It was only a matter of time before populist-minded skeptics sounded privacy alarms over provisions the US government is currently negotiating in trade agreements to prevent "data protectionism." File it under the category of "no good deed goes unpunished."
Case in point, Emma Woollacott’s recent Forbes article that incorrectly asserts that trade negotiators have slipped provisions into the Trade in Services Agreement (TISA) that threaten privacy and security. In reality, these terms are meant to reduce barriers to trade in services – such as banking and health care – among 24 World Trade Organization member countries.
But Ms. Woollacott contends that people’s privacy could be threatened because language in TISA "could bar countries from trying to control where their citizens’ personal data is held or whether it’s accessible from outside the country." In making this assertion, she cites a TISA provision stating that "no party may require a service supplier, as a condition for supplying a service or investing in its territory, to: (a) use computing facilities located in the Party’s territory." She goes on to warn us "there are clear implications for privacy – as well as security from hacking. EU privacy regulations currently require companies to store EU citizens’ personal data locally, to make sure they comply with the region’s strict legal requirements for data processing."
Of course, Woollacott is not alone – in the US or abroad – in trying to connect TISA’s provisions to an abrogation of privacy rights. Writing in Slate, Margot Kaminski contends, "states bargain away citizens’ freedoms behind closed doors" with TISA. Of course, privacy is one of those freedoms implicated. Likewise, Patricia Ranald, coordinator of the Australian Fair Trade and Investment Network, asserts that TISA contains "rules that would threaten privacy and civil rights protections for digital personal data."
But the notion that data must be stored locally to be secure or to maintain privacy protections is patently false, as the Information Technology and Information Foundation has shown in a detailed report. The security of data does not depend on where it is stored, only the measures used to store the data securely.
With regard to privacy, the entities that leverage a consumer’s data in the course of their business activities must adhere to the privacy laws a country imposes; thus where that data is stored is immaterial. It’s either in compliance with the privacy laws and regulations of the home nation or it is not. For example, American companies must comply with the privacy provisions of HIPAA (the Health Insurance Portability and Accountability Act), which regulates US citizens’ health data privacy rights, or the Gramm-Leach-Bliley rules regulating the privacy of financial data, whether they store a customer’s data on their own server in the US or on a third-party cloud server in another nation.
A business simply cannot evade a nation’s privacy and security laws by moving the data to another nation. Besides, the provisions do not in any way prevent a government from making a decision about where to store personal data used in the delivery of government services – whether tax or benefits data or personal health records – but it does foreclose a government’s ability to mandate that such data (or data collected by a private company) could be stored only within the geographic confines of a country.
So why are US negotiators pushing to add this kind of provision to trade agreements such as TISA, the Trans-Pacific Partnership (TPP), and Transatlantic Trade and Investment Partnership (TTIP) agreements?
Just as trade negotiators fought to remove barriers to trade in physical goods in the 20th century in order to maximize economic growth and prosperity, they need to remove barriers to trade in digital goods and services in the 21st century.
When organizations can choose to store their data with any provider anywhere in the world, they have access to best-of-breed solutions providers – whether they’re located in the cloud or are using servers in another country – that have the best documented track records of securely managing a citizen’s or customer’s data and protecting their privacy rights. But if countries were allowed to mandate local data storage requirements or require an Internet company to use only local computing facilities to store data or deliver digital services, they then foreclose this option for their citizens and enterprises. Moreover, such policies would unnecessarily add additional costs (for example, by forcing companies to open more local data centers than necessary), which would raise the cost of digital services for end users. Finally, one overlooked impact of allowing mandatory data localization policies is on the environment. If firms are forced to build redundant data centers they will end up using more energy for redundant facilities than if they can optimize data center location.
Data increasingly represents the lifeblood of the global economy. The reality is that the terms the US seeks in TISA, TPP, and TTIP are designed to facilitate the exchange of information, data, and knowledge that make the world work today. It is not a coordinated campaign to undermine individuals’ privacy rights; rather, it is an effort to prevent new, disruptive forms of digital protectionism in the 21st century.
Stephen Ezell is vice president for global innovation policy for The Information Technology & Innovation Foundation, a nonpartisan Washington think tank. Follow him on Twitter @sjezell.