Communications - January 2013

Even if the EU harmonizes its data laws, the focus, however, is still on data as residing in one place or within a region. The EU is big enough that one might think location problem is not an issue. One could set up data centers across the EU and move the data within the system. With one law to govern, it will all work out. That view misses the fact that, like a power grid, data networks have cycles of demand and manage that demand dynamically. If there is idle capacity in a region, it may be useful for service outside the region. If there is a demand spike in the region, capacity from outside the region may be used to meet the demand. Location-based data rules clash with these realities. Furthermore, many countries are copying the EU approach to data protection. The EU is a large region and market; Singapore is not. Nor is Vietnam, Costa Rica, Egypt, Peru, Ghana, or most single countries. From a security perspective, location-based rules falter in a large area such as the EU; they fail in smaller markets. Nonetheless, governments have a real need to protect their citizens’ data and to have a legal process to obtain data. Location models, however, do not achieve these goals well.

Possible Ways forward Neither mandated location compliance by governments nor claims of inability to comply with laws by businesses provides satisfactory results; but some options are available. Part of a possible solution is to abandon the location-based aspects of data security laws. Indeed, forcing companies to limit data movement ignores the reality of data management and can increase the security threat rather than reduce it. Unraveling the jurisdiction question is more difficult. As Jack Goldsmith and Tim Wu point out, governments will always find a way to exert power to shape the world as they see fit, so places and borders still matter. 1 This point is already seen in current laws in the U.S. and Europe, which allow governments to access data when investigating national security or terrorism crimes. Thus, countries or regions may fashion new data laws that move beyond location to determine jurisdiction and demand data for areas beyond national security and terrorism. If so, companies will have to find

from a security
perspective,
location-based rules
falter in a large
area such as
the eu; they fail in
smaller markets.

ways to comply. The time when a company could stick its data-head in the sand of one country and reject other countries’ laws may be over precisely because of government needs, global computing services, and advances in data security and networking. If companies wish to have the flexibility to employ different data management methods and especially ones that involve continual movement of data, they cannot simultaneously argue that no law or method covers how and when a government may gain access to data. Yet, it is this need to comply that may undermine the trust of one country over another. For example, Country X may be comfortable with data moving to Country Y, but not Country Z, because Country Z has a history of forcing companies to divulge data. All of which presents an opportunity.

As data security laws evolve, gov-
ernments, companies, and computer
scientists will have to work together
to create a data security system for the
21st century. A key hurdle is identifying
when any government may demand
data. Transparent policies and possibly
treaties could help better identify and
govern under what circumstances a
country may demand data from anoth-
er. Countries might work with local in-
dustry to create data security and data
breach laws with real teeth as a way to
signal that poor data security has conse-
quences. Countries should also provide
more room for companies to challenge
requests and reveal them so the global
market has a better sense of what is
being sought, which countries respect
data protection laws, and which do not.
Such changes would allow companies
to compete based not only on their se-
curity systems but their willingness to
defend customer interests. In return
companies and computer scientists
will likely have to design systems with
an eye toward the ability to respond to
government requests when those re-
quests are proper. Such solutions may
involve ways to tag data as coming from
a citizen of a particular country. Here,
issues of privacy and freedom arise, be-
cause the more one can tag and trace
data, the more one can use it for sur-
veillance. This possibility shows why
increased transparency is needed, for
at the very least it would allow citizens
to object to pacts between governments
and companies that tread on individual
rights. Nonetheless, distributed com-
puting techniques and encryption even
with some type of tracing system may be
better protection than relying on data
residing in one place. After all, if data is
stored in one place and a government
knows where the data is, a government
can simply walk off with the server. So
far, however, the one group that could
explain whether these ideas or others
are viable—computer scientists—is
missing from this interplay.

Reference

1. Goldsmith, j. and Wu, t. Who Controls the Internet?

Illusions of a Borderless World. Oxford university Press, 2006, 180–181.

Deven Desai ( devenrdesai@gmail.com) is a law professor at the thomas jefferson school of law in san diego, Ca, and recently completed serving as the first academic Research Counsel at Google, Inc.