A Fear of Being Fenced In: It’s Time for the United States to Tackle Data Localization

In the age of Google, Facebook, and YouTube, it seems as if we have finally reached a somewhat egalitarian moment in history. All internet users have access to these resources regardless of socioeconomic status. Yet, these resources are not exactly ‘free.’ 

Anytime someone logs onto the internet and uses a search engine or social media platform, that individual gives up personal data in exchange for access to the platform. In an unorthodox economic transaction, the 21st century has seen personal data replace traditional currencies — serving as the basis for our emerging digital economy. Companies like Google, Facebook, and Apple collect, process and use personal data for monetary gain. Analyzing personal data allows companies to create targeted ads and feedback loops that cater to personal preferences. 

But Americans seriously undervalue their personal data, especially when it comes to national security. Despite Edward Snowden’s 2013 publications which revealed that service providers like Google, Microsoft, and Facebook handed over user data to the National Security Agency for surveillance purposes, little has been done to strengthen personal data protection in the United States. Beyond its value as a means of government intelligence efforts, personal data inherently possesses commercial value. Companies that collect personal data (nearly any online service provider) have the ability to use that information largely at their own discretion

Personal data might seem like an unusual currency; however, it demands just as much attention and regulation as more traditional currencies like the U.S. dollar. The U.S. government must expand its ability to protect American consumers and internet users, beginning with the establishment of data localization laws. 

In the realm of personal data collection, one structure in particular garners special attention when it comes to the government’s ability to protect citizens: the cloud. In theory the cloud is a network of software and services that does not run locally on a computer. However, in practice, the cloud is a structure grounded in many physical locations and servers. Most consumers do not stress about information stored on iCloud or Google Drive because like their names suggest, this information lives in some non-geographic location. 

Therein lies the problem facing America today: How do we promote a cloud that simultaneously protects personal data and U.S. national security? 

It might make the most sense for large tech companies to tackle this issue. After all, they are the ones that created this issue in the first place. However, countries are not waiting for the private sector to take the lead on personal data protection when it comes to the cloud. The European Union, China, and Russia have already developed frameworks for handling personal data collection and cloud storage within their respective borders. In the European Union, regulators argue that large technology companies use data collection to monopolize the market and create unfair competition. Officials in China and Russia argue that data localization laws are necessary for proper law enforcement practices.

At present, the United States refuses to engage on this issue based on the principle that limiting the free flow of information and data across the internet would be “undemocratic.” But this logic is flawed primarily because the idea of a global free flow is cosmopolitan, but not necessarily democratic. Furthermore, some countries have already established laws on this issue thereby limiting free flow of data across the world. The United States is fooling itself if it believes it can maintain such a free flow of data and information. The U.S. government must abandon “data exceptionalism” or the notion that data is “incompatible with existing territorial notions of jurisdiction” and instead begin developing the American framework for cloud data localization. 

Data localization laws protect American interests by ensuring that American data cannot become subject to abuse abroad. For example, under current U.S. law, if the Russian government demanded that Google hand over all of its data about a certain American under investigation, Google would have to hand over all of the data located on that individual stored on servers in Russia. 

Likewise, if the U.S. government wanted a company to hand over personal data for an individual in question, and that data was located outside of the United States, there is no guarantee that the U.S. would be able to locate the data regardless of the individual’s nationality. 

While it might seem nice in theory for the United States to stay out of debates about data localization, other countries are forcing the issue. If the United States does not establish its own framework for data localization, we may find ourselves adhering to standards and regulations put forth by people and governments in faraway countries.