By creating national barriers to data, data localization measures break up the World Wide Web, which was designed to share information across the globe. The Internet is a global network based on a protocol for interconnecting computers without regard for national borders. Information is routed across this network through decisions made autonomously and automatically at local routers, which choose paths based largely on efficiency, unaware of political borders.
Thus, the services built on the Internet, from email to the World Wide Web, pay little heed to national borders. Services such as cloud computing exemplify this, making the physical locations for the storage and processing of their data largely invisible to users. Data localization would dramatically alter this fundamental architecture of the Internet. Such a change poses a mortal threat to the new kind of international trade made possible by the Internet—information services such as those supplied by Bangalore or Silicon Valley.
Barriers of distance or immigration restrictions had long kept such services confined within national borders. Data localization would thus require the information service provider to build out a physical, local infrastructure in every jurisdiction in which it operates, increasing costs and other burdens enormously for both providers and consumers and rendering many of such global services impossible.
While others have observed some of the hazards of data localization, especially for American companies, 7 See, e. Cloud Computing Industry? Ezell, Robert D.
Read More From Yale Law Journal
Wein , Info. First, while the earlier analyses have referred to a data localization measure in a country in the most general of terms, our Article provides a detailed legal description of localization measures. Second, by examining a variety of key countries around the world, the study allows us to see the forms in which data localization is emerging and the justifications offered for such measures in both liberal and illiberal states. Third, the Article works to comprehensively refute the various arguments for data localization offered around the world, showing that data localization measures are in fact likely to undermine security, privacy, economic development, and innovation where adopted.
Our paper proceeds as follows. Part I describes the particular data localization measures in place or proposed in different countries around the world, as well as in the European Union. Part II then discusses the justifications commonly offered for these measures—such as avoiding foreign surveillance, enhancing security and privacy, promoting economic development, and facilitating domestic law enforcement.
We appraise these arguments, concluding that, in fact, such measures are likely to backfire on all fronts. Data localization will erode privacy and security without rendering information free of foreign surveillance, while at the same time increasing the risks of domestic surveillance. The problem of data localization is even more pervasive than the jurisdictions we identify. Furthermore, the measures achieve data localization in a wide variety of ways. While some of the measures explicitly force data to be located on home country servers, often the localizing effect is less visible and more indirect.
Malaysia, on the other hand, requires consent for international transfer of data, which can prove a significant hurdle. Other regulations focus on selected sectors. Australia prevents health records from being transferred outside the country if they are personally identifiable.
Hidden Laws of the Time of Ferguson
In sum, our study reveals the astonishing array of countries that have enacted or are considering data localization. Subsection 1 provides:. The System Operator, a registered repository operator, a registered portal operator or a registered contracted service provider that holds records for the purposes of the PCEHR system whether or not the records are also held for other purposes or has access to information relating to such records, must not: a hold the records, or take the records, outside Australia; or b process or handle the information relating to the records outside Australia; or c cause or permit another person: i to hold the records, or take the records, outside Australia; or ii to process or handle the information relating to the records outside Australia.
In essence, under these provisions, foreign companies handling health related information must build data centers or outsource to local services inside Australia. It also raises practical issues for users who wish to access their data from overseas. The Marco Civil was inspired by the work of Ronaldo Lemos. After the NSA surveillance revealed that the U. This version included a new power for the executive branch: the ability to require that data about Brazilians be stored in Brazil. Article 12 of the new proposed Marco Civil provided as follows:. The Executive branch, through Decree, may force connection providers and Internet applications providers provided for in art.
After consideration, however, the Marco Civil was passed into law on April 23, , without the much-debated data localization provision.
These provincial restraints developed out of attempts to outsource government information technology services to providers based in the United States. Cate, Ctr.
While these rules were formulated long before the Snowden revelations, they were justified by increases in the U. Two Canadian provinces, British Columbia and Nova Scotia, have enacted laws requiring that personal information held by public institutions—schools, universities, hospitals, government-owned utilities, and public agencies—be stored and accessed only in Canada unless one of a few limited exceptions applies. Localization obligations exist in certain Chinese sector-specific operations.
Banks outsourcing their data outside of China need to pay special attention to this requirement, especially as the Notice defines PFI very broadly, including personal information of identity, property, account, credit, financial transaction, etc. The United States Federal Reserve has simply asked banks to examine the risks associated with outsourcing, whether within the United States or offshore. Reserve Sys. July 16, , effective, Sept. The Provisions provide implementing rules for the Decision on Strengthening Protection of Online Information the Decision , a national law issued in December These provisions are in addition to the Information Security Technology Guidelines for Personal Information Protection within Public and Commercial Services Information Systems, promulgated on January 21, , which became effective February 1, A translation of these Guidelines composed by Dr.
The Guidelines prohibit the transfer of personal data abroad without express consent of the data subject or explicit regulatory approval. Article 5.
- Data Nationalism | Emory University School of Law | Atlanta, GA.
- Book of One :-) Volume 1 (Lightworkers Log);
- Yale Law Journal: Volume , Number 1 - October by Yale Law Journal - Book - Read Online.
Absent express consent of the subject of the personal information, or explicit legal or regulatory permission, or absent the consent of the competent authorities, the administrator of personal information must not transfer the personal information to any overseas receiver of personal information, including any individuals located overseas or any organizations and institutions registered overseas. At the same time, it sought to ensure that data about Europeans was well protected as it traveled the world.
Accordingly, it allowed data to be sent outside the European Union or the European Free Trade Association states if it were protected adequately either by local law or by contractual arrangement with the foreign company. See id. Given the amount of information exchanged with the United States, the European Union negotiated a special Safe Harbor with the United States, allowing data to be exported to companies in the United States that abide by certain data protection standards, under the supervision of the Federal Trade Commission.
Recently, however, the European Union has been reconsidering the Safe Harbor, alongside a major effort to rewrite European Union privacy law altogether. On November 27, , the Commission published a set of recommendations that it asked the United States Department of Commerce to consider, with the possibility left open that the Safe Harbor might be suspended. The draft would prohibit the transfer to a country where the law permits local authorities access to personal data from the European Union. Currently, the draft is undergoing Parliament—Council negotiations, which were projected to conclude at the end of Parliament Apr.
The government has directly invested in two cloud computing enterprises, Numergy and Cloudwatt, with a one-third ownership stake in each. In February , Minister of Industry Arnaud Montebourg declared his support for efforts to keep data processing in France in order to support domestic employment. Whether a subsidy to domestic enterprises is a violation of trade commitments is a complicated question. Under the proposal, the tax rate would depend on the level of compliance with respect to privacy, potentially diminishing to zero for those that were fully compliant. The charge could even be waived for the most compliant companies.
If France were to declare that data processing in the United States was noncompliant, even when conducted under the Safe Harbor, such a tax would effectively become a tax on the export of data.
Times Dec. The legislation has drawn criticism.https://horlosimante.gq
Harvard Law Review - Wikipedia
On July 24, , in the wake of the NSA revelations, the Conference of the German Data Protection Commissioners announced that they would stop approving international data transfers until the German government could guarantee that foreign national intelligence services abide by fundamental principles of data protection law. The Commissioners argued that the violations arose because data transferred by German companies can be accessed by the NSA and various other foreign intelligence services without complying with limitation principles viz.
Safe Harbor self-certifications should not be automatically be considered as conclusive proof of adequate protection. While the Commissioners sought to stop data flow outside Europe, some within Germany proposed to limit data flow only to routes within Germany.
In February , Chancellor Angela Merkel proposed that Europe build out its own internet infrastructure designed to keep data within Europe. Some questioned whether the proposals, which would increase both network construction and operation costs significantly, would in fact protect data from foreign surveillance an issue we return to in Part II. A below or simply increase the profits of local network firms. In April , the Indian Ministry of Communications and Technology published privacy rules implementing certain provisions of the Information Technology Act of Information Technology Act, , No.
Information Technology Amendment Act, , No. The rules define the type of information that the Act covers: Sensitive personal data or information of a person means such personal information which consists of information relating to[:]— i password; ii financial information such as Bank account or credit card or debit card or other payment instrument details; iii physical, physiological and mental health condition; iv sexual orientation; v medical records and history; vi [b]iometric information; vii any detail relating to the above clauses as provided to body corporate for providing service; and viii any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise[;] provided that, any information that is freely available or accessible in public domain or finished under the Right to Information Act, or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.
Specifically, Rule 7 provides as follows:. A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.
The Rules, however, do not make it clear how consent for onward transfer from the information collector to the information processor is to be obtained. European Union laws require consent for data collection and processing generally, not special consent for transfer abroad. Special consent required for exporting data suggests that data sent to another country is, by that act, less safe—thus requiring special knowledge and approval of the data subject.
Because consent for offshore transfer can be a significant practical hurdle, American critics of outsourcing to India have sought to impose a consent requirement before consumer information can be sent outside the United States. As drafted, the Indian law seemed to ironically accomplish the goal of those against outsourcing to India—that is, requiring American companies to obtain the consent of individuals before passing their information to India.
While patching over one problem, the clarification may discourage foreign companies from investing in India because to do so would bring them under the purview of the Rules. We return to the impact of data localization on local economic development in Part II. C below. Another statute potentially poses substantial localization pressures for information held by the government.
In , the Delhi High Court interpreted this requirement to bar the transfer of government emails outside India. Times Oct. It ordered the government to formulate a policy for official government email that would comply with the Public Records Act. In February , the National Security Council NSC proposed a policy that might require data localization for Indian citizens, and not just government agencies alone.