Many of the world's governments are currently exercising what they call "digital sovereignty," trying to assert control over data flows involving their citizens in the global net. One of the policy approaches they are taking is known as "data localisation." This means requiring multi-national information technology and financial businesses to store the data related to a country's citizens within that nation's boundaries.
Although the terms "data localisation" and "digital sovereignty" are sometimes conflated, data localisation is only one means of expressing sovereign interests in digital infrastructure and data flows. Some governments — notably those of Russia, China, and now India — have been particularly energetic in requiring data localisation as an expression of digital sovereignty. Both the National Communications Policy, promulgated by the DoT in May, and the RBI's "Notification on Storage of Payment System Data," just released, require in-country storage of data related to Indian citizens.
For public good or increased surveillance?
The primary ostensible motive behind data localisation requirements is to ensure that the country's legal system has all appropriate access to data relevant to its citizens for purposes of law enforcement. This should have been simple, but for the game of "server location".
There has been a general assumption throughout the world's legal systems that the law applicable to data is the law of the storage server's location. This principle of "lex loci server" has meant that national justice and law enforcement authorities have had to rely on so-called "mutual legal assistance treaties," or MLATs—individually negotiated bilateral legal agreements among governments—for extra-territorial access to data about their citizens. But procedures under MLATs, which the US government began negotiating in the 1990s, are generally now regarded as too narrow and too slow for international cybercrime response. Beyond these motives that can be avowed, lie the enthusiasm of national security agencies to keep data about citizens within national borders, where the government has powers of informal coercion. Such power, that can be used to secure extrajudicial access to data for purposes of intelligence gathering and social control.
In general, the ostensible need for data localisation has been an excuse for these internal security actors' ambitions. They want unfettered local access to the data gathered about their citizens by the multinational platform companies.
The extent to which data localisation has assisted in investigating and resolving incidents of cybercrime is difficult to determine, but as the incidence of reporting—let alone resolving—such crimes remains abysmally low, we can infer that little has been achieved by these measures, and more widespread success is hardly likely. Whatever advantages secret police and other agencies of social coercion have derived by coercion and subterfuge with respect to servers located within their borders, excuses made on the basis of crime-reduction are unconvincing without any data to back it up with.
Hindrance to cloud computing tech
Broad requirements to keep local users' data in-country substantially impede the adoption of "cloud computing" technologies by local businesses as well as international enterprises, however. Data storage and computing power are becoming utilities available on the net without regard to location. The resulting flexibility and price competition are transforming the global market in information technology. Localisation requirements will radically distort that market, a form of protectionism that will raise prices and reduce productivity throughout national economies.
We can secure government's legitimate interest in law enforcement access to data generated by and about its citizens and resident businesses, without these significant harms to economic and civil liberty. Businesses providing services and earning revenue in India are subject to the jurisdiction of Indian courts, whether the equipment they use to provide those services is located in India, or elsewhere. A judicial order requiring the employees of a business to produce data under the business's control does not become ineffective because the data is temporarily or permanently stored outside the country.
The CLOUD Act
This is the principle on which the United States Congress has recently legislated in the so-called CLOUD Act, which stands for "Clarifying Lawful Overseas Use of Data." The Act brought to an end litigation between Microsoft and the US government over a subpoena issued to Microsoft for the email of a US citizen, stored by Microsoft at its discretion on a server in Ireland, wanted as evidence in a narcotics investigation.
By clarifying the effect of the US Stored Communications Act of 1986 under current technological conditions, the CLOUD Act eliminates the legal system's interest in the physical location of data, brings the regime of "lex loci server" to an end, and thus eliminates pressure for data localisation rules in the US.
The CLOUD Act is imperfect, as pioneering compromises usually are. Additional safeguards for citizens' privacy through the provision of additional procedural rights for those whose data is sought should have been included. Businesses should not be required to choose between expensively contesting all requests and abandoning their customers' privacy rights. But the approach taken—recognising that the basis of jurisdiction to compel production of data is the presence of the business, not the presence of the data—is enormously important in avoiding the unnecessary tensions between technical innovation and the needs of law enforcement.
Localisation seems like a beneficial means of expressing digital sovereignty. In fact, it imposes severe costs that far outweigh its benefits. In societies not governed by the rule of law, localisation amplifies the power of the organs of oppression, just as the form of "personal localisation" represented by the Berlin Wall and the Iron Curtain amplified the power of Stasi and the KGB.
But for democracies, like India or the US, data localisation is altogether the wrong approach to law enforcement in digital society.
Eben Moglen is Professor of Law and Legal History at Columbia Law School. Mishi Choudhary is a technology lawyer and legal director of Software Freedom Law Centre, New York.