Future of the Internet Initiative’ Opportunity Mapping



Download 274.55 Kb.
Page4/9
Date07.05.2017
Size274.55 Kb.
#17470
1   2   3   4   5   6   7   8   9

C.Scope

The mapping of opportunities in the Internet governance6 space is challenging due to at least two factors. First, the Internet ecosystem is characterized by a diversity of actors. There is no point of central control; instead, “[i]t is a multi-layered system of administration and operational oversight that spans areas as diverse as standards setting, cybersecurity, and interconnection agreements.”7 And within this system, there is a diversity of actors pursuing independent, and often divergent or competing, agendas.8 Second, it is a highly dynamic ecosystem.9 It is dynamic because the constellation of actors addressing any one particular challenge will be different from those addressing a different challenge. And even within a single challenge, the constellation of actors may change over time.


This diversity and dynamism presents a challenge to a mapping exercise such as this one. The constellation of actors changes from issue to issue and over time. Moreover, new actors may be created (or old ones dissolved) as the needs of the groups change. We can see the effects of this diversity and dynamism in a number of short examples throughout this mapping.
The diversity and dynamism that we observe in the Internet ecosystem has two significant implications for the Forum and the FII as it identifies opportunities for engagement in this sphere. First, because the constellation of actors addressing any one issue will shift in response to new circumstances and developments, any mapping represents a snapshot of a fixed and limited period of time. Second, the constant reconfiguration of participants means that a mapping cannot anticipate all of the new topics, issues, and entrants that will be important over the coming weeks and months. Taken together, these implications represent an opportunity: new entrants and partnerships have as much of a chance of influencing the debate as existing ones.
It is because of that diversity and dynamism that the proceeding narrative analysis focuses on describing key thematic observations in each of the four topical areas, highlighting prototypical actors, and identifying potential opportunities for Forum and FII engagement in each area. Although we include a fuller catalogue of entities in the appendices, we focus in this narrative on prototypical actors because individual actors can change (and be changed) quite quickly. The examples we selected are highlighted because they are exemplary of the range of issues, the current gaps, and the opportunities for meaningful Forum and FII contributions to the ecosystem. Moreover, a mapping that overemphasizes the existing set of actors runs the risk of underemphasizing the dynamism of the space as a whole; the current constellation of actors should not serve to constrain the potential solution space and opportunities for engagement. As the Forum and FII consider their role in the ecosystem going forward, there is an opportunity to think creatively about new partnerships and new opportunities that transcend the existing landscape of actors.

IV.Mapping Selected Areas




A.Key Characteristics of Data Localization




1.Introduction to Data Localization

Traditionally, data is routed across the Internet using autonomous servers that simply seek to deliver packets one hop closer to the destination. The process is then repeated from server-to-server until the packet is delivered. This traditional approach to packet routing typically moves data from one node to the next without respect to international borders.10 However, national concerns over local innovation, privacy, security, surveillance, and law enforcement—concerns driven by the growth of cloud storage11—have encouraged some jurisdictions to consider data localization legislation that would necessitate fundamental changes to how data is routed and ultimately stored across the Internet.12 “Data localization” generally refers to “laws that limit the storage, movement, and/or processing of data to specific geographies and jurisdictions, or that limit the companies that can manage data based upon the company’s nation of incorporation or principal situs of operations and management.”13


Data localization is just one aspect of a larger phenomenon referred to as “Internet fragmentation.” Internet fragmentation refers to a wide range of policies which collectively threaten the continued operation of a cohesive, global, interoperable network.14 The forthcoming WEF report on Internet fragmentation identifies four broad categories of fragmentation: (1) infrastructure; (2) transactions and content; (3) data localization; and (4) commercial practices.15 Indeed, the range of policies with fragmentary effects is quite broad and includes those relating to language, cultural, and religious homogeneity, inequalities in access, Internet filtering, reactions to cybersecurity issues, and others. In sum total, these fragmentary policies serve to make it harder for systems and people to interact and interconnect through the network by erecting barriers at every level of interoperability: technology layer, data layer, human layer, and institutional layer.16 In some cases, the fragmentary effects are intentional and the policymaker seeks to make it harder to communicate or access certain content; in other cases the fragmentary effects are a secondary (and possibly unintended) effect of policies with some other objective.
Of the many kinds of fragmentary policies, countries and regions have shown particular interest in data localization policies over the past few years. Given the substantial developments in that space, we limit our analysis to the significant variety of laws and proposals relating to data localization policies. We can classify the data localization policies that have been implemented or proposed into three broad policy classes:

  1. Data export limitations: policies limiting how data captured within a jurisdiction can be shared with those outside of the jurisdiction.

  2. Location-based routing restrictions: policies altering the status quo for network routing in order to limit the flow of data to certain jurisdictions.

  3. Data residency requirements: policies stating where certain data must be kept for access and/or processing.

Countries or regions can deploy a single one of these policies or can layer them together. We proceed by looking at each of these policy classes in turn. We next describe some of the factors motivating data localization policy, its impact on the ICT sector, and the complex relationship between data localization and privacy law. Finally, we identify key actors and outputs in the area of data localization.



2.Key Themes/Issues




a)Forms of Data Localization Policy




(1)Data Export Restrictions

Perhaps the most common form of data localization policies is that relating to the transmission of data (most often personal data) collected within a particular jurisdiction to individuals and systems located outside of the jurisdiction. Such restrictions are neither all-encompassing nor absolute; instead, the policies range in effect from those that offer minimal resistance to data export, on the one hand, to those that make it impossible to export certain kinds of data, on the other. No country, however, has thus far enacted an outright ban on the export of all data.


As noted, countries’ approaches to export restrictions vary dramatically. Some countries, like the United States, take a less restrictive approach to the export of domestic data. Although the U.S. does limit the export of certain kinds of data,17 it generally does not interfere with the transmission of Internet traffic beyond the country’s borders. To a large extent, this leniency may be due to the fact that the economic and political factors which tend to motivate data localization policies in other countries (as discussed below) are simply not prevalent in the U.S. For example, U.S. law enforcement agents may not feel a need to demand export restrictions on most domestic Internet data because it is likely to stay in the control of domestic technology companies and service providers.
On the other end of the spectrum, we find onerous localization mandates like Russia’s Federal Law 242-FZ, which prohibits the export of any Russian personal data to any server beyond the country’s borders. Most countries’ export limitations exist between these extremes, with export restrictions based on the legislative environment of the recipient country, the category or type of data, or whether the data subject has consented to its transfer.

(a)Restrictions based on recipient country

Some countries allow data export only to countries or companies that meet certain privacy or security standards. This provides to the originating country some assurance that the data (and the citizens generating the data) will be afforded certain comparable, minimum protections.


Country examples:

  • European Union: 1995 Data Protection Directive allows the export of personal data only where the recipient jurisdiction provides adequate privacy protection, or if there are contractually binding corporate rules with a recipient company for protecting the data. The ECJ recently struck down the “Safe Harbor” Data-Transfer provision of the 1995 Data Protection Directive, which previously permitted companies to self-certify that their transfer methods adequately protected the data of European users and complied with the Directive and with fundamental European rights to privacy. Now, data protection authorities cannot rely on the Safe Harbor provision when governing European data processing operations.18

  • South Africa: 2013 Protection of Personal Information Act is generally consistent with the limits of the E.U. Data Protection Directive.

  • Brazil: On January 28, 2015, the government introduced a Preliminary Draft Bill for the Protection of Personal Data that would restrict transferring personal data to countries that do not offer comparable levels of protection.



(b)Restrictions based on content of data

Some export restrictions apply to particular categories of data that are believed to be too sensitive or dangerous to be kept on foreign servers. Most frequently this includes personal data collected by government entities.


Country examples:

  • Nigeria: The National Information Technology Development Agency’s 2013 Guidelines for Nigerian Content Development in Information and Communications Technology require that data and information management companies must host government data locally and cannot export that data without express approval.

  • Germany: In August 2015, German government IT officials agreed on rules that would limit government use of cloud services to those providers that agree never to subject the stored data to foreign disclosure obligations. Effectively, this means that German government cloud providers must process data entirely within Germany or operate only within other countries that could not, or would not, attempt to seize or access that data.

  • India: Section 4 of the Public Records Act of 1993 bars the transfer of public records outside of India.

  • Canada: Local legislation in British Columbia and Nova Scotia requires that the data of public institutions, as well as health data, not be moved to other jurisdictions.

  • Australia: The Personally Controlled Electronic Health Records Act of 2012 bars the export of personally identifiable health records.

  • South Korea: The 2009 Act on Land Survey, Waterway Survey and Cadastral Records has been interpreted to mandate that map data of South Korea not be stored on servers outside of the country.

  • China: A 2011 notice from the People’s Bank of China prohibits banks operating in China from storing abroad the financial data of any Chinese citizens. A 2015 draft law would mandate the local storage of data for operators of “crucial” information infrastructure, but it would allow exceptions for business reasons subject to passing a security review.19



(c)Restrictions based on consent

Another form of export restriction is based on the citizen providing consent for the export of their data.


Country examples:

  • China: The 2013 Information Security Technology Guidelines for Personal Information Protection within Public and Commercial Services Information Systems prohibits the export of data without the consent of the subject. In September 2015, the government asked technology companies to pledge their commitment to data export policies that restrict them from transferring, storing, or processing information outside the country’s borders without permission from the user any data collected within the Chinese market.

  • South Korea: The 2011 Personal Information Protection Act creates an obligation to obtain consent from a data subject and to provide the subject with extensive information about the transfer, including the reason for collecting personal information, and the period for which the data will be held.

  • Switzerland, Brazil, and Argentina: Customer consent is required before banks can send data outside of the country.

  • Thailand: Proposed legislation would require both that the data subject provide consent and that the destination jurisdiction meet certain minimum standards.

It is important to note that the fragmentary and localization effects of consent requirements depend largely upon the level of difficulty in obtaining effective consent. In most cases, the burden for obtaining consent is likely so low that it will not pose a major obstacle for data export. However, in places such as South Korea, which has more onerous disclosure requirements, the provisions may make it more difficult to obtain consent. Such difficulties indirectly create data localization effects by making it more difficult to export the data.



(2)Location-Based Routing Restrictions

Over the last three years, several proposals have emerged that would require that Internet traffic be routed only through certain territorial boundaries. Such a technological change would be a dramatic departure from the current operations of the Internet, where the autonomous systems that control network routing may determine that it is most efficient to send packets across a geographic border even when the sender and recipient are in the same jurisdiction. For example, an e-mail being sent from one neighborhood in Toronto to another could pass through nodes in the United States. In the wake of the Snowden disclosures, some became concerned that such cross-boundary routing could expose the data to additional surveillance risks. Indeed, there have been examples where unusual diversions of Internet traffic suggest that routing protocols have been altered or abused in attempts to monitor traffic.20 As a result, the goal of circumscribing the transmission of Internet traffic became a politically salient proposal in certain jurisdictions, whether advanced by proponents in government, the private sector, or civil society.


Country examples:

  • Germany and France: These countries developed plans for an E.U. or Schengen-only routing restriction for all traffic with start and end points in Europe; the plan appears to be abandoned.

  • India: The Indian National Security Advisor has requested regulations that would require that all domestic traffic is routed through the National Internet Exchange of India (NIXI) to prevent foreign surveillance; no such regulations have been proposed.


Private sector example:

  • Deutsche Telekom: One of Europe’s largest telecommunications firms has spearheaded the development of a national e-mail system that routes messages exclusively through Germany.


Civil society example:

  • Canadian privacy and technology researchers: Some Canadian academics have advanced a range of proposals to limit the percentage of traffic routed through the United States, including the development of improved infrastructure, new Internet Exchange Points, and explicit routing restrictions.

Overall, it is important to note that despite the development of voluntary, private sector products (like German-only e-mail routing), there has been almost no government action taken on routing restrictions. Changing the process of Internet routing would fundamentally alter the ways that the underlying network operates, making such changes both technically challenging but also risky to the openness and generativity of the network.



(3)Data Residency Requirements

Data residency requirements are policies that require companies to maintain a copy of user data on a domestic server. Such restrictions differ from data export requirements in that they generally allow the export of data, provided that at least a copy is stored within the country.


Country examples:

  • Vietnam: Decree 72 requires that all online services operating within the country store a domestic copy of an immense array of user data (from user credentials to complete activity logs) for the purposes of government inspection.

  • Russia: Starting on September 1, 2015,21 companies with a legal presence in Russia that collect personal information from Russian citizens must process and store those records on servers within the country. There is considerable uncertainty, however, about which companies are subject to these restrictions.22

  • Indonesia: Laws require that copies of data can be exported but a copy must remain inside Indonesia.

In some cases, residency requirements and export limitations converge. For example, a law that requires that data be stored exclusively on domestic infrastructure is both a residency requirement and an export limitation in the sense that data must reside inside the country and cannot reside anywhere else.



b)Contextualizing Data Localization




(1)Policy Motives for Data Localization

It is tempting to connect the rise of data localization to the Edward Snowden disclosures beginning in June 2013, but it would be an oversimplification to draw a causal connection between the two. In fact, there are several reasons—many unrelated to international surveillance—that explain why countries and regions have begun to explore or enact data localization requirements. While several governments have used surveillance controversies in order to advance data localization agendas, the underlying motivations driving these policies are fairly diverse.


One key motivating factor is economics, which may be just as important as concerns over surveillance, if not more so. Data localization requires significant infrastructure; where that infrastructure does not yet exist, new data centers must be built. Thus, in theory, data localization can have positive economic impacts through new construction, new technology procurement and investments, and employment opportunities for data center management, maintenance, and operation. Indeed, we observed in our research that domestic technology and ICT companies were often major proponents of data localization proposals within their countries. Although not all countries are so explicit in drawing the connection between economics and localization, in Nigeria local data storage requirements were a direct part of an economic agenda to develop the ICT sector through procurement policy and regulatory mandates. Some critics of data localization, however, contend that the economic benefits, if any, tend to fall on a narrow set of industries, while overall suppressing economic opportunities through the restraint of global trade and discouraging investment.23
In some countries, another motivating factor for data localization may be the opportunity to obtain greater control over information flows and create new domestic surveillance opportunities. In Russia and Vietnam, for instance, opponents of data localization policies have frequently cited the risks of greater surveillance through data localization. While it is difficult to determine the extent to which domestic surveillance is a motivating issue, some countries have mandated data residency as part of law enforcement regulations, suggesting a motivating role. In other cases, accusations of domestic surveillance may simply provide an expedient argument for opponents to challenge inconvenient and costly trade barriers.
Despite the recent attention on international surveillance, it appears to be a weak motivating factor in the data localization ecosystem.24 In countries where outrage regarding the Snowden revelations served as the primary driving force for data localization proposals, such initiatives have lost momentum over time. This was the case in Brazil, where the proposed localization amendment to the draft Marco Civil da Internet was abandoned and a much tamer Draft Law for Personal Data Protection has been proposed in its place. Similarly, calls for a “European Internet” from French and German political leadership have subsided without concrete legislation, although the private sector in Germany did implement data localization services for voluntary data protection and cloud storage (e.g., Deutsche Telekom’s national e-mail service). Conversely, in countries where the motivation for data localization policies is rooted in domestic surveillance interests or economic development goals, data localization policies remain on the horizon.

(2)Divisions in the Technology Sector

Although there have been some attempts to quantify the economic impact of data localization policies at the national level,25 there has been little data assessing the impact at the level of economic sectors or companies. In fact, we observe that companies across the technology sector have responded in different ways to localization policies. At both the local and global levels we observe some companies in clear opposition, while others are advocating for such policies as a business opportunity. Industry observers have noted that several major companies in the technology sector that rely on serving a global audience, could see their business diminished as a result of data localization policies.26 At the same time, other major technology companies have viewed these policies as an opportunity to sell the products and services necessary to operate data centers.


Industry examples:

  • Internet Service Providers Association of India: The ISPAI has been one of the most active proponents of data residency requirements and export restrictions in India.

  • Deutsche Telekom: The German telecommunications giant has been a driving force behind the plan for a “European Internet” and the largest corporate partner associated with the “e-mail made in Germany” service.

  • Google: The U.S.-based search and online services giant has been one of the most prominent opponents of data localization efforts, citing economic and security concerns alongside the risk of “Balkanization.”

  • Microsoft: The U.S.-based software and online services company responded to the backlash over NSA surveillance by announcing that customers would have the ability to choose the jurisdiction in which their data would be stored from among the company’s existing data center locations.

  • IBM and Salesforce: These companies, which specialize in building the hardware and software to manage infrastructure, have sought to build overseas data centers in order to preempt data localization laws.



(3)The Relationship Between Data Localization and Privacy and Security Laws

Data localization policy intersects with privacy and cybersecurity legislation in complex ways. Across jurisdictions, our initial analysis of privacy and data protection laws that include data localization provisions indicates that most do not actually create outright restrictions in the form of mandatory data residency or strict limitations on routing. Rather, these policies may be better categorized as a series of hurdles that may make it more difficult—but not impossible—to transfer data. One example is permissions-based requirements for international data transfer.


In some cases, data localization provisions evince a nexus with privacy and data protection legislation. For example, Australia mandates the domestic storage of personally identifiable health records. Keeping such sensitive records within the country may assist in ensuring that victims of a privacy breach can access appropriate legal recourse. In other cases, industry observers see little connection between data localization policies and the stated privacy objectives. In fact, in some countries, such policies may actively undermine privacy rights, either because of poor security or issues of domestic surveillance. Data localization efforts, even when done for privacy reasons, may impose practical costs; in the Australian case, opponents of the localization provision argued that it would jeopardize citizens’ ability to access important health records when travelling.

c)Additional Key Actors and Outputs

Given the nature of the data localization issue, key actors are necessarily state and region-specific. Beyond those already mentioned, we do, however, observe some additional key actors and reports at the global and regional level.


Example actors:

  • Internet Governance Forum: Fragmentation and data localization was a key issue and program track at the 2014 Internet Governance Forum, with several panels such as “Geo-Localisation of Data, Threat or Opportunity?” “Across The Globe: Local Infrastructure is Local Development,” and “Privacy, Surveillance & the Cloud: Globalization Under Fire?” It is likely to be revisited at IGF 2015.

  • Global Commission on Internet Governance: This group has produced numerous reports addressing the issue of fragmentation and localization, including a report entitled Addressing the Impact of Data Location Regulation in Financial Services, which captures the views of global financial institution executives on data localization. The report includes a set of recommendations for financial institutions, some of which may be useful for the Forum and the FII to consider.

  • The European Centre for International Political Economy (ECIPE): This group has attempted to quantify the financial losses and perceived market inefficiencies resulting from data localization in a report entitled The Cost of Data Localisation, which reviews seven jurisdictions: Brazil, China, the European Union, India, Indonesia, South Korea, and Vietnam.

  • The CIGI-Ipsos Global Survey on Internet Security and Trust: This report includes several findings related to the user perception of data localization. For example, in the 24 countries surveyed, they found that 72% of users would like their online data and personal information to be physically stored on a secure server in their own country. When these preferences are broken out by country, there does not appear to be a strong correlation between a state’s official position and its citizen preference for localization.

Academic writing on the subject is relatively limited and—given the nature of the subject matter—becomes rapidly out-of-date. However, a few recent pieces of scholarship may be particularly useful.


Example scholarship:

  • Anupam Chander, Uyen P. Le, Breaking the Web: Data Localization vs. the Global Internet, UC Davis Legal Studies Research Paper, No. 378, April 2014. This paper provides a critical summary of the localization debate in over fifteen countries.

  • Jonah Force Hill, The Growth of Data Localization Post-Snowden: Analysis and Recommendations for U.S. Policymakers and Industry Leaders, Lawfare Research Paper Series, July 21, 2014. This study includes a collection of high-level recommendations targeted toward U.S. business leadership and policymakers.



3.Conclusion and Core Observations

A country-by-country analysis suggests that understanding data localization is made complex because it is the result of a multi-layered, and sometimes uncoordinated, set of diverse policies; it is often not the result of a single piece of legislation or a coordinated omnibus set of carefully constructed regulations. Localization (and its fragmentary effects) often is driven by the cumulative effect of many separate and independent policies, often tied to specific types of data. This complexity poses challenges both for policymakers who seek to develop clear policies without unintended consequences, as well as for market participants who must navigate those policies, and end users who are ultimately most affected by them.


One approach to addressing this complexity is through the development of new analytical frameworks by which to unpack and further understand this complex network of policies. The FII’s ongoing fragmentation research is a valuable contribution in that effort.
This complexity also presents several additional opportunities for the Forum and the FII to serve an educational role in the ecosystem.

  • First, there is a need to help develop new tools and measures for assessing the impact of (both intended and unintended) data localization measures.

  • Second, there is a need to help policymakers find solutions for governmental concerns, without endangering the overall functioning, efficiency, and value of the Internet within their jurisdictions.

  • And third, there is a need to help apply best practices from entities, such as those in the financial sector, that have experience managing complex regulatory environments in an international context.

In addition to education, the data localization ecosystem suggests there is also a need for technical innovation. Data localization is an attempt on the part of policymakers to address governmental concerns through structural changes to the way the underlying network operates. The Forum and the FII could help identify and support technical alternatives to data localization policies, which could more effectively address concerns about privacy, security and surveillance without compromising the integrity of the underlying network.


Finally, we observe that economic factors are a large motivating factor for data localization at both the national and global levels. At the national level, the Forum and the FII can help countries find new ways to grow and support the development of their technology and ICT sectors. At the global level, there is a need to better understand the economic impact that the data localization initiatives have on both companies that are supporting the development of localization infrastructure, and those whose business models rely on a global, interoperable network.


Download 274.55 Kb.

Share with your friends:
1   2   3   4   5   6   7   8   9



The database is protected by copyright ©ininet.org 2024
send message
    Main page
coming months
four areas