Steptoe Cyberblog

Retain Locally, Comply Globally

Posted in International, Privacy Regulation, Security Programs & Policies

We used to talk about the “borderless” environment of the Internet. These days, that view is looking increasingly outmoded and utopian, in large part because of the intersection of law enforcement and privacy concerns. Steady increases in regulation (and enforcement of existing regulation) in these areas are increasingly prompting two types of responses by global businesses:

  • delivery of Internet services using servers and other facilities located in the country or region (e.g. the European Union) where the services are provided; and
  • global compliance with the regulation of one country or region.

A couple of developments in the first half of April illustrate these two approaches:

Earlier examples of both types of responses are numerous, and in fact it is US regulation which has previously been the largest driver of such actions.  Global companies are familiar with the need to comply with US law that has extraterritorial effect on such areas as securities, mergers, export control, and anti-corruption.  And the US FBI has long worked with other US regulators to strongly encourage foreign operators to maintain facilities in the United States to permit interception of communications.  We have long expected this approach to bite back at US companies, and now, increasingly, it is.  Major emerging markets like China, India, Brazil, and Turkey have been among the quickest to apply their national laws aggressively to maintain jurisdiction over foreign companies that wish to access their growing markets.

Beyond explicit regulation, there are increasing commercial drivers for businesses to retain locally or comply globally. For example, for the last few years, many European providers of Internet and cloud services have argued that non-US customers should be reluctant to use US service providers, because of the accessibility of data in the United States to US law enforcement. In fact, this argument is suspect from a legal perspective, because US law and practice are significantly more protective of the privacy of customer data than the law and practice of many European countries. For example, in the UK, the Regulation of Investigatory Powers Act 2000 allows a huge number of government bodies (including tax authorities and fire departments) to obtain communications data (e.g. information on caller and calling party, location for mobile calls, etc.) without court involvement. And Italy leads the world in real-time wiretaps of communications. But these points have started to ring a little hollow in the wake of the Snowden disclosures, and have prompted significant action.

In short, watch this space.  Localization of Internet facilities and globalization of compliance with data regulation are likely to continue to increase in coming years.