
Geopolitical Conflicts, Cybersecurity and Data Localization

26 Feb 2016 by Shannon Danitz

The world has spent the past 25 years pushing toward globalization. Nations have come together at global peacekeeping summits and solidified trade pacts, while the World Wide Web has connected global citizens more closely than ever before. As we enter 2016, the tide appears to be shifting from a focus on globalization to one of localization.

Questions about the strength of the transatlantic alliance, China’s global economic strategy, and open versus closed Europe are only a few of the geopolitical conflicts that may have an impact on the global stability seen for the last two decades. Today, there is one element that is very different than in previous periods of global tension — the internet.

According to the “Top 11 Trends S&R Pros Should Watch: 2015” report published by Forrester on June 23, 2015, “geopolitical conflicts today increasingly have a cybercomponent, putting customer data and privacy at risk. Increased government surveillance and influence have exacerbated existing adversarial relationships between nations.” In today’s conflicts, the internet has become the weapon of choice used for information surveillance, criminal activity and, in some cases, destruction.

Power to the provider

With a globalized internet, any person, business or organization’s data is at risk, even those without a global presence. Data localization laws are becoming more common in an effort to protect and control the personal data of a country’s citizens. Data localization requires certain types of collected data to be stored and/or processed within the country’s borders. Some experts argue that in addition to political motives, countries passing data localization laws may also have economic motives in mind.

“Data localization laws sometimes are referred to as ‘data sovereignty’ laws because they represent a particular country’s effort to establish sovereignty over certain types of data originating in that country,” says Courtney Bowman, associate litigation attorney at Proskauer Rose LLP who focuses on privacy and data security matters. 

“It’s an understandable goal in theory, although it may be difficult to accomplish in practice given the global nature of the internet. Some countries may feel they can derive additional benefits from requiring data to stay local, including the economic benefits of IT hosting, the prospect of large multinational companies opening offices there and the ability to restrict competition from foreign companies. Whether these perceived benefits may be realized is debatable, but regardless, they motivate countries to enact these types of laws,” Bowman says.

Navigating data sovereignty

Canada, Russia, Australia, France, South Korea and India are just a few of the nations that have put data localization requirements in place to protect their data. Since requirements vary significantly by country, organizations doing business in these regions must be cognizant of the local requirements and the respective impact on their data. Compliance can be costly, time-consuming and difficult, especially for smaller organizations.

“Small companies may have a particularly hard time grappling with data localization laws, since they may not have the resources necessary to ensure compliance with a particular country’s law,” says Bowman.

“For example, a small-time app developer may collect data from citizens in a country with a broadly drafted data localization law requiring all personal data to be stored and processed in-country, but it probably would be hard for the developer to build a server in a foreign nation and segregate user data to ensure that all those citizens’ data is stored and processed within that jurisdiction. The developer may have difficulty simply keeping up with the requirements of the various data localization laws around the world, as laws differ significantly from country to country,” Bowman explains.

The question of trust

Data localization definitely has its drawbacks, the biggest being the potential impact on the global nature of the internet. Localizing data breaks up the global network into country-level networks, creating a risk of cyberisolationism.

According to Colvey Martin, enterprise architect at Insight, “A service-based isolation is already happening today. For example, Hulu restricts access from certain geographic regions. The risk at that level is that I’m unable to access particular information that I may find useful. On a larger level, when you restrict the flow of information, you leave people vulnerable to whatever information is available or ‘approved’ for access.

“Some would argue that if we cut access to countries that have terrorist ties, it would be a good thing. But we have to remember there are people in that country that utilize the web for good as well,” Martin adds. “Isolating one’s self does not solve external problems.”

Given the global nature and adaptability of today’s internet service organizations, data localization is not going to be the thing that breaks the internet — but it is going to have an impact.

Global companies are going to have to learn to operate on a local level, requiring more time and resources. The efficient way of doing things is not often going to be the right way when navigating data localization laws. It is also going to require answers to some tough questions.

“The question is what comes of visibility across the services,” says Martin. “When you have friends on social media in other countries, does that now mean you can’t be friends because they are only allowed a local version of the system? Or does it simply mean a company like Facebook segments where the data is stored based on the user’s local offering?”

Data localization laws in Russia

As of September 1, 2015, Russia mandated that the collection, recording, systemizing, storing, updating, amending and retrieving of all personal data of Russian citizens be performed on servers within the country’s borders. Local companies, as well as foreign companies doing business in Russia, must notify the Russian Federal Service for Oversight of Communications, Information Technology and Mass Media, also known as Roskomnadzor, of the exact location of their data servers.

Roskomnadzor released a plan on January 13, 2016, to audit more than 300 domestic companies. Of those, only two were found not to be in compliance. Organizations found in violation may face government sanctions or monetary penalties, and the Russian government can also block access to the company’s website.

This article originally appeared in Volume 2, Issue 1 of Technically digital magazine.