Russia. China. Now Europe?
In a trend that has spooked Silicon Valley, senior EU officials are flirting with the idea of forcing companies to store and retain at least some of their data in Europe.
The push for so-called data localization has its biggest backer in Thierry Breton, a French former tech CEO who now oversees a swath of EU digital policymaking and told lawmakers last month that data produced in Europe “should be processed in Europe.” In 2018, while a tech executive, he went further, telling a French newspaper that EU privacy regulation should require data to be physically stored in Europe.
Breton, an ally of French President Emmanuel Macron, has won high-profile support for the idea from top data-protection, cybersecurity and diplomatic officials across Europe, including German Economy Minister Peter Altmaier, who is looking to launch a home-grown cloud storage service called Gaia-X to wean Europe off foreign suppliers.
Announcing the project late last year, Altmaier said that Europe needs “a data infrastructure that ensures data sovereignty,” adding that it is important that cloud solutions are not just created in the United States.
“Theres a correlation between governments that want to implement data-localization measures, and high levels of corruption and weak institutions” — Matthias Bauer, analyst
For now there is no suggestion that the blocs digital initiatives, set to be unveiled Wednesday, will include hard rules on data storage.
However, leaked documents outlining Europes grand digital strategy include talk about fostering an environment that will “lead to more data being stored and processed in the EU,” as well as an “open, but assertive approach to international data flows.”
The mere prospect of a European data grab has already alarmed firms from Silicon Valley to Chinas Shenzhen and Hangzhou regions, which have substantial operations in Europe and send large amounts of data overseas for processing.
For those players — which have a business incentive to keep data flowing freely across borders — a move toward localization in Europe would set a dangerous precedent.
German Economy Minister Peter Altmaier has said that Europe needs “a data infrastructure that ensures data sovereignty” | Bernd Thissen/AFP via Getty Images
Not only would it undermine the EUs own insistence on free data flows in negotiations with trade partners, they argue. It would also put the bloc in a league with authoritarian regimes in Russia and China, which use localization rules to clamp down on the circulation of information — splintering the notional world wide web into country-sized shards.
“Its not in line with EU positioning,” Thomas Boué of the Microsoft-backed trade group the Software Alliance (BSA), said of potential moves to keep data stored in Europe.
Alex Roure, of the Computer & Communications Industry Association (CCIA) lobby group, said he has not seen a “single case” where data localization benefits privacy, security or the economy. “If its to protect local incumbents, that would be problematic.”
But the fact that top EU officials, including the blocs data-protection supervisor, have voiced support for limits of some form on international data flows — as well as Europe-based cloud storage solutions — underscores the widening division and rivalry between Europe and the United States on tech.
One major signal that could determine the EUs stance on data is a landmark ruling at the Court of Justice of the European Union, expected later this year, that will determine whether EU citizens data can safely be transferred around the world.
If data transfer mechanisms are struck down, all overseas data flows would become subject to legal uncertainty — an implicit argument for keeping more of it on the Continent.
For critics of data localization, there is little doubt that such rules are a prelude to democratic backsliding. Among other examples they point to China, where a 2017 cybersecurity law forces operators of critical infrastructure to store all personal and “important” data they hold within China.
Exports of data are only allowed if a regulator agrees that they are genuinely necessary for business reasons. Even operators of non-critical infrastructure — so-called network operators, which can include anyone with a website — must submit security-assessment reports demonstrating a clear need for data to be transferred abroad.
Another standard-bearer for the approach is Russia, which has rules requiring a copy of data on Russian citizens to be stored in the country. It banned LinkedIn for flouting the rules, and recently fined Facebook and Twitter $63,000 each for failing to comply with a national data law.
India, under the leadership of Prime Minister Narendra Modi, is also leaning toward data-localization requirements, while countries close to China, like Vietnam and Malaysia, have similar rules.
“Theres a correlation between governments that want to implement data-localization measures, and high levels of corruption and weak institutions,” said Matthias Bauer of Brussels-based think tank ECIPE, who authored an influential study on data-localization rules.
European policymakers have repeatedly insisted on the need to guarantee high levels of privacy protections for EU citizens data.
Proponents of the policy insist it can ensure that valuable information and know-how isnt lost. But the evidence is scant that data localization boosts local industry in the way its proponents say it does. ECIPEs 2014 study into data localization estimated that such requirements could shave up to 1.7 percent off gross domestic product, a common measure of economic health.
Data localization is also widely believed to be used by autocratic regimes to gain a backdoor into information systems, and spy on their citizens.
But those who advocate for localization in Europe insist their version would be different.
There is little suggestion, for example, that policymakers are looking to improve their ability to snoop on citizens. European policymakers have repeatedly insisted on the need to guarantee high levels of privacy protections for EU citizens data, particularly in sensitive categories such as health or financial information.
Europes strict framework, the General Data Protection Regulation, is the strictest privacy regulation in the world on paper. But as privacy activists point out, the law gives regulators little oversight once data leaves the region.
Wojciech Wiewiórowski, Europes new data protection supervisor | Sebastien Pirlet/European Union