Why Russia, China, and Other Countries Are Passing Data Localization Laws.
China and Russia have recently introduced new technology regulations. For China, this includes new data security and personal information lawsand for Russia, a requirement that foreign technology companies open an office in the country. American companies and foreign law enforcement are at odds over one thing that is increasingly important: data, or more specifically access to data.
It is well known that American companies collect data on Americans, but they also collect huge volumes of data on people around the world: data on citizens of foreign countries, on the interactions between these citizens and, more importantly, on the alleged criminal activities of these foreign citizens. Foreign law enforcement needs access to this data to do their job, and governments around the world, including in Beijing and Moscow, are inventing ingenious ways to ensure that access. This includes the requirement for companies to have employees and offices in the country, which is a very convenient bargaining chip.
In the good old days, law enforcement had an easier time accessing the data they needed to investigate and prosecute crimes. Since the vast majority of their citizens had very little or no interaction with companies located abroad, they only had to use the domestic mechanisms. Think of local telephone companies, business records stored on premises, court or county records, or even witnesses – all were usually located in the same country. So the country’s lawmakers could empower their law enforcement as they saw fit. Tangled cases with a multinational were rare and the imperfect system of mutual legal assistance treaties, police cooperation and letters rogatory (from one judge from one country to another) worked due to the low number of requests for data.
The data explosion of the past decade has changed this landscape, and the number of requests in all jurisdictions has exploded, with the vast majority directed to the United States. American companies have tons of data on foreign citizens, ranging from Facebook, Amazon, Google and Microsoft to payment providers, messaging apps and many other companies. Many people around the world also use these services, including for criminal (or “criminal”) activities. To start, Amazon, Google, Microsoft, and others operate physical Internet infrastructure, such as globally distributed cloud networks, that contain data. And because of the United States link in the global Internet network, up to 70 percent of all global Internet data traffic passes through a small town in Virginia. The United States has become a de facto decision maker as to which countries’ data requests are legitimate and deserve the very meager resources allocated to respond to law enforcement data requests. Some data requests reflect legitimate requests made by U.S. allies, such as investigations of local robberies or murders, or distribution of child sexual abuse material. Not surprisingly, however, many demands take an authoritarian view of “illegal” activity – the state acting against journalists, dissidents, citizens. If they break US law, they are not respected.
Authoritarian countries, especially China and Russia, want this data from American companies. With new data localization and other legal authorities, they bring these demands to the doorsteps of American businesses, because even if the data is overseas, employees and offices can be at their fingertips.
Chinese and Russian law enforcement will contact US companies directly to request this information about their citizens; intelligence and security services may also harass or intimidate field workers in local offices, pointing the finger at data access laws and demanding that they hand them over. Sometimes the threat is made quietly or implicitly. Other times, disrespect is met with outright force: when Google and Apple refused to take down an opposition app in September 2021, the Kremlin threatens field staff in Russia and sent armed, masked thugs to sit around Google’s office in Moscow. Especially as US tensions continue to escalate with China and Russia, there is no sign that this pressure will fade.
To be clear, American companies are not just dealing with these issues in China and Russia. Many countries, including U.S. allies and partners, have a legitimate need to access information about criminals, terrorists, and spies at their borders. This need has catalyzed everything from the renegotiations of the US-EU Privacy Shield framework to Washington’s executive CLOUD Act. agreement with the UK, which allows a UK judge to decide, in certain circumstances, whether UK law enforcement meets the burden of proof to request data from a US company. A major driver of data localization proposals in India, to give another example, is the agonizingly slow and inefficient process for Indian law enforcement to file data requests with the US government.
The risks are pronounced in authoritarian regimes, however, for at least two main reasons: Companies are now forced to decide which demands are legitimate and which are aimed at repression. If they reject a request, these countries can turn around and threaten employees, send executives to jail or endanger the physical safety of offices and employees in the country. Even in India, a crucial partner of the United States, the state raided a Twitter office in March 2021 (although no employees were there) when the company was not complying with requests.
Washington is feeling enormous pressure from allies and partners to make data much more accessible. For the administration, the key lies in continuing to negotiate cross-border data flows and data access requirements, including where that pressure drives data localization, such as in India. The United States can also work with individual countries to expedite and standardize the process for requesting data from American companies.
Companies operating in authoritarian regimes face much more difficult decisions. For companies that touch on issues of priority to Beijing and Moscow — like online speech, elections, and dissent — maintaining offices and employees in those jurisdictions will most likely allow those regimes to coerce compliance. Generally speaking, US companies must learn to navigate multiple legal jurisdictions at the same time, where this navigation will force them to synchronize their international behavior with unique data regimes. In the meantime, it is employees and field offices who form the front lines of this fight – and authoritarian regimes have them in their sights.