national security in political terms, however, the divergence of the Estonian and Russian approaches can also be explained by their varying economic structures. The transition of the Eastern European bloc and the Soviet Union out of communism produced varieties of capitalist underdevelopment. Among these states, each continues to have “a higher level of state ownership and economic control than their Western counterparts”. While Estonia and a few other states developed market economies comparable to their OECD counterparts, the Russia economy and many others can be characterized as ‘hybrid state/market uncoordinated capitalism’ and are considered to lack “the psychological, political and societal underpinning of modern capitalism”. In recent years, Estonia has outperformed both Russia and the EU in annual GDP growth, at 4.9% compared to 1.5% and 2.4% respectively in 2017. Further, Estonia’s push towards internationalization and economic liberalism combined with an influx of foreign direct investment enabled it to build on its existing industries to develop a strong comparative advantage in the telecommunications sector. High technology exports comprise approximately 16% of Estonia’s total exports, whereas they account for around 11.5% of Russian exports.

Comparative analysis of the economic conditions of Estonia and Russia indicates that Russia is at a disadvantage with regard to global competitiveness in Internet services such as data hosting, which may also explain its choice to introduce strict data localization. Data localization is widely acknowledged, however, to be a protectionist measure which “leads only to small gains for a few local enterprises and workers, while causing significant harms spread across the entire economy”. Data localization is considered economically harmful because it inhibits access to technological innovation through narrowing market choices and increasing costs — hampering potential productivity gains — in addition to providing an insignificant source of employment since data server farms require few employees. Accordingly, many modern trade agreements, including the TPP, TTIP, and TISA, have included clauses limiting or banning data localization.

Taken all together, these findings reveal several important insights as to how the respective political and economic conditions of Russia and Estonia, as well as their relationship to one another, produced varying conceptions of cyber sovereignty and in turn, differing stances on data localization as expressions of that sovereignty. Estonia’s political and economic disposition towards liberal internationalism, as shaped by its membership in the EU and comparative advantage in telecommunications, gave way to a transnational conception of cyber sovereignty premised upon the free flow of data both as a political and economic asset. Contrastingly, Russia’s political and economic disposition towards nationalism, as evidenced by its fixation on the preservation of national security in tandem with its comparative disadvantage in the Internet economy, is demonstrative of a nationalist conception of cyber sovereignty premised on the restriction of data and informational flows. These differing conceptions of cyber sovereignty embodied by Russia and Estonia ultimately both resulted in and are reinforced by their opposing policy positions on data localization.

Conclusion: Comparative insights and their consequences for the global internet

Data has infamously been called ‘the new oil’ in an attempt to capture its growing significance within the global political economy.

First and foremost, however, data is the lifeblood of the Internet. Chander and Le, who wrote a seminal work on data localization entitled “Data Nationalism”, rightly point out that data localization fundamentally contradicts both the ethos and the architecture of the internet. The creation of national barriers to data not only undermines the core function of the World Wide Web to share information across the globe without restriction but is even incompatible with Internet protocols and cloud computing which largely do not take heed of national borders. As such, data localization innately challenges Internet architecture which has come to define our interconnected world.

Although this paper has focused on the interplay between two sets of domestic policies, data localization restrictions are evidently consequential for the entirely of the global internet, the fate of which is also determined by the global realm of internet governance. Julien Nocetti, who wrote about the politicization of Internet issues by Russia within such fora, said that “in many respects, the battle over the vision of internet governance cannot be characterized entirely accurately as between authoritarian, undemocratic states and liberal, freedom-loving states; it is also, and indeed more centrally, a conflict between long-established, cosmopolitan states and newer states that do not yet feel safe in their sovereignty.”

This paper illustrates how two states, despite sharing some overlapping history, can very meaningfully diverge along these axis resulting in opposing conceptions of cyber sovereignty — one which supersedes borders by promoting data openness in line with the nature of the global internet, and one which seeks to construct borders through data restrictions to the effect of creating a nationalized internet. While in some ways centrally a conflict between internationalism, or transnationalism, and nationalism, it also highlights how these formational trajectories of cyber sovereignty are rooted in political and economic determinants of security.

As we bear witness to the further evolution of the Internet and digital spaces, if we wish to maintain and improve their global openness, we must give greater thought to these trajectories. Specifically, we must further explore how the national identities implicated in cyber sovereignty, which are socially, culturally, politically, and economically determined, are moderated through borders, now digitally.

Works cited

“2018 Reform of EU Data Protection Rules.” European Commission — European Commission. April 01, 2018. Accessed March 29, 2019. https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en.

Chander, Anupam and Le, Uyen P., Data Nationalism (March 13, 2015). Emory Law Journal, Vol. 64, №3, 2015. Available at SSRN: https://ssrn.com/abstract=2577947

Dobryakova, Natalia, and Igor Stroganov. “Privacy in the Russian Legislation.” University of Washington Law Review, August 24, 2015. Accessed March 29, 2019. https://www.law.uw.edu/media/1394/russia-intermediary-liability-of-isps-privacy.pdf.

Drahokoupil, Jan. “After transition: Varieties of political-economic development in Eastern Europe and the former Soviet Union.” Comparative European Politics 7, no. 2 (2009): 279–298.

“Estonia’s EU Presidency: Digital Europe and the Free Movement of Data — E-Estonia.” E-Estonia. April 05, 2018. Accessed March 29, 2019. https://e-estonia.com/estonias-eu-presidency-digital-europe-and-the-free-movement-of-data/.

“Federal Law №97-FZ (Bloggers Law).” WILMAP. May 5, 2014. Accessed March 29, 2019. https://wilmap.law.stanford.edu/entries/federal-law-no-97-fz-bloggers-law.

Ferracane, Martina, Restrictions on Cross-Border Data Flows: A Taxonomy (November 18, 2017). ECIPE Working Paper №1/2017. Available at SSRN: https://ssrn.com/abstract=3089956

“GDP Growth (annual %).” World Bank. 2019. Accessed March 29, 2019. https://data.worldbank.org/indicator/NY.GDP.MKTP.KD.ZG?end=2017&locations=EE-RU-EU&start=1989&view=chart.

Herlihy, Peter. “‘Government as a Data Model’ : What I Learned in Estonia.” Government Digital Service. October 31, 2013. Accessed March 29, 2019. https://gds.blog.gov.uk/2013/10/31/government-as-a-data-model-what-i-learned-in-estonia/.

Herzog, Stephen. 2017. Ten years after the Estonian cyberattacks: Defense and adaptation in the age of digital insecurity. Georgetown Journal of International Affairs 18, (3) (Fall): 67–78, http://myaccess.library.utoronto.ca/login?url=https://search-proquest-com.myaccess.library.utoronto.ca/docview/2087296804?accountid=14771 (accessed March 17, 2019).

“High-technology Exports (% of Manufactured Exports).” World Bank. 2019. Accessed March 29, 2019. https://data.worldbank.org/indicator/TX.VAL.TECH.MF.ZS?locations=EE-RU.

Jee, Charlotte. “Russia Wants to Cut Itself off from the Global Internet. Here’s What That Really Means.” MIT Technology Review. March 22, 2019. Accessed March 29, 2019. https://www.technologyreview.com/s/613138/russia-wants-to-cut-itself-off-from-the-global-internet-heres-what-that-really-means/.

Merritt, Martha. 2000. “A Geopolitics of Identity: Drawing the Line between Russia and Estonia.” Nationalities Papers 28 (2): 243–262. doi:10.1080/713687468. http://resolver.scholarsportal.info/resolve/00905992/v28i0002/243_agoidtlbrae.

“Moscow: Border Treaty Won’t Be Ratified If Estonia Doesn’t Change Conduct.” ERR. May 23, 2018. Accessed March 29, 2019. https://news.err.ee/833760/moscow-border-treaty-won-t-be-ratified-if-estonia-doesn-t-change-conduct.

“Päivikki Ala-Honkola.” European Council. June 29, 2018. Accessed March 29, 2019. https://www.consilium.europa.eu/en/press/press-releases/2018/06/29/eu-to-ban-data-localisation-restrictions-as-ambassadors-approve-deal-on-free-flow-of-data/.

“Riigikogu Adopts Personal Data Protection Act.” ERR. December 12, 2018. Accessed March 29, 2019. https://news.err.ee/884268/riigikogu-adopts-personal-data-protection-act.

“Russia Finally Signs Border Treaty with Estonia.” World News. February 18, 2014. Accessed March 29, 2019. https://article.wn.com/view/2014/02/18/Russia_finally_signs_border_treaty_with_Estonia/.

Savelyev, Alexander. “Russia’s new personal data localization regulations: A step forward or a self-imposed sanction?.” Computer Law & Security Review 32, no. 1 (2016): 128–145.

Selby, John. 2017. “Data Localization Laws: Trade Barriers Or Legitimate Responses to Cybersecurity Risks, Or both?” International Journal of Law and Information Technology 25 (3): 213–232. doi:10.1093/ijlit/eax010. http://resolver.scholarsportal.info/resolve/09670769/v25i0003/213_dlltbortcrob.

Tammpuu, Piia, and Anu Masso. 2018. “‘Welcome to the Virtual State’: Estonian e-Residency and the Digitalised State as a Commodity.” European Journal of Cultural Studies 21 (5): 543–560. doi:10.1177/1367549417751148. http://resolver.scholarsportal.info/resolve/13675494/v21i0005/543_ttvseetdsaac.

“What Is E-Residency | How to Start an EU Company Online.” E-Estonia. 2019. Accessed March 29, 2019. https://e-resident.gov.ee/.

“X-Road — E-Estonia.” E-Estonia. 2019. Accessed March 29, 2019. https://e-estonia.com/solutions/interoperability-services/x-road/.