Data sovereignty: electronic border controls

Data sovereignty: electronic border controlsTechnology – specifically, the internet – has made it much easier for businesses to operate on an international level. We’re used to an instantaneous flow of information and data across locales unheard of a decade ago.

But things are changing in the datasphere. In many jurisdictions, data protection legislation regulates the collection, sharing, and transmission of personal data. Recent revelations about how some organizations and governments harvest, collect, and (in some cases) just plain steal data are helping create a climate of paranoia.

This is driving nations to take steps to ensure that their data, and the means of processing that data, remain within their borders. Data sovereignty is a challenge for all businesses seeking to operate on a global level.

Border controls for data

China is growing ever more protective of its domestic technology market and relevant data. The result is a confusing mish-mash of rules related to data protection and prohibitions on moving data outside the country. Many organizations handling Chinese data are now forced to cease handling such data, or obliged to operate a data center in China.

Indonesia drew criticism earlier this year when its government threatened to force IT service providers, such as Google, to build data centers within the country. But Indonesia is following the lead of China, while Brazil, Malaysia, South Korea, Venezuela, and Vietnam are taking similar steps. This list is expected to grow, and include European countries and the US. The freedom of data movement is under threat.

Ironically, many nations seeking to impose or protect their own data sovereignty are keen to house and manage data originated from others. It’s a case of “you can’t have any of our data, but please pay us to look after yours.”

Any firm collecting or processing data in a nation with data sovereignty rules understands the problem. In China, you may face prosecution if you inadvertently transfer data relating to trade or state secrets outside the jurisdiction, though you may not always be aware if the data falls under such a heading.

KYD: Know your data

In such a case, do you cease working in that jurisdiction, or jump through the procedural hoops required to comply with local law? Unfortunately, the latter is unavoidable. You need to know the precise nature of the data: where that data was collected, where it relates to, and where it may be transferred to. You also need to know the extent of applicable data sovereignty laws in both the location where you collect the data from, and the location where it will be transferred to.

Do you need legal advice for every jurisdiction the data passes through? For countries like China, the answer is likely “yes”. But the cost of legal fees alone may be enough to drive a business with limited resources away from the country

But driving businesses away won’t discourage a country from changing its data sovereignty rules. Data sovereignty is just one aspect of technological protectionism, a trend most recently seen in China. The government promotes a concerted move away from American technology, be it IBM servers and Microsoft Windows, or the Apple iPhone. Unfortunately such protectionism is bad for competition and, ultimately, bad for the industry.

Note that the views expressed by LegalWatch contributors do not necessarily reflect the views of Computerworld Hong Kong.

Paul Haswell is a partner with Pinsent Masons. He is based in Hong Kong and specializes in technology (including telecoms and data protection), commercial and employment matters