Required storage of data in a certain location might seem like the anti-internet openness pipe dream of an authoritarian government. But, that could not be further from the truth, with governments from New Delhi to Washington also implementing or considering rules that mandate local storage of data.
ADVERTISEMENTLast week, a Moscow court fined Twitter and Facebook for not complying with data localisation requirements, rules that mandate the company to store data on Russian citizens geographically within Russian borders. Roskomnadzor, Russia’s internet regulator, said the companies would continue to be fined if they didn’t comply in the near future.
Required storage of data in a certain location might seem like the anti-internet openness pipe dream of an authoritarian government. But, that could not be further from the truth, with governments from New Delhi to Washington (and, yes, to Beijing) also implementing or considering rules that mandate local storage of digital information. The recent Russia case demonstrates, however, that these policies don’t come without costs and challenges - nor without pushback.
Facebook, Twitter, and other internet companies holding data on Russian citizens are supposed to store that information in Russia. It dates back to when a 2015 law requiring Russians’ information to be kept in-country went into effect. The latest fines represent increased penalties that the Russian government enacted at the end of last year, building on this past legislation, for firms who don’t comply.
It’s probably easy to dismiss Russian data localisation laws out-of-hand as poorly masqueraded attempts to get better law enforcement and security service access to data on Russian citizens. Certainly, this is one motivation at play. But the Kremlin is also legitimately concerned about American social media companies - and in their view, by extension, the US government - having access to information on Russian persons. President Putin and his close advisors have long seen US tech platforms as a means for the government to project power and access information, so these concerns play into this ongoing data localisation push as well.
These motivations (and concerns) are shared elsewhere. India has data localisation requirements in areas like payment data. Data in that category, held by companies incorporated domestically and abroad, must be stored in-country. The draft of India’s Personal Data Protection Bill, recently published by the country’s parliament, also contains requirements that certain data must be copied within the country, though some can still be sent abroad (dubbed “mirroring”). Europe’s General Data Protection Regulation (GDPR) also has requirements limiting the out-bound transfer of data. Beijing is in the midst of enacting broad data localisation rules too.
Even the United States is entering the fray. There already exists rules for cloud contractors working with the Defense Department to store their data on US territory. In November, Senator Josh Hawley introduced a bill that would force Chinese and Russian companies with data on Americans to store the information in the States. The Huawei saga could even be considered an exercise in concern about where internet data is stored and how it could potentially be accessed by foreign governments.
What Russia’s case demonstrates is that such pushes towards data localisation don’t come without costs, challenges, and pushback. For instance, Moscow fined Facebook and Twitter back in 2019 for disobeying these laws. Social media users mocked the almost pathetically low fine - 3,000 rubles, not even $50 (€44). The recent fines were the first time such penalties have ever hit five figures’ worth in American currency. It’s unlikely these fines will weaken the resolve of multi-billion-dollar companies who have resisted these policies for years.
Reasons to push back against data localisation are numerous. Storing data within Russian borders could allow law enforcement and intelligence services heightened access to citizens’ information - hardly a plus for human rights in an authoritarian country. It also costs money to buy servers and change technical routing protocols to ensure data can be stored locally; firms might not want to spend that money or set these kinds of precedents. This explains why, for example, US firms have aggressively lobbied against the data localisation rules under consideration in India.
There can even be costs for governments. In 2016, Russia banned LinkedIn from operating within the country after it failed to comply with local storage requirements. Why, then, has Russia not similarly banned Facebook or Twitter? Perhaps it’s because those services remain popular within the country. Perhaps it’s because those companies have been more successful in behind-closed-door conversations with Moscow, though that seems a less likely explanation. But the government might not want to cut off services altogether that citizens and businesses need.
Simply put, specific costs of data localisation policies can relate to security and research, economics and content censorship. They vary in specific cases, and pushback from different companies, governments, civil society groups, and other entities likewise varies depending on the situation. States controlling access to large domestic markets - like in India or China - could have an easier time forcing compliance from firms. Companies whose services are in high demand likewise could enjoy greater success in resisting data localisation rules, or attempting to have them relaxed before codified into law.
But there still might be reasons why states would want to pursue data localisation. For countries with laws that allow government access to citizen data without real oversight, there are legitimate risks that sensitive information could be exposed. It’s worth scrutinising the type of data localisation envisaged, though, and what it accomplishes. Mirroring requirements that only force copies of data to be locally stored, for example, wouldn’t necessarily address US and European policymakers’ concerns about the Chinese authorities’ access to their citizens’ information.
Data localisation is on the global rise, and in many cases, it threatens to further undermine the relatively free flow of data that has been enjoyed on the global internet for decades. The recent case in Russia, as well as other pushes playing out across the globe, should therefore be a lesson: these efforts don’t come without challenges and pushback, and they certainly don’t come without costs.
Where pushback is possible, governments and other actors should try to minimise costs where appropriate, such as not elbowing small players out of the market altogether. And where pushback isn’t possible, governments need to confront the reality of balancing privacy considerations, internet freedom, economic benefits and security risks.
Justin Sherman is a Fellow at the Atlantic Council’s Cyber Statecraft Initiative.
____________
Are you a recognised expert in your field? At Euronews, we believe all views matter. Contact us at view@euronews.com to send pitches or submissions and be part of the conversation.