Cloud computing and data localisation: Lessons on jurisdiction

20 November 2017

For many countries, the specific locus of citizen and other data for jurisdictional purposes is the data’s actual location. However, jurisdiction should be framed from a data processing and transfer perspective, and multilateral trade rules may serve as a guide to this approach. In the cloud computing age, data should generally be free from any geographic restrictions, save for certain exceptions involving national security, economic development and citizen identification.

As online technologies enable instantaneous storage, processing and retrieval of large amounts of data through cross-border networks of computers and servers, data localisation appears to be a superficial and anachronistic attempt at addressing jurisdictional issues.

While cloud computing continues to evolve rapidly, current definitions acknowledge that it goes beyond data storage. The US National Institute of Standards and Technology (NIST) enumerates the following elements: on-demand self-service, broadband network access, resource pooling, rapid elasticity, and measured service. The European Commission includes the following: hardware used in a ‘dynamically optimised’ manner across a computer network; movement or allocation of users’ workloads; storage, processing and making available data through remote hardware and applications; real-time content access by users; payment based on usage; and users’ variable use of hardware. Thus, cloud computing involves numerous infrastructure and hardware resources, dynamic processes, and online services.

The European Commission notes that ‘the exact location of data or processes, as well as the information which piece is actually serving a particular user at a given moment, does not in principle have to concern the user, even though it may have an important bearing on the applicable legal environment.’ The technical efficacy of cloud computing does not depend upon data location, but is constrained by the existing legal regime. On data privacy, for instance, Deloitte notes the need to ‘understand and comply with various jurisdictional privacy laws’. Deloitte underscores that the legal trend is ‘disrupting the supply chain of cloud computing’, and stresses the need to make the cloud provider compliant with local laws.

While it would be ideal to adopt harmonised cross-border data rules, order and stability could currently only be achieved through sovereign domestic laws. In recent years, multilateralism in general has struggled to deliver meaningful mandatory outcomes; specifically, despite more participative processes involving technical experts and other stakeholders, cross-border negotiations to govern the Internet have been an uphill climb.

Data location does not matter for technical security purposes. Rather than confining the servers to a particular locality – which would only limit the radius of possible breach – end-to-end encryption ultimately ensures the integrity and safety of data. Despite the legal thrust towards localisation, Deloitte suggests relying on encryption and anonymising technologies to secure information.

Data localisation is dictated by national security and political economy concerns. According to Lewis et al., the Snowden exposé contributed to the adoption of data localisation, greater reliance on domestic providers, and enhanced privacy protection. Governments are also wary of the growing political influence of IT giants vis-à-vis states.

Moreover, data is now said to be the world’s most valuable resource. Countries compete to attract investments in data servers and analytics to achieve development and generate employment. They now see it as a national asset for survival and influence. Data, like oil, is a vital raw material fueling production.

Yet data cannot simply be stored like oil in barrels. Apart from physical storage in servers, cloud computing involves instantaneous processing and delivery in various locations, with greater possibilities and complexities.

As cloud computing is closely associated with the provision of e-commerce, a multilateral trade policy could provide valuable insights on jurisdiction.

Since 1998, the World Trade Organization (WTO) has imposed a moratorium on customs duties on e-commerce transactions. In recent years, the US, together with the Global Services Coalition, has proposed a ban on data localisation, which affects the competitiveness of digital services exporters. In a more multipolar setting, the proposal has been opposed for national security and political economy reasons.

A more nuanced approach to the movement of data could be undertaken, similar to how trade has evolved from goods to services. In goods trade, only the product – such as oil in a barrel – moves from one jurisdiction to another, making trade rules straightforward. In trade in services, four modes of transfer – cross-border trade (similar to goods, only the service provided is transferred to another territory); consumption abroad (the consumer goes to the service provider); commercial presence (the provider invests in the consumer’s country); and movement of natural persons (the provider temporarily travels to the consumer’s location) – have varying implications on commitments. The different permutations of cloud computing (e.g. multiple locations, processes, and providers involved) could similarly be identified for jurisdictional purposes.

Akin to rules of origin in trade, data could also be treated as a raw material, intermediate good or final product. The data source would be where the most value is added (e.g. processing, analysis, transformation).

While wholesale data localisation is restrictive, the other extreme of allowing IT giants to dictate their own policies and exempt themselves from foreign jurisdictions – particularly given the intangible sovereignty issues – is too liberal and prone to abuse.

A hybrid system – where data localisation is generally prohibited, except for data directly affecting national security (with the burden of proving necessity on the claiming government), contributing to economic development, or identifying citizens (including biometric data) – is preferable, similar to the general rule of free trade in the WTO, with permitted exceptions for security imperatives, public order and morality, and special and differential treatment for developing countries.

Complex cross-border concerns require international co-operation to avoid undermining the Internet’s universality. Despite challenges to multilateralism, the growing significance of a well-functioning Internet could catalyse greater harmonisation and inclusiveness in governing cloud computing.

According to Antoine de Saint-Exupéry’s novella The Little Prince, ‘what is essential is invisible to the eye’. Governments should look beyond the static physical location of data, and the legal, political and economic comfort that localisation brings. They must see cloud computing as a dynamic activity involving value-adding storage, processing and movement of data by people and computers worldwide.

Ryan Francis D. Gener is a foreign service officer who previously served as deputy to the Permanent Representative at the Philippine Permanent Mission to the WTO. He earned the advanced diploma in Internet governance from DiploFoundation in 2017. His views are his own and do not represent the views of the Philippine government.

