Does the Physical Location of Data Matter?

By TAP Staff Blogger

Posted on October 5, 2016


Continuation of a 3-part Interview with Christopher Millard and Ian Walden


“The idea that citizens will have greater protection for their personal data if the data are sitting on a server physically in their country may be fatally flawed.” – Professor Christopher Millard


Law professors Christopher Millard and Ian Walden, both with the Centre for Commercial Law Studies at Queen Mary University of London (QMUL), discuss their work collaborating with fellow technology lawyers and computer scientists on the challenges in cloud computing where technology and regulation intersect.


In this second of a three-part series, Professors Millard and Walden discuss the forced localization of cloud computing. This refers to in-country data storage facilities that physically keeps the data stored on servers within a country’s borders, and allows the data to be subject to country-specific regulation.


Can Local Laws Reach into Cyberspace?


Christopher Millard
Since the beginning of the deployment of Internet and online services on a commercial basis, going back to the early 1990's, there have been concerns on the part of governments in various parts of the world that they would lose control of activities that they think happen within their jurisdiction, but which actually happen in "cyberspace." For a while this was a view popularized by John Perry Barlow, the Grateful Dead lyricist, who in his “Declaration of the Independence of Cyberspace” basically said, "Sorry, governments of the old world, you are obsolete. Your laws no longer work; they do not apply in cyberspace."


Now, that turned out to be hopelessly naïve. In fact, there were plenty of examples following that where governments managed to enforce their existing laws. An example is online gambling; it is perfectly lawful in many parts of the world, but it is not generally lawful in the U.S. A senior executive of an English company that provides an online gaming service, which is completely lawful in the UK, travelled to the U.S. for a vacation with his family. He was arrested at the airport for taking bets illegally over the Internet. There are many cases like that where we have seen the enforcement of local laws in a global online environment.


Is Data More Secure if It Is Kept Within a Country’s Borders?


Christopher Millard
We've done a lot of work on the forced localization of cloud computing services where, for various policy reasons, governments in some countries have said that data must be stored locally, or some other processing activity must be carried on within their jurisdiction. They usually interpret that in traditional geo-locational, geographic terms.


This doesn't make a great deal of sense in cloud computing. The idea that citizens will have greater protection for their personal data if the data are sitting on a server physically in their country may be fatally flawed. For example, it may not be stored securely on that local server and may actually be accessible from anywhere on the planet. Whereas conversely, a cloud computing service on the other side of the globe, with appropriate security controls in place, could provide much greater protection to the citizens.


In our view, geography shouldn't be the determining factor. Physical access to a server containing data is neither necessary nor sufficient in terms of access to information in an intelligible form, for example where strong encryption is being used. On the other hand, logical access is both necessary, and may be sufficient, to provide access to intelligible data, regardless of location.


What Factors Drive Governments to Keep Data within their Borders?


Ian Walden
It's a perfectly legitimate reason to say national security is the reason why certain government data should not leave the shores of the country. Economic protectionism can be a reason as well.


In the 1970s, as computers really started taking off, two countries that were very concerned about data being held abroad were Canada and Brazil.


Christopher Millard
In my article, “Forced Localization of Cloud Services: Is Privacy the Real Driver?,” I quote a Swedish government minister in the 1970s – which sounds prehistoric now – but she said: "We do not really trust the data acts in other countries, or we understand there are none at all, so we feel unprotected in those countries with our data – walking down Fifth Avenue in our underwear."


Also way back in the early ‘70s, a Canadian Federal Government report stated that, as a sovereign state, Canada felt some national embarrassment and resentment over increasing quantities of often sensitive data about Canadians being stored in a foreign country. That country was, once again, the United States.


With these two examples, you have issues to do with privacy, which was the Swedish concern, and national sovereignty including economic sovereignty, which were the drivers for Canadian comment at that time.


Is Privacy the Real Driver?


Christopher Millard
A lot of the recent debate has related explicitly to privacy and data protection. But, when we've looked beneath the surface at what's actually happening, we find that such arguments can be a smokescreen for other drivers.


For example, in September 2015, a Russian data localization law came into force that requires personal data relating to Russian citizens to be stored on a server in Russia. The explicit justification for that requirement was to protect the privacy of Russian citizens. But our understanding is that there are no restrictions on maintaining copies of that data outside Russia. So the underlying purpose of the law may be to enhance the ability of the Russian government to get access to its own citizens' data rather than to improve the privacy protection for those citizens.


Ian Walden
This is driven in part by international law. Governments who have signed up to the World Trade Organization trade agreements can only restrict trade for certain reasons, one of which is data protection. Thus, international law encourages countries to justify behaviors in particular ways.


Learn More about Professors Millard and Walden’s research on regional boundaries in cloud computing:


** **


Christopher Millard is Professor of Privacy and Information Law and head of the Cloud Legal Project in the Centre for Commercial Law Studies, Queen Mary University of London. He is also a Research Associate at the Oxford Internet Institute and is Senior Counsel to the law firm Bristows. He is Editor and Co-Author of Cloud Computing Law (Oxford University Press, 2013) and is a founding editor of the International Journal of Law and IT and of International Data Privacy Law. Professor Millard is a Fellow and former Chairman of the Society for Computers & Law, a past-President of the International Federation of Computer Law Associations, and a past-Chair of the Technology Law Committee of the International Bar Association.


Ian Walden is Professor of Information and Communications Law and head of the Institute of Computer and Communications Law in the Centre for Commercial Law Studies, Queen Mary University of London. Professor Walden has held visiting positions at the Universities of Texas and Melbourne. His publications include EDI and the Law (1989), Information Technology and the Law (1990), EDI Audit and Control (1993), Cross-border Electronic Banking (2nd ed., 2000), Telecommunications Law Handbook (1997), E-Commerce Law and Practice in Europe (2001), Media Law and Practice (2009), Telecommunications Law and Regulation (4th ed., 2012) and Free and Open Source Software (2013), and Computer Crimes and Digital Investigations (2nd ed., 2016).


TAP graciously thanks Professors Christopher Millard and Ian Walden for sharing their expertise and time.


Read more from TAP’s interview with Professors Millard and Walden: