Every time we send an email, tap an Instagram ad, or swipe our credit cards, we create a piece of digital data.
The information travels around the world at the speed of a click and becomes a kind of borderless currency that supports the digital economy. The flow of bits and bytes, which was largely unregulated, helped fuel the rise of transnational mega-corporations like Google and Amazon and reshape global communications, commerce, entertainment and media.
Now the era of open borders for data is coming to an end.
France, Austria, South Africa and more than 50 other countries are accelerating their efforts to control the digital information produced by their citizens, government agencies and businesses. Driven by security and privacy concerns, as well as economic interests and authoritarian and nationalistic motives, governments are increasingly setting rules and standards about how data can and cannot move around the world. The goal is to gain “digital sovereignty”.
Consider that:
- In Washington, the Biden administration is distributing an early draft of an executive order designed to stop rivals like China from accessing US data.
- In the European Union, judges and policymakers are seeking to monitor information generated within the 27-nation bloc, including stricter online privacy requirements and artificial intelligence rules.
- In India, lawmakers are in the process of passing a law that would limit what data can leave the country of nearly 1.4 billion people.
- According to the Information Technology and Innovation Foundation, the number of laws, regulations and government policies requiring digital information to be stored in a given country more than doubled to 144 between 2017 and 2021.
While countries like China have long walled off their digital ecosystems, imposing more national rules on information flows represents a fundamental shift in the democratic world and changes the way the internet has functioned since it was widely commercialized in the 1990s.
The implications for business, privacy and the way law enforcement and intelligence agencies investigate crimes and conduct surveillance programs are far-reaching. Microsoft, Amazon and Google are offering new services that allow companies to store records and information within a specific area. And the movement of data has become part of geopolitical negotiations, including a new pact to share information across the Atlantic that was agreed in principle in March.
“The amount of data has grown to such an extent over the past decade that pressure has been building to bring it under sovereign control,” said Federico Fabbrini, a professor of European law at Dublin City University, who published a book on the subject and argues that data is inherently more difficult to regulate than physical goods.
For most people, the new restrictions are unlikely to shut down popular websites. But users may lose access to some services or features depending on where they live. Facebook’s parent company Meta recently said it would temporarily stop offering augmented reality filters in Texas and Illinois to avoid being sued under laws governing the use of biometrics.
The debate over data throttling reflects wider rifts in the global economy. Countries are rethinking their reliance on foreign assembly lines after supply chains sputtered during the pandemic, slowing deliveries of everything from refrigerators to F-150s. Concerned that Asian computer chip makers could be vulnerable to Beijing’s influence, US and European lawmakers are pushing to build more domestic factories for the semiconductors that power thousands of products.
The shifting attitudes toward digital information are “connected to a broader trend toward economic nationalism,” said Eduardo Ustaran, a partner at Hogan Lovells, a law firm helping companies comply with new data regulations.
The core idea of “digital sovereignty” is that the digital exhaust created by an individual, company or government should be stored in the country where it originated, or at the very least treated in accordance with privacy and other standards established by a government. In cases where information is more sensitive, some authorities want it to be controlled by a local company as well.
That’s a shift from today. Most of the files were initially stored locally on the company’s PCs and mainframes. But as internet speeds increased and telecommunications infrastructure advanced over the past two decades, cloud computing services allowed someone in Germany to store photos on a Google server in California, or a company in Italy to build a website run on Amazon Web Services, operated out of Seattle.
A turning point came after Edward Snowden, a national security contractor, leaked dozens of documents in 2013 describing the widespread US surveillance of digital communications. In Europe, concerns grew that a reliance on US companies like Facebook made Europeans vulnerable to US snooping. That led to protracted legal battles over online privacy and transatlantic negotiations to protect communications and other information transported to US companies.
The aftershocks are still felt.
While the United States supports a free, unregulated approach that lets data zip freely between democratic countries, Russia and others have joined China in shielding the internet and keeping data at their fingertips to monitor citizens and suppress dissent. Europe, with highly regulated markets and data privacy rules, is heading in a different direction.
In Kenya, draft rules require information from payment systems and health services to be stored primarily in the country, according to the Information Technology and Innovation Foundation. Kazakhstan has said that personal data on a server must be kept within its borders.
In the European Union, the personal data of Europeans must meet the requirements of an online privacy law, the General Data Protection Regulation, which came into effect in 2018. Another bill, the Data Act, would set new limits on what corporate information could be made available to intelligence and other authorities outside the bloc, even with a court order.
“It’s the same sense of the sovereign state, that we can maintain knowledge about what we’re doing in sensitive areas, and that’s part of what defines us,” Margrethe Vestager, the European Union’s top antitrust enforcer, said in an interview.
The Biden administration recently issued an executive order to give the government more power to block deals involving Americans’ personal data that endanger national security, two people familiar with the matter said. A government official said the document, previously reported by Reuters, was an initial draft sent to federal agencies for feedback.
But Washington has tried to keep the data flowing between America and its allies. During a March trip to Brussels to coordinate a response to Russia’s invasion of Ukraine, President Biden announced a new agreement to keep data flowing from the European Union to the United States.
The deal was necessary after Europe’s highest court rejected an earlier agreement in 2020 for failing to protect European citizens from espionage by US law enforcement, jeopardizing the operations of thousands of companies sending data across the Atlantic.
In a joint statement in December, Gina Raimondo, the US Secretary of State for Commerce, and Nadine Dorries, the UK’s top digital secretary, said they hoped to counter “the negative trends that risk closing international data flows”. The Department of Commerce also announced last month that it is working with several Asian countries and Canada to help keep digital information flowing between countries.
Now that new rules have been introduced, the tech industry has sounded the alarm. Groups representing Amazon, Apple, Google, Microsoft and Meta argued that the online economy was fueled by the free flow of data. If tech companies had to store everything locally, they wouldn’t be able to offer the same products and services all over the world, they said.
Nevertheless, countries joined forces. In France and Austria, customers of Google’s internet measurement software Google Analytics, which many websites use to collect ratings, were told this year that they could no longer use the program because it could expose Europeans’ personal data to US espionage.
Last year, the French government scrapped a deal with Microsoft to process health-related data after authorities were criticized for awarding the contract to a US company. Officials pledged to partner with local businesses instead.
Companies have adapted. Microsoft said it is taking steps to make it easier for customers to retain data within certain geographic areas. Amazon Web Services, the largest cloud computing service, said it allows customers to control where in Europe data is stored.
In France, Spain and Germany, Google Cloud has made deals with local tech and telecom providers in the past year so that customers can guarantee that their data is checked by a local company while using Google’s products.
“We want to meet them where they are,” said Ksenia Duxfield-Karyakina, who leads Google Cloud’s public policy activities in Europe.
Liam Maxwell, director of government transformation at Amazon Web Services, said in a statement that the company would align with European regulations, but customers should be able to purchase cloud computing services based on their needs, “not limited by where the technology provider is based.”
Max Schrems, an Austrian privacy activist who won lawsuits against Facebook over its data-sharing practices, said more disputes are looming over digital information. He predicted that the US-EU data deal announced by Mr. Biden would again be quashed by the European Court of Justice because it still does not meet EU privacy standards.
“We had a time when data was completely unregulated and people did what they wanted,” said Mr. Schrems. “Now we are gradually seeing that everyone is trying to regulate it but regulates it differently. That is a worldwide problem.”
Ana Swanson contributed reporting.