Every time we send an email, tap on an Instagram ad, or swipe our credit cards, we create digital data.
Information circles the world at the speed of a click, becoming a sort of borderless currency that underpins the digital economy. Largely unregulated, the flow of bits and bytes has helped fuel the rise of transnational megacorporations such as Google and Amazon and reshaped global communications, commerce, entertainment and media.
Today, the era of open borders for data is coming to an end.
France, Austria, South Africa and more than 50 other countries are accelerating their efforts to control the digital information produced by their citizens, government agencies and businesses. Driven by security and privacy concerns, as well as economic interests and authoritarian and nationalistic impulses, governments are increasingly setting rules and norms about how data can and cannot move around the world. world. The goal is to achieve “digital sovereignty”.
- In Washington, the Biden administration is circulating an early draft of an executive order intended to block rivals such as China from accessing US data.
- In the European Union, judges and policymakers are scrambling to protect information generated within the 27-nation bloc, including stricter online privacy requirements and rules for artificial intelligence.
- In India, lawmakers are set to pass a law that would limit data that can leave the country of nearly 1.4 billion people.
- According to the Information Technology and Innovation Foundation, the number of laws, regulations and government policies requiring the storage of digital information in a specific country has more than doubled to 144 between 2017 and 2021.
While countries like China have long sealed off their digital ecosystems, the imposition of more national rules on information flows represents a fundamental shift in the democratic world and is changing the way the Internet works since its large-scale commercialization in the 1990s.
The implications for business operations, privacy, and how law enforcement and intelligence agencies investigate crimes and run surveillance programs are significant. Microsoft, Amazon and Google are offering new services to allow companies to store records and information in a certain territory. And the movement of data has become part of geopolitical negotiations, including a new pact for information sharing across the Atlantic that was agreed to in principle in March.
“The amount of data has grown so large over the last decade that it has created pressure to put it under sovereign control,” said Federico Fabbrini, professor of European law at Dublin City University, who edited a book on the subject and asserts that data is inherently more difficult to regulate than physical goods.
For most people, the new restrictions are unlikely to cause popular websites to shut down. But users may lose access to certain services or features depending on where they live. Meta, Facebook’s parent company, recently said it would temporarily stop offering augmented reality filters in Texas and Illinois to avoid being prosecuted under laws governing the use of biometric data.
The data restriction debate echoes broader rifts in the global economy. Countries are rethinking their reliance on foreign assembly lines after supply chains collapsed in the pandemic, delaying deliveries of everything from refrigerators to F-150s. Fearing that Asian computer chip producers could be vulnerable to Beijing’s influence, U.S. and European lawmakers are pushing to build more domestic factories for semiconductors that power thousands of products.
Changing attitudes towards digital information are “linked to a broader trend of economic nationalism”, said Eduardo Ustaran, partner at Hogan Lovells, a law firm that helps companies comply with new data rules.
The central idea of “digital sovereignty” is that digital escape created by a person, business or government should be stored in the country it originated, or at least treated in accordance with established privacy and other standards by a government. In cases where the information is more sensitive, some authorities want it to be checked by a local company as well.
This is a change from today. Most files were initially stored locally on personal computers and company mainframes. But as internet speeds increased and telecommunications infrastructure advanced over the past two decades, cloud services allowed someone in Germany to store photos on a Google server in California, or a company in Italy to run a website from Seattle-based Amazon Web Services.
A turning point came after national security contractor Edward Snowden leaked dozens of documents in 2013 that detailed widespread US surveillance of digital communications. In Europe, concerns grew that reliance on American companies like Facebook made Europeans vulnerable to American espionage. This has led to long legal battles over online privacy and transatlantic negotiations to protect communications and other information passed to American companies.
The aftershocks are still being felt.
While the United States supports a free and unregulated approach that allows data to flow unhindered between democratic nations, China has been joined by Russia and others in blocking the internet and keeping data close at hand to monitor citizens and suppress dissent. Europe, with heavily regulated markets and data privacy rules, is charting another course.
In the European Union, the personal data of Europeans must meet the requirements of an online privacy law, the General Data Protection Regulation, which came into force in 2018. Another bill, the law on data, would enforce new limits on what corporate information could be made available to intelligence services and other authorities outside the bloc, even by court order.
The Biden administration recently drafted an executive order to give the government more power to block deals involving Americans’ personal data that endanger national security, two people familiar with the matter said. An administration official said the document, which Reuters reported earlier, was an early draft sent to federal agencies for comment.
But Washington has tried to maintain the flow of data between America and its allies. During a trip to Brussels in March to coordinate a response to the Russian invasion of Ukraine, President Joe Biden announced a new deal to allow data from the European Union to continue flowing to the United States .
The deal was needed after Europe’s top court overturned a previous deal in 2020 because it failed to protect European citizens from espionage by US law enforcement, jeopardizing the operations of thousands of companies that transmit data across the Atlantic.
In a joint statement in December, Gina Raimondo, the US trade secretary, and Nadine Dorries, Britain’s top digital minister, said they hoped to counter “negative trends that risk blocking international data flows”. The Commerce Department also announced last month that it was joining several Asian countries and Canada in keeping digital information flowing between countries.
As new rules were introduced, the tech industry sounded the alarm. Groups representing Amazon, Apple, Google, Microsoft and Meta have argued that the online economy is fueled by the free flow of data. If tech companies were required to store everything locally, they wouldn’t be able to offer the same products and services around the world, they said.
But countries have cracked down nonetheless. In France and Austria, customers of Google’s Internet measurement software, Google Analytics, which is used by many websites to collect audience figures, were warned this year not to use the program again because it could expose the personal data of Europeans to American espionage.
Last year, the French government canceled a deal with Microsoft to handle health-related data after authorities came under fire for awarding the contract to a US company. Officials pledged to partner with local businesses instead.
Companies have adapted. Microsoft said it was taking steps to make it easier for customers to retain data in certain geographies. Amazon Web Services, the largest cloud computing service, said it gives customers control over where data is stored in Europe.
In France, Spain and Germany, Google Cloud last year signed agreements with local technology and telecommunications providers so that customers can guarantee that their data is monitored by a local company when using Google products. .
“We want to meet them where they are,” said Ksenia Duxfield-Karyakina, who leads Google Cloud’s public policy operations in Europe.
Liam Maxwell, director of government transformation at Amazon Web Services, said in a statement that the company would adapt to European regulations but customers should be able to purchase cloud services based on their needs, “not limited by the place where the technology provider is headquartered”. .”