Cross-border data flows
Data sovereignty — the concept that information is subject to the laws of the country in which it is located; many of the current concerns that surround data sovereignty relate to enforcing privacy regulations and preventing data that is stored in a foreign country from being subpoenaed by the host country’s government
Data localization — barriers to cross-border data flows, such as data-residency requirements that confine data within a country’s borders
Despite the best efforts of early internet pioneers, cyberspace has become a domain subject to nation-state sovereignty. The increasing imposition of sovereignty on cyberspace is a natural corollary to the internet’s growing implications for a nation’s well-being and security.
However, discussion of the relationship between national sovereignty and cyberspace has often been incomplete, focusing only on the traditional question of data sovereignty: limiting the transit of personal data across national borders.
To appropriately account for the costs and benefits of sovereignty in cyberspace, it is necessary to take a wider view that evaluates both data egress (e.g. data sovereignty, export controls on cryptographic protocols) and data ingress (e.g. content restrictions):
- Data egress — Governments have undertaken measures to limit the data that leaves national borders. One salient example of these measures are growing data localization efforts. In the wake of concerns that citizens’ personal information may be surveilled or monetized by corporations, governments have begun to limit the extent to which personal data can cross national borders. As a consequence, in a “cloud-first” world where companies are increasingly creating software offerings premised on access to a centralized pool of resources and applications, data egress limitations are resulting in companies investing in more localized data centres. However, it is unclear whether data localization efforts effectively constrain a foreign government’s access to data on a given host country’s citizens.41
- Data ingress — A more recent trend is policy-making around limiting the data that enters a given country. Establishing national barriers to the spread of information is not a new phenomenon but the application of these barriers to cyberspace is novel. While a number of salient examples exist, the most visible expressions of limitations on data ingress are content-restrictions that various national governments have established to limit citizens’ access to certain websites or content.
Increasing efforts to exercise sovereignty in cyberspace have significant risks and benefits:
- Whether it is expressed in terms of limitations on data egress or data ingress, in general, efforts to increase information control impose additional costs on the users of internet services. For example, if a given country undertakes data localization efforts, cloud-based services will be more expensive to deliver and, in some cases, offered with delays. After all, service providers must amortize the additional cost associated with building or accessing additional relatively expensive data centres.
- Additionally, data localization efforts have a mixed impact on security. While localization legislation may be embraced as an opportunity to set clear policy on security generally, the proliferation of physical data centres (beyond those needed for redundancy) is a security risk because there are more physical targets.42
Policy-makers may consider borrowing from the relatively well-developed intellectual framework of trade economics in considering questions of cross-border data flows. For example, one counter-intuitive finding of trade theory is that an import tax may be effectively borne by exporters. Similarly, efforts to limit “importing” data (e.g. content restrictions) place a heavy burden on data “exporters”. For instance, engineers unable to freely query and refer to global experience in software development are likely to face greater difficulties developing software.
Policy model: Cross-border data flows
Key values trade-offs created by data flow policy choices
Case study: The economics of data centers
Within a given country and also in an international context, the economics of data centres — the physical linchpins for cloud resources — are commonly misunderstood. In general, data localization (and the subsequent reshuffling of data centres) imposes much greater costs than benefits for any subnational locale or country:
Within a given country, there is often intense competition for the promise of enormous investment by companies building data centers, typically through tax incentives. But the capital expenditures associated with a datacenter result in little long-term employment. Indeed, that is in some sense the motivating principle of a datacenter—how to build cloud resources with the lowest recurring operational costs whether it is electricity or people-related costs. The canonical example illustrating these dynamics is a $1B data center built by Apple in North Carolina that created “only” 50 jobs.43
Some policy-makers argue in favour of data localization efforts on the basis of the economic benefit of bringing data centre construction to a given locale. However, the economics of an incremental data centre in a new locale are similarly self-defeating. While there are limited concentrated benefits associated with the construction of a data centre (per the Apple example), the costs associated with the localized provision of cloud services are diffuse and non-trivial. A recent Information Technology & Innovation Foundation report benchmarked these effects using memory allocated for storage and found that data localization greatly increased costs for local companies: between 10.5% and 62.5% more for some cloud-computing services.44 These increased costs are bounded by the availability of alternatives (e.g. a company builds their own private data centre instead of relying on cloud resources).
Data localization costs are not only imposed on users within a given country but also internationally. The providers of cloud resources, despite the increased costs noted above, also amortize some of the costs imposed by a given locale across the entirety of the customer base.
Connecting policy to values
There are few inherent value trade-offs associated with data flow policy choices in the abstract — a number of different polities have implemented and administered data flow limitations with differing effectiveness and impact depending on the national context.
Increased cross-border data flow limitations may improve security insofar as they codify and organize national policy on personal data. In other words, the limitation itself is unlikely to provide security (given the exacting security controls multinational cloud service providers already adopt) outside of policy clarification. That said, data flow limitations, which amount to a mandate to build physical data centres in a given locale, may reduce security depending on the physical security of those data centres and the trustworthiness of ancillary network infrastructure.
Increased data flow limitations will almost certainly increase costs to a greater extent than the security incident damages averted owing to greater security. Data flow limitations have significant direct costs (e.g. more expensive cloud resources) and indirect costs (e.g. decreased cloud adoption and slower innovation).
The impact of data flow limitations on privacy and fairness is ambiguous. For example, increased limitations on the handling and processing of personal health information (PHI) may improve privacy. On the other hand, limitations on the content an individual can access may intrude on an individual’s privacy. Data flow limitations may be entirely fair and neutral (e.g. all cloud providers must adopt certain controls for the transit of personal financial data). Alternatively, data flow limitations may unfairly privilege companies based on national origin (e.g. data in a given locale must be processed by a corporation headquartered in the country of national origin).
Increased limits on cross-border data flows will almost always increase the accountability of the private sector. Administering data flow limitations will be a private-sector-led effort in most contexts, and as such it will be the responsibility of that sector to ensure that specific limitations are affected.