The information pings around the world at thespeed of a click, becoming a kind of borderless currency that underpins thedigital economy. Largely unregulated, the flow of bits and bytes helped fuelthe rise of transnational megacompanies like Google and Amazon and reshapedglobal communications, commerce, entertainment and media.
Now the era of open borders for data isending.
France, Austria, South Africa and more than 50other countries are accelerating efforts to control the digital informationproduced by their citizens, government agencies and corporations. Driven bysecurity and privacy concerns, as well as economic interests and authoritarianand nationalistic urges, governments are increasingly setting rules andstandards about how data can and cannot move around the globe. The goal is togain “digital sovereignty.”
Consider that:
— In Washington, the Biden administration iscirculating an early draft of an executive order meant to stop rivals such asChina from accessing American data.
— In the European Union, judges andpolicymakers are pushing efforts to guard information generated within the27-nation bloc, including tougher online privacy requirements and rules forartificial intelligence.
— In India, lawmakers are moving to pass a lawthat would limit what data can leave the nation of almost 1.4 billion people.
— The number of laws, regulations andgovernment policies that require digital information to be stored in a specificcountry more than doubled to 144 from 2017 to 2021, according to theInformation Technology and Innovation Foundation.
While countries like China have long cordonedoff their digital ecosystems, the imposition of more national rules oninformation flows represents a fundamental shift in the democratic world andalters how the internet has operated since it became widely commercialised inthe 1990s.
The repercussions for business operations,privacy and how law enforcement and intelligence agencies investigate crimesand run surveillance programs are far-reaching. Microsoft, Amazon and Googleare offering new services to let companies store records and information withina certain territory. And the movement of data has become part of geopoliticalnegotiations, including a new pact for sharing information across the Atlanticthat was agreed to in principle in March.
“The amount of data has become so big over thelast decade that it has created pressure to bring it under sovereign control,”said Federico Fabbrini, a professor of European law at Dublin City Universitywho edited a book on the topic and argues that data is inherently harder toregulate than physical goods.
For most people, the new restrictions areunlikely to shut down popular websites. But users might lose access to someservices or features depending on where they live. Meta, Facebook’s parentcompany, recently said it would temporarily stop offering augmented realityfilters in Texas and Illinois to avoid being sued under laws governing the useof biometric data.
The debate over restricting data echoesbroader fractures in the global economy. Countries are rethinking theirreliance on foreign assembly lines after supply chains sputtered in thepandemic, delaying deliveries of everything from refrigerators to F-150s.Worried that Asian computer chip producers might be vulnerable to Beijing’sinfluence, American and European lawmakers are pushing to build more domesticfactories for the semiconductors that power thousands of products.
Shifting attitudes toward digital informationare “connected to a wider trend toward economic nationalism,” said EduardoUstaran, a partner at Hogan Lovells, a law firm that helps companies complywith new data rules.
The core idea of “digital sovereignty” is thatthe digital exhaust created by a person, business or government should bestored inside the country where it originated, or at least handled in accordancewith privacy and other standards set by a government. In cases whereinformation is more sensitive, some authorities want it to be controlled by alocal company, too.
That’s a shift from today. Most files wereinitially stored locally on personal computers and company mainframes. But asinternet speeds increased and telecommunications infrastructure advanced overthe past two decades, cloud computing services allowed someone in Germany tostore photos on a Google server in California, or a business in Italy to run awebsite off Amazon Web Services operated from Seattle.
A turning point came after national securitycontractor Edward Snowden leaked scores of documents in 2013 that detailedwidespread US surveillance of digital communications. In Europe, concerns grewthat a reliance on American companies like Facebook left Europeans vulnerableto US snooping. That led to protracted legal fights over online privacy and totrans-Atlantic negotiations to safeguard communications and other information transportedto American firms.
The aftershocks are still being felt.
While the United States supports a free,unregulated approach that lets data zip between democratic nations unhindered,China has been joined by Russia and others in walling off the internet andkeeping data within reach to surveil citizens and suppress dissent. Europe,with heavily regulated markets and rules on data privacy, is forging anotherpath.
In Kenya, draft rules require that informationfrom payments systems and health services be primarily stored inside thecountry, according to the Information Technology and Innovation Foundation.Kazakhstan has said personal data must be kept on a server within its borders.
In the European Union, the personal data ofEuropeans must meet the requirements of an online privacy law, the General DataProtection Regulation, which took effect in 2018. Another draft law, the DataAct, would apply new limits on what corporate information could be madeavailable to intelligence services and other authorities outside the bloc, evenwith a court order.
“It’s the same sense of the sovereign state,that we can maintain knowledge about what we do in areas that are sensitive,and that is part of what defines us,” said Margrethe Vestager, the topantitrust enforcer of the European Union.
The Biden administration recently drafted anexecutive order to give the government more power to block deals involvingAmericans’ personal data that put national security at risk, said two peoplefamiliar with the matter. An administration official said the document, whichReuters earlier reported, was an initial draft sent to federal agencies forfeedback.
But Washington has tried to keep data flowingbetween America and its allies. On a March trip to Brussels to coordinate aresponse to Russia’s invasion of Ukraine, President Joe Biden announced a newagreement to allow data from the European Union to continue flowing to theUnited States.
The deal was needed after the top Europeancourt struck down a previous agreement in 2020 because it did not protectEuropean citizens from spying by American law enforcement, imperiling theoperations of thousands of companies that beam data across the Atlantic.
In a joint statement in December, GinaRaimondo, the US secretary of commerce, and Nadine Dorries, Britain’s topdigital minister, said they hoped to counteract “the negative trends that riskclosing off international data flows.” The Commerce Department also announcedlast month that it was joining with several Asian nations and Canada to keepdigital information flowing between countries.
As new rules have been introduced, the techindustry has raised alarms. Groups representing Amazon, Apple, Google,Microsoft and Meta argued the online economy was fuelled by the free flow ofdata. If tech companies were required to store it all locally, they could notoffer the same products and services around the world, they said.
But countries nevertheless clamped down. InFrance and Austria, customers of Google’s internet measurement software, GoogleAnalytics, which is used by many websites to collect audience figures, weretold this year not to use the program anymore because it could expose thepersonal data of Europeans to American spying.
Last year, the French government scrapped adeal with Microsoft to handle health-related data after authorities werecriticised for awarding the contract to an American firm. Officials pledged topartner with local firms instead.
Companies have adjusted. Microsoft said it wastaking steps so customers could more easily keep data within certaingeographical areas. Amazon Web Services, the largest cloud computing service,said it lets customers control where in Europe data is stored
In France, Spain and Germany, Google Cloud hassigned deals in the past year with local tech and telecom providers socustomers can guarantee that their data is overseen by a local company whilethey use Google’s products.
“We want to meet them where they are,” saidKsenia Duxfield-Karyakina, who leads Google Cloud’s public policy operations inEurope.
Liam Maxwell, director of governmenttransformation at Amazon Web Services, said in a statement that the companywould adapt to European regulations but that customers should be able to buycloud computing services based on their needs, “not limited by where thetechnology provider is headquartered.”
Max Schrems, an Austrian privacy activist whowon lawsuits against Facebook over its data-sharing practices, said moredisputes loom over digital information. He predicted the US-EU data dealannounced by Biden would be struck down again by the European Court of Justicebecause it still does not meet EU privacy standards.
“We had a time where data was not regulated atall and people did whatever they wanted,” Schrems said. “Now gradually we seethat everyone tries to regulate it but regulate it differently. That’s a globalissue.”
©2022 The New York Times Company
