Requiring local storage of Internet data will not protect privacy
By Christopher Kuner
Widespread Internet surveillance by governments, whether carried out directly or by accessing private-sector databases, is a major threat to the data protection and privacy rights of individuals. It seems that in some countries (such as the United States), the national security state is out of control. This has led to proposals to require that the Internet data of individuals be stored within their own national borders, or even to re-engineer the technical infrastructure of the Internet to store data locally.
As I warned, requiring local data storage would undermine, rather than strengthen, fundamental rights by making it easier for intelligence services to access data locally and then share them with other countries. For example, it seems that the French intelligence services conduct widespread Internet surveillance in France and share the data they collect with the United States, so it is not clear what the privacy benefit would be of requiring data to be stored in France. Computer science experts have also stated that requiring data to be stored in country would be largely ineffective in protecting against foreign surveillance.
Proposals to limit transborder data flows under the proposed EU General Data Protection Regulation would have no effect on data processing by the intelligence services, as that instrument does not even apply to data processed for ‘national security’ purposes (under Article 4 of the Treaty on European Union, national security remains the ‘sole responsibility’ of the Member States).
Nor does human rights law necessarily require local data storage. The UN’s International Covenant on Civil and Political Rights (ICCPR) protects both privacy (Article 17), and freedom of expression ‘regardless of frontiers’ (Article 19), which rights must be balanced based on the principle of proportionality. Requiring local data storage only strengthens the authority of national intelligence services and their ability to collect data locally, and limits the possibility to communicate across borders, without having any specific benefit for privacy.
To be sure, access to Internet data by the United States and other governments will likely lead to a greater demand by citizens, businesses, and governments for data to be stored within their own borders (particularly data that are especially sensitive, or those concerning critical infrastructure). But no one should be under any illusions that legal requirements to store data locally will prevent intelligence services from gaining access to them.
So, what can and should be done to protect against surveillance of Internet data by the intelligence services?
With regard to excesses by the US intelligence services, the most effective action would be legal reform in the United States itself, and a debate is already underway in this regard. However, as a symposium issue of International Data Privacy Law in 2012 demonstrated, systematic governmental access to online data is a global problem that is not limited to one country. Calls for the UN Human Rights Commission to draft a protocol to the ICCPR specifically covering online data protection rights are praiseworthy, since we need stronger legal protections for privacy at the international level. However, such efforts are unlikely to reach fruition anytime soon.
Any moves by the European Union to protect against data access by foreign intelligence services can only be effective if the EU Member States reach a common understanding of what constitutes ‘national security’. Having 28 different national interpretations of this concept facilitates data collection by national intelligence services and the sharing of data with third countries. Data processing for national security purposes should also be brought within the EU’s data protection reform proposals (though legal issues concerning EU competence would have to be clarified in this regard).
Bellicose rhetoric calling for a ‘legal Maginot Line’ in cyberspace to protect EU data against foreign surveillance should be firmly rejected. There is no legal mechanism that can shut off data transfers from the European Union to other countries without also disconnecting the EU from the Internet, with all the catastrophic economic and social consequences that would entail. Attempting to wall off countries or regions in the Internet would be a disproportionate interference with the right of transborder communication, and would be legally unenforceable. The real Maginot Line was a failure, and a virtual one would be as well.
We should demand that personal data be protected from omnipresent law enforcement surveillance, and that legal protections be implemented to shield data as much as legally possible. However, this should cover both domestic and foreign surveillance, and should allow the Internet to function as a global, open network. If we value the freedom to communicate globally, we will have both to strengthen global standards of data protection, and reject calls for the construction of virtual walls.
Dr. Christopher Kuner is editor-in-chief of the journal International Data Privacy Law. He is author of European Data Protection Law: Corporate Compliance and Regulation and Transborder Data Flow Regulation and Data Privacy Law. Dr. Kuner is Senior Of Counsel at Wilson Sonsini Goodrich & Rosati in Brussels, and an Honorary Fellow of the Centre for European Legal Studies, University of Cambridge.
Combining thoughtful, high level analysis with a practical approach, International Data Privacy Law has a global focus on all aspects of privacy and data protection, including data processing at a company level, international data transfers, civil liberties issues (e.g., government surveillance), technology issues relating to privacy, international security breaches, and conflicts between US privacy rules and European data protection law.