Retain Locally, Comply Globally

We used to talk about the “borderless” environment of the Internet.  These days, that view is looking increasingly outmoded and utopian, in large part because of the intersection of law enforcement and privacy concerns.  Steady increases in regulation (and enforcement of existing regulation) in these areas is increasingly prompting two types of responses by global businesses:

• delivery of Internet services using servers and other facilities located in the country or region (e.g. the European Union) where the services are provided; and
• global compliance with the regulation of one country or region.

A couple of developments in the first half of April illustrate these two approaches:

• The European Court of Justice (ECJ) found the European Data Retention Directive inconsistent with EU privacy and data protection law, as my colleague Daniella Terruso has already reported on this blog.  This 2006 directive required all EU member states to adopt laws requiring public communications operators to retain data on user communications for 6 to 24 months.  One of the bases for the ECJ decision was that the directive did not require retention of data within the EU (although some member states have imposed such a requirement via their national legislation).  In our experience, many US-headquartered companies were already pursuing local retention strategies - for data retained under the directive, and otherwise - and the ECJ decision is likely to accelerate this trend.
• Microsoft obtained confirmation from the national data protection authorities of the EU’s 28 member states that its cloud services are subject to requirements of EU data protection law wherever the data are stored (at least for customers who opt to accept these protections through a contractual addendum), and therefore are fully compliant with that law for global customers.

Earlier examples of both types of responses are numerous, and in fact it is US regulation which has previously been the largest driver of such actions.  Global companies are familiar with the need to comply with US law that has extraterritorial effect on such areas as securities, mergers, export control, and anti-corruption.  And the US FBI has long worked with other US regulators to strongly encourage foreign operators to maintain facilities in the United States to permit interception of communications.  We have long expected this approach to bite back at US companies, and now, increasingly, it is.  Major emerging markets like China, India, Brazil, and Turkey have been among the quickest to apply their national laws aggressively to maintain jurisdiction over foreign companies that wish to access their growing markets. Beyond explicit regulation, there are increasing commercial drivers for businesses to retain locally or comply globally.  For example, for the last few years, many European providers of Internet and cloud services have argued that non-US customers should be reluctant to use US service providers, because of accessibility of data in the United States to US law enforcement.  In fact, this argument is suspect from a legal perspective, because US law and practice are significantly more protective of the privacy of customer data than the law and practice of many European countries.  For example, in the UK, the Regulation of Investigatory Powers Act 2000 allows a huge number of government bodies (including tax authorities and fire departments) to obtain communications data (e.g. information on caller and calling party, location for mobile calls, etc.) without court involvement.  And Italy leads the world in real-time wiretaps of communications.  But these points have started to ring a little hollow in the wake of the Snowden disclosures, and have prompted significant action. In short, watch this space.  Localization of Internet facilities and globalization of compliance with data regulation are likely to continue to increase in coming years.