The End of Data Without Borders

The storage and transmission of data around the world involves a constant clash of competing local, regional, and national regulations. But why does anyone care where data is physically located?

Find yourself a map of the world's major shipping routes (or just click here) and compare it to a map of the world's undersea internet cables (…and here): They are strikingly similar, a thick band of traffic across the Atlantic between Europe and North America; a sizable swath from Asia to the US Pacific Coast; a longer haul from Europe to Asia across Africa; and a few thinner connections between the northern and southern hemispheres. Both sets of routes have their origins in a 400-year-old world trading system that dates back to the Age of Sail, yet while the movement of goods over oceans is highly regulated by centuries of law and custom, the movement of data via fiber-optic cables is very much not. Data can now be stored in whatever corner of the world best serves the interests of cost and convenience, and it can be retrieved at the literal speed of light or secreted away in the dark. This digital version of mare liberum (“free seas,” the guiding legal notion coined by 17th-century Dutch jurist Hugo Grotius) is only now being subject to real legal scrutiny, and it’s a once-in-an-era opportunity to define how we regulate the global trade of information and intellectual property.

Unfortunately, bureaucrats are busy writing data localization laws that stem from the age of ink-stained vellum paper rather than our current Dropbox reality. Consider this instructive legal quiz: If US authorities have a warrant to obtain data from a US company about a US citizen, but that data happens to live abroad because of whatever cloud caching particulars, must the US company hand over the data to US authorities?

The answer, incredibly, isn’t at all clear. In the US, right now, there are two completely contradictory court judgements in effect. In 2016, the Second Circuit Court of Appeals judged that Microsoft need not comply with a US warrant requesting data stored overseas (even though the parties in question are subject to US law). Then last year, in another unrelated case, a federal judge in Washington, D.C. completely contravened the earlier ruling, ordering Google to turn over user data to federal investigators, even though the data was stored overseas.

The story only gets more complex as US and European governments try to carve out digital free-trade zones in the face of competing local and state laws. For example, the Trump administration, as part of its NAFTA renegotiation bid, wants total data openness among the US, Canada, and Mexico. However, such a deal would violate laws in the Canadian provinces of British Columbia and Nova Scotia that mandate local storage for any personal data.

Similarly, the European Union is pitching a Digital Single Market to its members that would unify all European data, whether government or commercial, and allow its use and physical storage anywhere within the EU. However, many European countries possess detailed legislation around where public records are stored. France (of course) has gone so far as to build a local cloud and call it le cloud souverain, which French businesses are encouraged to adopt over any regional or global cloud services.

Quel shitshow, and it begs the question: Can a global cloud system peacefully coexist with national sovereignty? All this data is ultimately the magnetization state of a thin patch of cobalt alloy on a hard drive, and where that hard drive lives should be immaterial, in both senses of the word. In the same way the designer of a mobile app interface doesn't much think of how the app's data will be saved and retrieved from memory—that being the job of the language compiler and operating system—the managers of our legal and economic systems shouldn't care too much where a document or piece of user data happens to physically live. To use the dismissive charge leveled by software engineers when someone reaches way down the programming language or technological stack into the murky depths where they’re neither welcome nor knowledgeable, our politicians and regulators are “violating the abstraction layer” by trying to dictate where data is physically stored. For the purposes of obtaining that data through a search warrant, how that data is stored should be about as relevant as the ink color a contractual signatory used to seal their business deal.

This is not to say that “information wants to be free,” nor is it the recipe for anarchy it might seem. Personal privacy concerns and intellectual property rights must remain paramount, and the leviathan of the state, with its coercive power, should still reign supreme inside its own borders. Tangible goods (and digital bits) can transit the deep, blue sea, but they need to be subject to the laws of the land when they cross into the land. (Even Facebook, which formerly countenanced no local restrictions, is now bending over backwards to comply with local German election laws or Israeli hate speech legislation.)

It’s the tradeoff between free movement and national sovereignty, as always, that’s tricky. Even a suddenly-contrite Facebook will have trouble managing the data laws of almost two hundred nation-states. Instead of this ugly patchwork of local, national, and regional laws, regulators need to come together to create new trade agreements (and strengthen existing ones) that treat data like so much oil or grain or any other tradable good. In facilitating and safeguarding the lawful exchange of data between independent countries, whether in the name of commerce or the rule of law, these digital trade agreements would help lay the groundwork for the global, digital infrastructure that our future selves deserve. Before long, talking about data somehow possessing a physical location, out of reach to some and too easily hidden by others, will become one of those quaint throwbacks we’ll completely forget.



Photograph by WIRED/Getty Images