The notion that domestic storage of data will increase its security is false--but location can determine the extent to which government authorities can access data, notes a new paper from the Information Technology and Innovation Foundation.
Security doesn't depend on the country location of servers, "only on the measures used to store it securely," writes ITIF senior analyst Daniel Castro.
"The primary situation in which differences may arise between countries is in the government-mandated disclosure of data, such as for law enforcement purposes," he adds.
The extent to which governments can compel digital and telecommunication services providers to hand over data has become the source of renewed controversy since former intelligence contractor Edward Snowden leaked a trove of classified documents to media outlets earlier this year. Access by American intelligence and law enforcement to non-domestic data via the private sector has periodically flared as an international issue over the past decade, particularly in Europe.
A European Parliament committee approved in October a measure that would require any company handling European citizens' data, regardless of its location, not to comply with requests for EU citizens' data except through the channels of a mutual legal assistance treaty or international agreement. Fines for noncompliance would reach up to €100 million, or up to 5 percent of company global revenue, whichever is greater.
That proposal could set up difficult choices for American Internet companies, which would face contradictory domestic and international laws regarding data access; complying with American law regarding Europeans' data could trigger hefty fines from European Union countries. The European Court of Justice advocate general recently published an opinion stating that Google comes under European country legal jurisdiction so long as it sets up an office "which orientates its activity towards the inhabitants of that state"--even if the office conducts only the non-technical activity of selling advertising space.
In a sign that incongruent legal regimes would place unacceptable pressure on Internet companies, eight very large U.S. Internet companies released Dec. 9 an open letter to President Obama and Congress calling for consistent international adoption of data usage principles. Among the principles AOL, Apple, Google, Facebook, LinkedIn, Microsoft, Twitter and Yahoo cite in their letter is resolution of conflicting national laws through a "robust, principled, and transparent framework to govern lawful requests for data across jurisdictions, such as improved mutual legal assistance treaty."
Castro, in his paper, says that different national laws on data disclosure to governments risk becoming "an insurmountable hurdle for future trade in digital goods and services." American exports of digitally enabled services totaled $356.1 billion in 2011, calculates the U.S. International Trade Commission, a $74 billion increase over four years previously.
He calls for a "Geneva Convention on the Status of Data" that would establish multilateral agreements settling questions of jurisdiction, transparency, and the degree to which governments could access non-domestic data.