The era of borderless data is ending

Every time we send an email, touch an Instagram ad, or swipe our credit cards, we create digital data.

Information travels around the world at the speed of a click, becoming a kind of borderless currency that sustains the digital economy. Largely unregulated, the stream of bits and bytes has helped fuel the rise of transnational mega-corporations like Google and Amazon and has reshaped global communications, commerce, entertainment and media.

Now the era of open borders for data is ending.

France, Austria, South Africa and more than 50 other countries are stepping up efforts to control the digital information produced by their citizens, government agencies and corporations. Driven by security and privacy concerns, as well as economic interests and authoritarian and nationalist forces, governments are increasingly setting rules and standards on how data can and cannot move around the world. The goal is to acquire “digital sovereignty”.

While countries like China have long since isolated their digital ecosystems, the imposition of more national rules on information flows represents a fundamental shift in the democratic world and alters the way the internet operates since it became widely commercialized in the 1990s. nineteen ninety.

The repercussions for business operations, privacy, and how law enforcement and intelligence agencies investigate crimes and run surveillance programs are far-reaching. Microsoft, Amazon and Google are offering new services to allow companies to store records and information within a certain territory. And the movement of data has become part of geopolitical negotiations, including a new pact to share information across the Atlantic, which was agreed in principle in March.

“The volume of data has become so large in the last decade that it has created pressure to bring it under sovereign control,” said Federico Fabbrini, a professor of European law at the City University of Dublin, who has edited a book on the subject and argues that data are inherently more difficult to regulate than physical goods.

For most people, the new restrictions are unlikely to close popular websites. But users may lose access to some services or features depending on where they live. Meta, the parent company of Facebook, recently said it would temporarily stop offering augmented reality filters in Texas and Illinois to avoid being sued under laws governing the use of biometrics.

The debate over data restriction echoes larger fractures in the global economy. Countries are rethinking their reliance on foreign assembly lines after supply chains failed in the pandemic, delaying deliveries of everything from refrigerators to pickup trucks. Fearing that Asian computer chip makers are vulnerable to Beijing’s influence, US and European lawmakers are pushing to build more domestic factories for the semiconductors that move thousands of products.

The shift in attitudes toward digital information is “linked to a broader trend of economic nationalism,” said Eduardo Ustaran, a partner at the law firm Hogan Lovells, which helps companies comply with the new data rules.

The core idea of ​​”digital sovereignty” is that digital escape created by a person, company or government must be stored within the country of origin, or at least handled in accordance with privacy and other standards set by a government. In cases of more confidential information, some authorities want it to also be controlled by a local company.

That’s a change from today. Most files were initially stored locally on personal computers and company mainframes. But as internet speeds have increased and telecommunications infrastructure has advanced over the past two decades, cloud computing services have allowed a person in Germany to store photos on a Google server in California, or a company in Italy to run a Google website. Amazon Web Services operated in Seattle (USA).

A tipping point came after national security contributor Edward Snowden leaked dozens of documents in 2013 that detailed the widespread surveillance of digital communications in the US. In Europe, concerns grew that reliance on US companies like Facebook would leave Europeans vulnerable to US spying. This has led to lengthy legal disputes over online privacy and transatlantic negotiations to protect communications and other information carried for US companies.

The consequences are still being felt.

While the United States supports a free and unregulated approach that allows data to pass between democratic nations unhindered, China has joined with Russia and others to isolate the internet and keep data within reach to surveil citizens and clamp down on dissent. Europe, with heavily regulated markets and data privacy rules, is taking another path.

In the European Union, citizens’ personal data must follow an online privacy law, the General Data Protection Regulation, which came into force in 2018. Another bill, the Data Law, would apply new limits on what corporate information could be made available to intelligence services and other authorities outside the bloc, even with a court order.

The Biden administration recently drafted an executive order to give the government more power to block deals involving personal data of Americans that pose a risk to national security, according to two people briefed on the matter. A government official said the document, which Reuters previously reported, was an early draft sent to federal agencies for comment.

But Washington has tried to keep the data flowing between the United States and its allies. On a March trip to Brussels to coordinate a response to Russia’s invasion of Ukraine, President Joe Biden announced a new deal to allow EU data to continue flowing to the US.

The deal was necessary after the top European court struck down an earlier deal in 2020 because it failed to protect European citizens from spying by US authorities, jeopardizing the operations of thousands of companies that transmit data across the Atlantic.

In a joint statement in December, Gina Raimondo, US Secretary of Commerce, and Nadine Dorries, Britain’s top digital minister, said they hoped to counteract “negative trends that risk shutting down international data flows”. The US Commerce Department also announced last month that it was teaming up with several Asian nations and Canada to keep digital information flowing between countries.

As new rules were adopted, the tech industry raised alarm bells. Groups representing Amazon, Apple, Google, Microsoft and Meta argued that the online economy was fueled by the free flow of data. If tech companies were forced to store everything locally, they wouldn’t be able to offer the same products and services around the world, they said.

The countries, however, repressed anyway. In France and Austria, customers of the internet measurement software Google Analytics, which is used by many websites to collect audience numbers, were told this year not to use the program anymore because it could expose the personal data of Europeans to American spying. .

Last year, the French government canceled a deal with Microsoft to handle health-related data after officials came under fire for awarding the contract to an American company. The authorities have pledged to partner with local firms.

Companies have adjusted. Microsoft said it is taking steps so that customers can more easily maintain data in certain geographic areas. Amazon Web Services, the biggest cloud computing service, said it allows European customers to control where data is stored.

In France, Spain and Germany, Google Cloud signed agreements last year with local technology and telecom providers so that customers can ensure that their data is supervised by a local company while using Google products.

“We want to find them where they are,” said Ksenia Duxfield-Karyakina, who leads Google Cloud’s public policy operations in Europe.

Liam Maxwell, director of government transformation at Amazon Web Services, said in a statement that the company will adapt to European regulations, but that customers should be able to purchase cloud computing services as per their needs, “and not limited by the location of the technology provider.” “.​

Translated by Luiz Roberto M. Gonçalves