Even if the EU harmonizes its data
laws, the focus, however, is still on
data as residing in one place or within
a region. The EU is big enough that one
might think location problem is not
an issue. One could set up data centers
across the EU and move the data within
the system. With one law to govern, it
will all work out. That view misses the
fact that, like a power grid, data networks have cycles of demand and manage that demand dynamically. If there is
idle capacity in a region, it may be useful
for service outside the region. If there is
a demand spike in the region, capacity
from outside the region may be used
to meet the demand. Location-based
data rules clash with these realities.
Furthermore, many countries are copying the EU approach to data protection.
The EU is a large region and market;
Singapore is not. Nor is Vietnam, Costa
Rica, Egypt, Peru, Ghana, or most single
countries. From a security perspective,
location-based rules falter in a large
area such as the EU; they fail in smaller
markets. Nonetheless, governments
have a real need to protect their citizens’ data and to have a legal process to
obtain data. Location models, however,
do not achieve these goals well.
Possible Ways forward
Neither mandated location compliance by governments nor claims of
inability to comply with laws by businesses provides satisfactory results;
but some options are available. Part
of a possible solution is to abandon
the location-based aspects of data security laws. Indeed, forcing companies to limit data movement ignores
the reality of data management and
can increase the security threat rather
than reduce it. Unraveling the jurisdiction question is more difficult. As Jack
Goldsmith and Tim Wu point out, governments will always find a way to exert
power to shape the world as they see
fit, so places and borders still matter. 1
This point is already seen in current
laws in the U.S. and Europe, which allow governments to access data when
investigating national security or terrorism crimes. Thus, countries or regions may fashion new data laws that
move beyond location to determine jurisdiction and demand data for areas
beyond national security and terrorism. If so, companies will have to find
from a security
perspective,
location-based rules
falter in a large
area such as
the eu; they fail in
smaller markets.
ways to comply. The time when a company could stick its data-head in the
sand of one country and reject other
countries’ laws may be over precisely
because of government needs, global
computing services, and advances in
data security and networking. If companies wish to have the flexibility to
employ different data management
methods and especially ones that involve continual movement of data,
they cannot simultaneously argue
that no law or method covers how and
when a government may gain access to
data. Yet, it is this need to comply that
may undermine the trust of one country over another. For example, Country
X may be comfortable with data moving to Country Y, but not Country Z, because Country Z has a history of forcing companies to divulge data. All of
which presents an opportunity.
As data security laws evolve, gov-
ernments, companies, and computer
scientists will have to work together
to create a data security system for the
21st century. A key hurdle is identifying
when any government may demand
data. Transparent policies and possibly
treaties could help better identify and
govern under what circumstances a
country may demand data from anoth-
er. Countries might work with local in-
dustry to create data security and data
breach laws with real teeth as a way to
signal that poor data security has conse-
quences. Countries should also provide
more room for companies to challenge
requests and reveal them so the global
market has a better sense of what is
being sought, which countries respect
data protection laws, and which do not.
Such changes would allow companies
to compete based not only on their se-
curity systems but their willingness to
defend customer interests. In return
companies and computer scientists
will likely have to design systems with
an eye toward the ability to respond to
government requests when those re-
quests are proper. Such solutions may
involve ways to tag data as coming from
a citizen of a particular country. Here,
issues of privacy and freedom arise, be-
cause the more one can tag and trace
data, the more one can use it for sur-
veillance. This possibility shows why
increased transparency is needed, for
at the very least it would allow citizens
to object to pacts between governments
and companies that tread on individual
rights. Nonetheless, distributed com-
puting techniques and encryption even
with some type of tracing system may be
better protection than relying on data
residing in one place. After all, if data is
stored in one place and a government
knows where the data is, a government
can simply walk off with the server. So
far, however, the one group that could
explain whether these ideas or others
are viable—computer scientists—is
missing from this interplay.
Reference
1. Goldsmith, j. and Wu, t. Who Controls the Internet?
Illusions of a Borderless World. Oxford university
Press, 2006, 180–181.
Deven Desai ( devenrdesai@gmail.com) is a law professor
at the thomas jefferson school of law in san diego, Ca,
and recently completed serving as the first academic
Research Counsel at Google, Inc.
Copyright held by author.