Bitthal Sharma

This article critically analyses issues related to data localisation and data sovereignty in the wider context of their potential impact on the efficiency of global and local cloud systems.

Introduction

In the past few years, a new trend of data localization, referring to various governments trying to control the flow of data to keep it within their own jurisdictions has swept across the world. Data localization, also known as “data residency” or “data sovereignty” are typically resorted to store and manage personal, critical or financial data in the jurisdiction in which it originated, subject to access and local regulation by law enforcement agencies.

Recently, countries including India, Indonesia, Vietnam, China and Russia have been focusing on passing legislations in their pursuit of controlling and managing the data originated within their jurisdictions, with additional steps of keeping the data within their borders and forbidding it to pass to other countries. According to a study, it is estimated that there are more than 200 data regulations being implemented worldwide, with the overall level of restrictiveness in the European Centre for International Political Economy (ECIPE) doubling in the past decade. These stringent measures which directly contravene the free flow of data across borders can not only prove detrimental to the economy and competitiveness in the long run, but can also stand in the way of other essential digital services, including cloud computing.

This article aims to evaluate the repercussions data localization and local cloud services can have on efficacy of cloud computing by analyzing the recent laws and regulations passed by certain countries, in order to keep the data flow across borders in check and rein over it in the name of “data sovereignty”.

Effect of Data Localization on Cloud Computing

A spew of data localization efforts is steadily on the rise. Numerous countries, be it a totalitarian regime or a democratic state, are attempting to curb cross border transfer of data, trying to exercise significant authority over the data originated within their respective borders. These actions provide a sordid view of how internet freedom is constantly on the wane. The growth of data localization can be credited to countries resorting to justifications such as access to data, consumer protection and privacy, protection against foreign access and control of content, among others. A deep dive into these rationales would give off the view that they don’t actually solve any of these problems but are merely used by governments as excuses to control the data originating in their local servers. This article would not go into the nuances regarding the workings of each of the rationales as it’s outside the scope.

Data localization can further be categorized into two types. Soft data localization which involves “mirroring,” meaning that copies of a certain kind of data must be stored within a certain area but does not restrict the copying or transmission of that data elsewhere. On the other end of the spectrum lies hard data localization, which mandates that certain data including “critical infrastructure data” and “sensitive personal data” must be stored within certain borders and not allowed to be transmitted across borders.

It’s the hard data localization which unveils itself as the bone of contention, impeding the overall efficaciousness of cloud computing services, thus threatening the very fabric on which they’ve established themselves in the digital space over time. The demand for data localization by governments appears to decimate the very purpose of cloud computing, as cross border flow of data is indispensable for their operation. Although no absolute definition of cloud computing is present at the moment, the one given by the US National Institute of Standards Technology (NIST) is considered the most acceptable one which defines it as “model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

This definition appropriately reflects the omnipresent and prevalent nature of cloud computing services all over the globe, which is contravened by the localization norms and regulations in the false cry of justifications including foreign surveillance, privacy and security by governments all around the world. Furthermore, localization requirements are problematic for cloud computing due to the essential impact of “location independence” to its functioning.

The Changing Face of Cloud Computing: Different Jurisdictions

A number of internet users and policymakers, particularly in Europe have come to the unfortunate and ineffective conclusion that storing data locally or regionally can magically solve all privacy and security related problems. While the risks concerning data protection and individual privacy may subsidize minimally, data localization is no panacea, much to the dismay of many people. Cloud computing works on the premise of data mirroring, in which copies of certain data packets are stored on different servers in different jurisdictions. This would help in the prevention of information compromise amidst a hacking incident or a natural disaster. Data localization measures work to thwart such data mirroring and render it defunct. This makes it difficult for cloud service providers to take advantage of the internet’s distributed infrastructure and use sharding and obfuscation on the global spectrum.

This is apparent from a paper published by the International Trade Commission, according to which “Localization requirements are problematic for cloud providers, as ‘location independence’ is a core aspect of the cloud delivery model. Policies that require providers to locate facilities in a given location may leave them with the choice of selecting a suboptimal location or not serving the target market at all.” Hence, continuation of this localization trend will not only impede the openness and accessibility of cloud services, but also create a web of constricted and less resilient network paltry performance.

Legislations

A slew of recently passed cybersecurity laws by governments are testament to their intention of controlling and managing the data which originates within their jurisdictions.  For instance, the Personal Data Protection Bill, 2019 prepared by the Indian Parliament mandates that critical personal data of certain kind cannot be transferred and stored outside the country. The EU, which was successful in passing and enforcing the world’s first data privacy law, the General Data Protection Regulation (GDPR), described India’s overall data localization requirements in the draft Personal Data Protection Bill as “unnecessary, harmful, and likely to have negative effects on trade and investments.” Aside from this move, the Reserve Bank of India (RBI) issued a new rule for payment system providers operating in the country to localize all user data within the borders. This has caused confusion among these service providers regarding the manner in which they are supposed to comply with the arbitrary guidelines. Various foreign entities and policy researchers have argued that this was an unnecessarily protectionist measure that might prove to be detrimental to the economy. According to NASSCOM, this move by RBI would stifle the progress of global cloud platforms. India’s attempts at enforcing data localization measures to ensure safety of user data can be achieved through other reasonable measures such as encryption and other clear legal frameworks. Moreover, it’s time the country accepts the fact that data localization is no solution for every cybersecurity problem and starts ratifying global trade negotiations promoting minimization of data localization such as the Osaka Track.

 Russia on the other hand has specified the collection and storage of databases containing of personal data of its citizens via Federal Law No.241-FZ. China, which is infamous for its “great firewall” has taken a further leap by inserting Article 37 in its Cybersecurity Law, which mandates operators to store “critical information infrastructure” (CII) within the mainland, the ambit of which is significantly amplified due to the definition of CII, not being limited to “public communication and information services, energy, transportation, water resources, finance, public services, e-governance.” The effect of this nebulous and somewhat wide provision, along with Article 2 of the Draft Measures and Article 3.1 of the Draft Guidelines has cast a looming shadow over the proper functioning and freedom of cloud services, giving something to ponder upon for the corporations. As a result, conglomerates such as Apple and Microsoft have been forced to store all cloud data in Guizhou-Cloud Big Data, a government-owned data centre. Such control over data stored on cloud servers within the border not only goes against the very ethos of cross border flow of data, as enunciated by paragraphs 15-18 of the OECD Guidelines which advocate for free flow of data across border without any undue influence, but also becomes an easy target for state sponsored surveillance over citizens.

Local Cloud

The threat to cloud service providers through the enactment of legislations and regulations is further exacerbated by the emergence of data localization conducted through local cloud services, lead by European nations. One of the earliest proposals of a local cloud service was France’s Minitel system, a “pay for use” cloud-based system which lets individuals access various services within the French borders. This prevented in the transfer of personal data to other countries, which was seen as a successful endeavour in furtherance of data privacy and security. In 2011, the German government led a similar initiative when it announced the establishment of Bundescloud (federal cloud). Andromède, a French federal cloud was given green light by the government in 2012 as a response to the 2011 German initiative. The recently announced Gaia-X European open cloud and data infrastructure project has further caused controversy across the cloud sector due to its fixation with data sovereignty and control over data. These projects have been followed by a call for “Shengen for data”, an agreement to aggrandize and manage cloud data within a “safe” geographical zone determined by no particular distinction.

One of the inherent setbacks of such proposed local cloud services lies in the fact that the presumption on which they’ve been put forward is in itself flawed. While personal data can be stored on cloud servers locally to give way to privacy and data protection, the absence of data mirroring will only prove to be detrimental in the long run. Storing data on a single cloud server without duplicating it on other servers worldwide would make it vulnerable and an easy target for hackers and other mischievous organizations. Localization increases entry points, thereby reducing overall security. This is a major concern for sectors such as finance and banking. Even from the economic stand point, cloud service providers will have to bear the brunt by augmenting their services within the country involved in imposing data localization measures through establishment of local servers or prohibiting cross border flow of data to other countries. A study conducted by Leviathan proves that local companies are forced to pay significantly more for cloud services in Brazil and Europe if they’re cut off from the global cloud providers.

The plans for data localization combined with local cloud infrastructure projects have in large parts been a reaction and a safety net to surveillance activities conducted by US from which majority of the cloud services originate from. But the expectation that these actions would prevent surveillance are not well-founded, owing to the legislative structure in the country. In United States v. Fields, the court held that it “simply cannot acquiesce in the proposition that United States criminal investigations must be thwarted whenever there is conflict with the interest of other states. Following the same trial, in United States v. Bank of Nova Scotia, the court stated that it can demand any kind of information from a conglomerate as long as it had a subsidiary in US. These decisions directly allude that the no matter the location of a cloud server, the US government has absolute prerogative to access the personal data of individuals if the cloud service provider comes within its jurisdiction. This is complemented by the PATRIOT Act, under which the government can intercept and inspect data stored by a US-based company, notwithstanding the location of the same, as stated by the head of Microsoft UK and its chief counsel in Australia.

The European countries are equally, if not more interested in surveillance and snooping activities. The UK’s Regulation of Investigatory Powers Act 2000 confers powers as those provided by the PATRIOT Act. Article 100 of France’s Code of Criminal Procedure gives freeway to the law enforcement agencies to get involved in “special investigative techniques” under any circumstances “if the requirements of the investigation call for it.” Chapter 27 of the Swedish Code of Judicial Procedure is just as pernicious with regards to data privacy of an individual, as it allows for cross-border snooping. These laws are testament to the fact that storing data in locally, on a single server rather than multiple cloud servers would only enable government, private entities and hackers to engage in threats to individual data privacy and cybersecurity. Without the advantages of a distributed infrastructure laid across the globe, such as data sharding, data breaches are inevitable.

Conclusion

The act of data localization measures resorted by governments undermines the very efficacy of cloud computing services by attacking the very core through which they function i.e., flow of data across national borders. This is further deteriorated by their attempts at formulating their own regional/local cloud services in the name of data sovereignty and protection of personal data, which as explained above doesn’t really work as intended. To ensure the proper functioning of cloud services without any glitches, it’s imperative that governments give up in their attempts at impeding the free flow of data and allow cloud service providers to store data on multiple servers through data mirroring. This would not only be in consonance with various principles enshrined in international legal instruments and regulations, but would also further the very purpose which data localization fails to complete, which is safety of personal data of individuals.

Bitthal Sharma is a current undergraduate student at the Rajiv Gandhi National University of Law (RGNUL), Patiala.