Data Nationalism

From La Quadrature du Net


Anupam Chander and Uyên P. Lê, 2015, Data Nationalism, Emory Law Review, 64, 677, p. 678-739. Web

Keywords

  • Cooperation
  • Data nationalism
  • Law
  • Governance
  • Public-private
  • Trade relations
  • International relations
  • Transfers


The article offers an overview of the policies implemented with the aim of relocating the hosting of digital data to the national or regional level. In liberal democracies as in “authoritarian” regimes, the authors show the diversity of the measures adopted to this end, and highlight the different justifications put forward to legitimize these policies (for example: escaping foreign surveillance and protecting the privacy of one's nationals, or, on the contrary, facilitating the censorship of online content and protecting national security; encouraging the development of the national digital economy; protecting local economic actors in the digital sector from international competition, etc.). Working from a liberal normative framework, they develop a critique showing the dangers of these “protectionist” measures and their ineffectiveness with regard to the objectives assigned to them.


Reading notes


A BRICS Internet, the Euro Cloud, the Iranian “Halal” Internet: Governments across the world eager to increase control over the World Wide Web are tearing it apart. Iran seeks to develop an Internet free of Western influences or domestic dissent. The Australian government places restrictions on health data leaving the country. Russia requires personal information to be stored domestically. Vietnam insists on a local copy of all Vietnamese data. The last century’s nontariff barriers to goods have reappeared as firewalls blocking international services. Legitimate global anxieties over surveillance and security are justifying governmental measures that break apart the World Wide Web, without enhancing either privacy or security.

The issue is critical to the future of international trade and development, and even to the ongoing struggle between democracy and totalitarianism. Data localization threatens the possibility of outsourcing services, whether to Bangalore, Accra, Manila, or even Silicon Valley. The theory of this Article expands the conversation about international Internet regulation from efforts to prevent data from flowing in to a country through censorship, to include efforts to prevent data from flowing out through data localization. A simple formula helps demonstrate what is at stake: censorship + data localization = total control.


  • New paradigm for information control: The first generation of Internet border controls sought to keep information out of a country—from Nazi paraphernalia to copyright infringing material. The new generation of Internet border controls seeks not to keep information out but rather to keep data in.
  • The NSA disclosures have led to new efforts at data localization.
  • Core argument: data localization will backfire; it in fact undermines privacy and security, while still leaving data vulnerable to foreign surveillance. Even more importantly, data localization increases the ability of governments to surveil and even oppress their own populations.
  • The Article:
    • provides a detailed legal description of localization measures.
    • examines the justifications offered for such measures in both liberal and illiberal states.
    • refutes the various arguments for data localization offered around the world, showing that data localization measures are in fact likely to undermine security, privacy, economic development, and innovation where adopted.

Country studies


  • In 2012, Australia passed the Personally Controlled Electronic Health Records (PCEHR) Act, Section 77 of which prohibits the transfer of health records outside of Australia, with certain exceptions.


  • A parliamentary version of the Marco Civil included a new power for the executive branch: the ability to require that data about Brazilians be stored in Brazil. It was finally passed in April 2014 without the said provision.


  • While Canada’s national law, the Personal Information Protection and Electronic Documents Act (PIPEDA), does not prohibit the transfer of personal data outside of Canada, cross-border data flow faces provincial prohibitions. These rules were justified by increases in the U.S. government’s surveillance power provided in the USA PATRIOT Act. British Columbia and Nova Scotia have enacted laws requiring that personal information held by public institutions (schools, universities, hospitals, government-owned utilities, and public agencies) be stored and accessed only in Canada unless one of a few limited exceptions applies.


  • In 2013, the Chinese government issued the Information Security Technology Guidelines for Personal Information Protection within Public and Commercial Services Information Systems. Although the Guidelines are a voluntary technical guidance document, they might serve as a regulatory baseline for Chinese judicial authorities and lawmakers. The Guidelines prohibit the transfer of personal data abroad without express consent of the data subject or explicit regulatory approval.
  • Since 2011, banking rules also prohibit the storing, processing or analysing outside of China of personal financial information collected in China. Finally, the Law of the People’s Republic of China on Guarding State Secrets prevents data from being removed from China if it is deemed to contain a state secret.


  • In 2011, the Danish Data Protection Agency denied the city of Odense permission to transfer “data concerning health, serious social problems, and other purely private matters” to Google Apps, citing security concerns.

European Union

  • The 1995 personal data directive allowed data to be sent outside the European Union (or the European Free Trade Association states) if it were protected adequately either by local law or by contractual arrangement with the foreign company. 11 jurisdictions have qualified for "adequate protection": Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay. The European Union negotiated a special Safe Harbor with the United States, allowing data to be exported to companies in the United States that abide by certain data protection standards, under the supervision of the Federal Trade Commission. The Safe Harbor has been fiercely debated in the aftermath of the Snowden disclosures.


  • The French government has sought over the last few years to promote a local data center infrastructure, which some have dubbed “le cloud souverain,” or the sovereign cloud. The government has directly invested in two cloud computing enterprises, Numergy and Cloudwatt, with a one-third ownership stake in each.
  • The government’s ambition to promote a “Made in France” label includes efforts in cloud computing, big data, and connected devices. In its national innovation plan, the government declared its goal to “build a France of digital sovereignty.”
  • Several proposals to tax big Web companies through a tax on the “collection, management and commercial exploitation of personal data generated by users located in France” have been discussed, and could have an impact on the transborder flow of data.


  • On July 24, 2013, in the wake of the NSA revelations, the Conference of the German Data Protection Commissioners announced that they would stop approving international data transfers until the German government could guarantee that foreign national intelligence services abide by fundamental principles of data protection law. While the Commissioners sought to stop data flow outside Europe, some within Germany proposed to limit data flow only to routes within Germany.
  • In October 2013, Deutsche Telekom (which is one-third state-owned) proposed that data between Germans be routed inside German networks. The idea was also supported by then-Interior Minister Hans-Peter Friedrich. Earlier in August, Deutsche Telekom launched “E-mail made in Germany,” a service that seeks to route data exclusively through domestic servers.
  • In February 2014, Chancellor Angela Merkel proposed that Europe build out its own internet infrastructure designed to keep data within Europe.


  • In April 2011, the Indian Ministry of Communications and Technology published privacy rules implementing certain provisions of the Information Technology Act of 2000. The “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules” limit the transfer of “sensitive personal data or information” abroad to two cases: when “necessary” or when the data subject consents to the transfer abroad. Given that the term “necessary” is highly ambiguous, it would effectively ban transfers abroad except when an individual consents. The Rules, however, do not make it clear how consent for onward transfer from the information collector to the information processor is to be obtained.
  • Another statute potentially poses substantial localization pressures for information held by the government. Section 4 of the Public Records Act of 1993 prohibits public records from being transferred out of Indian territory, except for “public purpose[s].”
  • In February 2014, the National Security Council (NSC) proposed a policy that might require data localization for Indian citizens, and not just government agencies alone. NSC has called on the Department of Telecom to mandate all telecom and Internet companies “to route local data through the National Internet Exchange of India” to ensure that domestic Internet packets remain mostly in India.


  • In 2012, the Indonesian government required service providers providing “public services” to place their data centers within the country. But “public services” is defined so broadly that any commercial website or social platform may be deemed to be a public service.
  • On January 7, 2014, the Ministry of Communication circulated a Draft Regulation on Technical Guidelines on Data Centers, which would require domestic data centers for disaster recovery for a broader range of institutions.


  • Kazakhstan requires new companies using the “.kz” top level domain to operate from physical servers located within the country. The Kazakhstani Association of IT Companies later required that the domestic server requirements apply only to new domains registered after September 7, 2010.


  • In 2010, Malaysia passed the Personal Data Protection Act (PDPA), which requires data about Malaysians to be stored on local servers (with exceptions, inter alia, where the user has given prior consent). While it officially entered into force on November 15, 2013, the PDPA has thus far not been enforced.


  • To address Nigeria’s “clear negative trade balance” in the IT sector, the Nigerian government has set a target of 50% locally supplied goods and services in the information technology sector and has sought to achieve this target through regulatory mandates.
  • The National Information Technology Development Agency (NITDA) released the Guidelines for Nigerian Content Development in Information and Communications Technology (ICT) in 2013, requiring, in addition to a list of local content and usage of local hardware requirements, that ICT companies must “[h]ost all subscriber and consumer data locally within the country” and must “[h]ost their websites on .ng TLD.” The Guidelines also mandate that data and information management firms must “[h]ost government data locally within the country and shall not for any reason host any government data outside the country without an express approval.”


  • In 2012, the Norwegian data authority concluded that cities could not use cloud computing services unless the servers were located within the EU, but then lifted the ban on the use of Google Apps a short time later.


  • Following the NSA revelations in the summer of 2013, Sergei Zheleznyak, a deputy speaker of the lower house of the Russian parliament and a member of the Committee on Information Policy and Information Technology and Communications, called on Russia to strengthen its “digital sovereignty” through “legislation requiring e-mail and social networking companies [to] retain the data of Russian clients on servers inside Russia, where they would be subject to domestic law enforcement search warrants.”
  • In spring 2013, the Minsvyazi (Russian Ministry of Communications) drafted an order forcing telecommunications and Internet providers “to install equipment allowing data collection and retention on their servers for a minimum of 12 hours.” By requiring Russian Internet service providers to save data locally, it serves as a data localization requirement, not preventing data from leaving but at least requiring a copy to be stored locally. This order gives the Russian Federal Security Service (FSB) “direct access to a wider range of data than was possible before—including users’ phone numbers, account details on popular domestic and overseas online resources (like Gmail, Yandex, etc [sic]), IP addresses and location data—without a court order, for the purposes of national anti-terrorist investigations.”
  • On May 5, 2014, President Vladimir Putin signed Federal Law No. 97, or the “Blogger’s Law.” The legislation requires individuals or legal entities who organize the dissemination of information, or the exchange of information between Internet users, to store all information about the arrival, transmission, delivery, and processing of voice data, written text, images, sounds, or other kinds of action for six months in Russia.
  • On July 21, 2014, Putin signed Federal Law No. 242 (which amended Federal Law No. 152 “On Personal Data” of July 27, 2006) to prohibit the storing of Russians’ personal data outside the Russian Federation. Operators of these databases must disclose the physical locations of datacenters. Online websites that violate the prohibition could be placed on the Roscomnadzor’s (Federal Communications Supervisory Service’s) blacklist of websites, generally reserved for those promoting drugs and child pornography.

South Korea

  • In March 2011, South Korea promulgated a comprehensive regulation on data through the Personal Information Protection Act, covering both the private and public sectors. Article 17(3) of the Act targets data exports for a special protection regime: “When a personal information manager provides a third person at any overseas location with personal information, he/she shall notify a subject of information of the matters referred to . . . and obtain the consent thereto.” The law requires the data exporter to provide the data subject (the person to whom the data relates) with extensive information about the data transfer.


  • Sweden’s Datainspektionen (Data Inspection Board) has given a number of interpretations on whether the use of services that place data abroad violates Swedish data processing law. It concluded that the town of Salem could not use Google cloud services, in part because Google could not guarantee that any subcontractor they used abroad would follow the Safe Harbor. The Datainspektionen did eventually approve the use of Dropbox, a U.S.-based cloud service.


  • Article 21 of Taiwan’s Personal Data Protection Act gives government agencies the authority to restrict international transfers in the industries they regulate, under certain conditions such as when the information involves major national interests, by treaty or agreement, inadequate protection, or when the foreign transfer is utilized to avoid Taiwanese laws.


  • Thailand is considering a comprehensive data protection framework. The draft Personal Information Protection Act would require that before an overseas data transfer is executed, the data subjects must give specific consent in writing to overseas transfers, and the recipient country’s personal data protection law must be deemed adequate.


  • In 2013, the Vietnamese government promulgated a lengthy and comprehensive decree seeking to control speech on the Internet. The Decree on Management, Provision, and Use of Internet Services and Information Content Online (Decree 72), which became effective on September 1, 2013, bans the use of the Internet to criticize the government or to do anything else to harm “national security, social order and safety.” Decree 72 also requires a range of Internet service providers to maintain within Vietnam a copy of any information they hold in order to facilitate the inspection of information by authorities.


Governments offer a variety of arguments for data localization, from avoiding foreign surveillance to promoting users’ security and privacy to bolstering domestic law enforcement and securing domestic economic development. The article assesses these four justifications, as well as the costs they will impose on economic development and on political and social freedom across the world.

  • Foreign intelligence:
    • Data localization might not be effective, as the NSA and allied countries have extensive overseas information collection programs. For instance, malware can be injected to provide for the automatic transfer of target information.
    • Governments also routinely share clandestinely intercepted information with each other (even while the German government has been a forceful critic of NSA surveillance, the German intelligence service has been described as a “prolific partner” of the NSA).
    • By compelling companies to use local services rather than global ones, there is a greater likelihood of choosing companies with weak security measures.
    • Centralizing information about users in a locality might actually ease the logistical burdens of foreign intelligence agencies, which can now concentrate their surveillance of a particular nation’s citizens more easily (a phenomenon nicknamed “the jackpot effect”).
    • One state could require a multinational Internet service provider to store all its data on local servers, but that fact does not bar another state from requiring the same multinational provider to turn over data on those servers (e.g., the US could force Google to grant access to data stored in Brazil).
  • Privacy and security
    • Requirements to localize data only make it impossible for cloud service providers to take advantage of the Internet’s distributed infrastructure and use sharding and obfuscation (aimed at protecting privacy by disseminating bits of personal information across several locations) on a global scale.
    • Data localization makes it impossible for consumers to choose, on a global scale, the service provider that offers the best protection for their privacy (which is also a marketing argument and a positive externality of competition).
  • Economic Development

Many governments believe that by forcing companies to localize data within national borders, they will increase investment at home. Thus, data localization measures are often motivated, whether explicitly or not, by desires to promote local economic development. But:

    • Data localization raises costs for local businesses,
    • It reduces access to global services for consumers
    • It hampers local start-ups
    • It interferes with the use of the latest technological advances.
  • Domestic Law Enforcement
    • Data localization will not necessarily provide law enforcement better access to a criminal’s data trail because localization requirements are extremely hard to enforce. They might simply end up driving potential wrongdoers abroad to less compliant and more secretive services.
    • Many governments already have authority under their domestic laws to compel a company operating in their jurisdictions to share data of their nationals held by that company abroad. If needed, this can be done through MLATs.
  • Freedom
    • Information control is central to the survival of authoritarian regimes. Such regimes require the suppression of adverse information in order to maintain their semblance of authority. Data localization efforts in liberal societies thus offer cover for more pernicious efforts by authoritarian states.

Conclusion: We must insist on data protection without data protectionism. A better, safer Internet for everyone should not require breaking it apart.


  • Data Nationalism and Its Discontents: A Response to Anupam Chander & Uyên P. Lê, by Christopher Kuner. Raises three points:
    • Measures of data localization are in fact not new and have existed since the 1970s. The fact that they seem to be increasing in number over the last few years has as much to do with increasing public unease with globalization and a desire to maintain national borders on the Internet, as with protectionism.
    • The authors’ definition of “data nationalism” mixes initiatives that have very different motivations, in particular when the authors attribute protectionist motives to some measures seeking to protect constitutional and human rights on the Internet.
    • The authors could have put forward a stronger normative basis for their criticisms. Without this, it will be difficult to counteract current moves towards data nationalism.

The transfer of national borders to the online space reflects society’s ambivalence about the benefits and drawbacks of globalization: on the one hand we have grown accustomed to the global availability of goods and services, but on the other hand we are unsettled by the breakdown of barriers that seems to threaten our national and regional identities. The Snowden revelations and other recent developments have increased the pace and intensity of these anxieties, but the deep-seated nature of these concerns shows the importance of developing an underlying normative framework to address them.