Policy and law lag behind technological change. Nowhere is this more obvious than in infosec, where legal and policy frameworks remain mired in Cold War debates despite over two decades worth of high profile cyber attacks and data theft. This is all beginning to change. We are at a significant inflection point where countries are rapidly implementing policies that are dramatically shaping the future of the internet and how business is conducted abroad. Focused on various data protection standards, these frameworks often have little in common and reflect competing perspectives on data privacy, theft, and regulations. Absent a global institution powerful enough to harmonize these competing frameworks, data localization - country-specific data governance frameworks - is a dominant force shaping the future of digital security and privacy.
As countries scramble to catch up with modern technological realities, two major frameworks are gaining traction: the multi-stakeholder model and cyber sovereignty. The multi-stakeholder model advocates for a free, open, secure and global internet based on individual data protection, while cyber sovereignty reflects a government-controlled approach to information security. Countries across the globe continue to adopt their own data protection standards, which fall along a spectrum between these two frameworks. The European Union’s (EU) General Data Protection Regulation (GDPR), which comes into effect in May, epitomizes the push toward individual protections of data, while Russian and Chinese data localization laws reflect government-controlled approaches to data protection. These opposing frameworks continue to diffuse globally, as countries such as Colombia, Brazil, India, Nigeria, and South Korea introduce or adopt local data standards. This post details this break-up of the Internet (aka Splinternet) through the current implementation of these competing data localization approaches, and how they will increasingly pose logistical challenges for corporations. Data localization also has broader strategic implications, impacting geopolitics, democratic and authoritarian institutions, and individual freedoms.
Individual Data Privacy Protection: The GDPR
As we discussed last month, the GDPR introduces a regulatory framework for how companies collect, use, and store individual data. At its core, the GDPR maintains a strong emphasis on individual data protections, which includes personally identifiable data (PII), but extends to content about an individual. Key data protection features within the GDPR are the right to erasure (aka the right to be forgotten), and the right for an individual to access their data and rectify incorrect data. It is a far-reaching framework that impacts everything from marketing to artificial intelligence to breach notification. Importantly, the GDPR introduces data standards that pertain to data of European Union citizens regardless of where the data is held. Even if a corporation is not headquartered in the EU, but they have data on EU citizens, they must comply with the GDPR.
The EU’s push toward individual data protection and privacy is not surprising in the wake of the increasingly unprecedented magnitude and scope of corporate data breaches. The GDPR also reinforces the values and norms of individual freedoms and humans rights that are foundational to the EU. In this way, data regulation frameworks intersect with and adhere very closely to their native political institutions. The GDPR reflects the political and economic union of 28 democratic members, prioritizing the data protection and individual rights that reinforce democratic institutions. In turn, with the additional emphasis on corporate responses to data breaches, the GDPR advances specific norms for security and privacy within a regulatory framework.
Data Localization with Chinese Characteristics
In October, Chinese President Xi Jinping thoroughly detailed his vision of Socialism with Chinese Characteristics that includes internet control to "oppose and resist the whole range of erroneous viewpoints". This emphasis on cyber sovereignty reinforces China’s cybersecurity law which similarly places the government as the protector and manager of online content. According to the law, data localization requirements focus on critical infrastructure businesses and firms with access to personal data. For over a decade, China has demanded foreign corporations turn over data, but this new law tightens the requirements and blacklists corporations who fail to comply. While the definition of critical infrastructure remains vague, the law could undermine foreign intellectual property and the privacy of individual data held by corporations operating in China. The law went into effect in 2017, and is expected to impact those companies leveraging big data the most, greatly increasing data processing costs and logistical challenges for companies. With the larger movement toward AI and the internet of things, this law has farther reaching impact, including on companies such as social media platforms that host web content and websites in China.
The repercussions of China’s data localization extends beyond its own sovereign borders. For instance, China has led several efforts to integrate state internet control requirements into United Nations documents focused on global cyber norms. China also seeks to control Chinese language media and content external to its borders as part of a broader strategy to garner influence abroad. Domestically, China’s emphasis on government control of data has enabled a nascent social credit system that perhaps best personifies the striking repercussions of competing approaches to data protection. Revealed in 2014, China is developing a national system to track and rate the reputations of individuals and businesses. It will increasingly influence all aspects of life, including loan applications, dating profiles, job prospects, airplane ticket purchases, travel, and property ownership. Individuals are scored based on a range of factors such as financial debt, deviation from state-approved online content, and the scores of others within your social networks. Finally, China already blocks several U.S. internet companies, and further assists in domestic development of Chinese competitors. This too has great global impact, as Tencent passed Facebook last year in market capitalization. Tencent also has ten percent stake in Snapchat’s parent company Snap. Other Chinese tech giants such as Alibaba and Baidu continue to expand as well. Although they are not technically state-owned enterprises, these companies influence China’s capabilities for internet and data control, including a dominant role positioning China to emerge as the global leader in AI, and further strengthening localized government control of data.
The Russian model
China and Russia share many similarities in their push for cyber sovereignty and data localization, including a bilateral ‘nonagression pact’ for mutual support of sovereignty and refraining from attacks. Russia is best known for various high profile breaches and a propaganda machine of troll factories and disinformation that seeks to disrupt elections across the globe, divide societies, and weaken democracies. However, there is much more to the Russian approach, including a strict focus on cyber sovereignty to simultaneously control domestic information, expand data localization policies globally, and shape the global digital infrastructure.
In 2015, a new Russian law required all data collected on Russian citizens to be stored and processed on servers in Russia. This law equally applies to countries outside of Russia, and has already resulted in the blocking of websites owned by U.S. companies. Russia’s 2016 information security doctrine outlines its far-reaching approach to information security, including an integration of both the technical and the social and psychological components of digital information control. Russia also requires foreign companies to provide source code for security products as a cost of doing business there. Two pieces of legislation in 2017 further focus on data control, eliminating anonymity online and restricting tools to evade censorship, including VPNs and anonymizers.
Russia has embraced many aspects of China’s internet strategy, working to create its own ‘Great Firewall’ (dubbed the Red Web), and continues to rise in global measures for censorship and surveillance. Whereas China tends to censor content based on keywords and limiting collective expression and congregation, Russian censorship focuses more on cultural control, fostering self-censorship in publications, websites, and media due to nebulous guidelines. Russia often first deploys various forms of Russian information security domestically, such as fostering societal divisions through disinformation, before applying them internationally.
Additionally, as part of the broader effort to leverage data collection for domestic control, Moscow recently introduced a new facial recognition capability within a city-wide camera network. While depicted as a means to capture criminals, it has massive privacy implications and contributes to the ongoing expansion of domestic surveillance. Finally, Russia is actively attempting to shape global information flows. For example, Russia recently provided the infrastructure to expand North Korean internet access, resulting in 60% more internet access thanks to this second connection. Simultaneously, Russia is working to build an independent internet infrastructure among the BRICS countries (Brazil, Russia, India, China, and South Africa), which includes an alternate domain name system. This alternate internet, combined with data sovereignty, is intended to grant Russia greater autonomy and control of digital information.
Boundaries Do Exist on the Internet
Localized data governance will continue to diffuse into 2018 as governments across the globe seek to control digital security within their borders. The European, Chinese, and Russian frameworks reflect various facets of data localization and internet governance, and each is inspiring other countries as they shape their own national frameworks. In 2015, Kazakhstan passed a law similar to Russia’s, requiring data on their citizens to be stored within their boundaries. Conversely, a Canadian court ruling mirrored a European Court of Justice right to be forgotten case, while the UK’s latest data protection law shares many similarities with the GDPR, as does a recent bill proposed in the U.S. pertaining to data breach notifications. The end of net neutrality in the U.S. and Nigerian support for net neutrality and an open internet further reflect the divides that will continue to shape data localization into 2018.
In each case, the domestic political environment dramatically shapes and reshapes each data localization framework. For instance, Iran’s nascent state-sponsored intranet, the Halal internet, shares similar aims as China’s Great Firewall. However, in response to recent protests, Iranian President Hassan Rouhani noted, “Some imagine that the people only want money and a good economy, but will someone accept a considerable amount of money per month when for instance the cyber network would be completely blocked?” As this quote demonstrates, shifting political environments will likely result in shifting data localization frameworks, not just in Iran but across the globe.
While the GDPR is understandably garnering the most attention due to its May 2018 implementation deadline, countries across the globe are increasingly shaping their own data frameworks for information security. The result is a patchwork of laws and policies that impact corporate data governance as well as individual privacy. Social media companies already experience this with various approaches to online speech, and other multinational corporations are increasingly impacted by various frameworks for data protection, cross-border data flows and privacy. While many of the recent policies reinforce the key tenets of a secure, free, and open internet, authoritarian data localization strikes at these fundamentals and puts internet freedoms, economic security and democracy at risk across the globe.