John Selby

Data localization laws: trade barriers or legitimate responses to cybersecurity risks, or both?

Laws requiring data to be hosted within a particular jurisdiction tend to upset existing ideas about how the Internet should work. Some countries, particularly the USA, have labelled such laws as trade barriers. Other countries, such as Russia and China, have claimed they are pursuing legitimate strategies to protect their citizenry. With a particular focus upon the BRICs, this article aims to make an original contribution to this discourse by synthesizing insights from the disciplines of international trade law and internet governance to analyse and separate the rhetoric from the reality of these competing claims. Drawing upon evidence from information leaked by Edward Snowden about the activities of the US National Security Agency, the article argues that underlying these tensions is the battle to retain or reduce the comparative advantage the US has historically enjoyed in economies of scale for its Internet signals intelligence capabilities. Underneath the debate over trade issues, this article argues that data localization laws are being supported by some countries not only as a means to reduce their comparative disadvantage in Internet data hosting, but also to reduce their comparative disadvantage in Internet signals intelligence. K E Y W O R D S : data localization, International trade law, cybersecurity, BRICs I N T R O D U C T I O N While trade over the Internet is rapidly growing, challenges are emerging from the historical separation which has existed between the two fields of trade regulation and internet governance. Decisions made by stakeholders about how to regulate the Internet are being challenged as trade barriers. This article explores one instance of the emerging collision between trade and the Internet: whether policies that require the local hosting of data should be considered trade barriers. While other scholars have described data localization generally or regionally and provided a detailed study of how different countries around the world have * Macquarie University, Optus-Macquarie Cybersecurity Hub, Building E4A, Room 325, Sydney, New South Wales, Australia. E-mail: john.selby@mq.edu.au 1 See, for example, Daniel Castro, ‘How Much Will PRISM Cost the US Cloud Computing Industry? (2013) Information and Technology Foundation <http://www2.itif.org/2013-cloud-computing-costs.pdf> VC The Author (2017). Published by Oxford University Press. All rights reserved. For Permissions, please email: journals.permissions@oup.com. 1 International Journal of Law and Information Technology, 2017, 00, 1–20 doi: 10.1093/ijlit/eax010 Article introduced data localization laws, this article fills a gap in the literature identified by Chandler and Le, when they commented that ‘we leave for a later study a crucial additional concern—the fundamental tension between data localization and trade liberalization obligations’. The section ‘The concept of data localization’of this article provides a brief explanation of data localization. Section ‘What motivates the Usa to resist foreign countries’ proposals for localized data hosting?’ explores the rationale underlying opposition to data localization by US-based stakeholders, including the US government. The section ‘Limitations on data localization contained in next generation trade agreements’ describes how data localization has been contested in five of the next-generation of regional trade agreements: three agreements promoted by the USA which prohibit data localization (and exclude China) and two agreements promoted by China which do not. Section ‘Domestic laws implementing data localization’ examines successful and failed attempts to introduce data localization policies within domestic legal frameworks in four of the US’ largest trade competitors: the BRICs (Brazil, Russia, India and China). The section ‘Separating theory and rhetoric from reality’ analyses four policy debates about data localization, distinguishing rhetorical claims from underlying realpolitik so as to identify potential reasons why it is such a contested policy issue. T H E C O N C E P T O F D A T A L O C A L I Z A T I O N One of many fundamental assumptions that the Internet has been built upon is universal connectivity, ie that every node can freely communicate with every other node. Another fundamental assumption has been that the network is dumb at the centre and smart at the edges, ie that it is Internet users who control what they do over the Internet, whereas network providers only route traffic between those users without applying further policy controls over the contents of those communications. Data localization is a concept which challenges those assumptions. Data localization has two meanings. The first is a policy whereby national governments compel Internet content hosts to store data about Internet users in their country on servers located within the jurisdiction of that national government (localized data hosting). The data stored in the local jurisdiction may be either the sole copy of the data or a required local copy of data sent for storage or processing in another jurisdiction. The second form of data localization is a policy, whereby national governments compel Internet service providers to route data packets sent between Internet users located in their jurisdictions across networks located only within their jurisdiction (localized data routing). This article addresses only the first type of data localization. accessed 18 December 2016; Kuan Hon and others, ‘Policy, Legal and Regulatory Implications of a European Only Cloud’ (2016) 24 IJLIT 251. 2 Anupam Chander and Uyen Le, ‘Data Nationalism’ (2015) 64 Emory LR 677. 3 Chander and Le (n 2) 713. 4 Jerome Saltzer and others, ‘End-to-End Arguments in System Design’ in Amit Bhargava (ed) Integrated Broadband Networks (Artech House 1991); Lawrence Lessig, Code Version2.0 (Basic Books 2006) 38–60. 5 Chander and Le, above n 2, 680. 2 Data Localization Laws

Recent proposals to reform data protection laws in the EU and Australia: a comparative analysis

̧ John Selby, Macquarie University/Annelies Moens, Information Integrity Solutions P/L, both Sydney. This article reflects the personal opinion of the authors and is not an official statement of either employer. Further information about the authors at p. 96. Data protection laws designed to balance the desire for individual privacy with business and government usage of personal information have spread around the world over the last few decades. After the first wave of regulation in the 1980s and 1990s, the continued growth of internet usage has highlighted shortcomings in those regulations. This has spurred a more recent wave of reform in data protection laws in many jurisdictions. This article gives an overview of recent data protection reform efforts in two federal regulatory systems, the European Union and Australia. It then explores the history of those reform efforts and compares several significant differences between these approaches.

eBay's Paypal: Balancing Marketplace and Regulatory Regimes

This article analyses the reasons why eBays April 2008 attempt to force its Members to only use PayPal for their auction transactions failed to gain approval from the Australian Competition and Consumer Commission. It describes and analyses the complex interplay between eBays marketplace, Australian Competition law and Australian Payments Systems law to determine why eBay was unsuccessful when it had been so successful in the past in imposing changes on its Members. It provides a guide to Members in countries outside of Australia on one method to challenge eBays dominance and a salutary lesson on the complexity of Internet regulation.

A Fine Line Between Legal Access And Circumvention

The High Court of Australias decision handed down on 6 October 2005 was a finely reasoned analysis concerning the fine balance within Australian copyright law and the rules of statutory interpretation. The Court sided with the appellant, Mr Stevens, when it held that his mod chip was not a circumvention device within the meaning of the Copyright Act 1968 (Cth) (the Act) as it did not function to overcome a technological protection measure as defined in s10(1) of the Act. Combined with its rejection of Sonys arguments relating to temporary copies in RAM, it would appear that this decision was a great victory for groups such as the Australian Digital Alliance. Nevertheless, with the signing of the Australia-US Free Trade Agreement (AUS-FTA), this victory is likely to be temporary at best.