Data Localization - Why You Should Care

Data localization. Chances are, you don't know what that is, but it affects you in a big way.

Data localization is where, geographically, your data is stored. The database record which constitutes your Facebook profile, for example: where is the server that stores it located? Does Facebook have a local server farm in a Canadian city which stores the main record? Or is it part of a vast, replicating, distributed database, located mostly on servers hosted in American data centers?

You might shrug: "Why does it matter where the data is stored? Data is intangible. It's constantly flowing over the internet from one machine to another." Well, the reason it matter is legal jurisdiction.

By now, you'd have to have been living under a rock not to know that the US National Security Agency has been using every legal and technological means at their disposal to collect information on people. You might perceive this as a problem exclusive to the United States. Unfortunately, if you have data which is stored on a server geographically located in the US, that data may be legally accessible by the NSA.

That concept probably has a lot of you creeped out. I'm glad you're with me. My challenge is to convince those of you who shrug a second time. After all: lots of people see what you post on Facebook. "I have nothing to hide," you might say - the classic argument of the privacy-apathetic. Perhaps you do feel you have nothing to hide in Canada. But what about the USA, or Britain? What about China or Malaysia or Vietnam? Hmm...

It was because of concerns about foreign government spying (specifically, by the American NSA) some governments have enacted "data localization" laws. Such laws state that certain personal data pertaining to their citizens (eg: their Gmail or their Facebook profile data records) must be stored on servers geographically located in the home country. This means that the hosting providers of those servers are not subject to any US jurisdiction, and (theoretically) safer from the prying eyes of organizations like the NSA.

It sounds like a good idea, but like many ideas which are great for digital civil liberties, the private sector hates it. It means that a company like Facebook has to either set up their own data center in each country that has such laws, or (even less palatably) hire another company in that country to host their servers. Companies and free-trade advocates have criticized this as trade protectionism, and stated that "data needs to flow freely across borders".

So, along came the TPP, or Trans-Pacific Partnership. For those of you who don't know, the TPP is a massive trade agreement among several of the Pacific Rim countries. The TPP has several problematic provisions that concern labour unions and farmers, as well as draconian copyright protection provisions. Another of the provisions lobbied for by industry was an end to data localization laws. This means that companies like Google or Facebook can store your data anywhere they feel is convenient. This has all sorts of scary implications, as Michael Geist has pointed out:
"The combined effect of these U.S. laws is that many users fear that once their information is stored in the U.S., it will be accessible to U.S. authorities without suitable privacy protections or oversight. Since U.S. law provides less privacy protection to foreigners, there is indeed limited legal recourse for Canadian data held in the U.S. 
In response to these concerns, provinces such as British Columbia and Nova Scotia have enacted laws to keep government information (such as health data) within the country. The TPP is designed to counter these efforts by restricting the ability of governments to mandate local data storage."
Where and under what laws intangible assets are stored is important. I doubt many people would be comfortable if the Canadian banks were suddenly bought up by American firms which cheerfully announced that your money would be safely stored in the USA, subject to scrutiny by the IRS. Nor would you be very happy to learn that your provincial health records were actually stored on a server in the People's Republic of China.

Contrary to the boosters of the TPP's anti-data-localization provisions, data already can flow freely, it does so all the time. What privacy advocates are concerned about is storage and jurisdiction, because where your data is stored defines who can get access to it, and what they can do with it.