Week 5:
Network Sovereignty and Data Localisation:
- Another horizontal issue- that impacts the internet across the board
- Data localisation + sovereignty
Overview:
- Definitions and the Emergence of Data Localisation Laws
- The Free Flow of Non-Personal Data in the EU
- Cross-Border Personal Data Flows, Adequacy and the GDPR
- The Rationale(s) and Challenges of Data Localisation
- Consider net neutrality - idea that we treat all data packets equally. 2 key principles: best service and end-to-end-
o Data localisation- not allowing the data to leave the UK
o Or keeping a copy of the data in the UK
o Or only letting some individuals access content hosted in the UK
Measures that interfere with the general packet neutrality
And possibility to interfere w/ content neutrality that we spoke about last week
Setting the scene:
Data localisation:
- Defined very broadly:
o “Measures that ‘specifically encumber the transfer of data across national border’, including:
Rules preventing information from being sent outside the country; [bans on data exports]
Rules requiring prior consent before transfer; [if individual, of the individual]
Rules requiring the domestic storage of copies; [keeping a copy of all data generated but allowing
export]
Taxes on data exports. [proposed in France]
Chander and Le
- Data=harder to keep in boundaries- trying to get the better of digital data
Data localisation
Legal definition:
- ‘Any obligation, prohibition, condition, limit or other requirement provided for in laws, regulations or administrative
provisions of a Member State or resulting from general and consistent administrative practices…, which imposes the
processing of data in the territory of a specific Member State or hinders the processing of data in any other Member
State’
o Art 3(5), Regulation 2018/1807
Personalisation of data across borders
Danger posing the internet - infrastructure- content neutrality and net neutrality. but rights perspective-
freedom to information, freedom to choose best service provider.
Seen as an intrinsic threat to the internet and internet freedom
Data localisation- Peoples Republic of China:
- Since Xiping came into power- introduced network sovereignty quickly
- Part of ‘Network Sovereignty’ strategy (Cyberspace Administration of China oversees)
o China’s right to police the internet within its borders and participate in managing international cyberspace
(including the need to safeguard key information infrastructure operators).
o Emphasis on ‘secure and controllable’ IT systems
[across the county]
The internet, as a form of industrial policy, china wouldn’t be reliant on third parties at all
Other states are considering this e.g. Huaweii’s involvement in 5G in the UK- discussing the UK’s
network sovereignty- will giving a strategic role to an external organisation negatively impact the UK?
Cybersecurity Law- Art37:
- Chinese Law- weird hybrid of protecting economic interests and an internet law:
o “‘All personal information [and important business data] collected and produced by critical information
infrastructure operators during their activities within the PRC shall be stored within the territory’”
Some limited exceptions to this:
“‘…where due to business requirements it is truly necessary to provide it outside the
mainland, a security assessment shall be conducted according to the measures jointly
formulated by the national cyberspace administration and the relevant departments of the State
Council. Where laws or administrative regulations provide otherwise, those provisions apply’
o A two-step test:
General rule= data localisation
If specific business need to export, can only take place after a security
assessment.
Something Chander and Le would categorise as a data localisation
requirement
o Has been developed in subsequent guidelines:
The PRC: Status Quo:
, - Security Assessment Measures for the Cross-Border Transfer of Personal Information and Important Data (‘Cross-Border
Measures’, or CBM)
- Entered into force on 1 June 2017, but network operators given until 1 December2018 to comply
- Restrictions on the overseas transfer of personal data and ‘important information’
o What constitutes a CII? [Critical Infrastructure Information provider]- many saying that it doesn’t apply to them
[ISPs]
- CII and network operators may not provide personal data or important information outside China unless:
o Completed security assessment set out under the CBM;
o The individual has been notified of the purpose and scope of transfer and the country in which recipient is
located; and,
o The individual has consented (save in emergency where life or property is jeopardised).
Security assessment plus individualised consent
BUT- still more circumstances where you can’t transfer the data even if all has been achieved
- However, no transfer may occur notwithstanding if:
o It will violate any laws or regulations;
o It would result in risks to national security or public interests, or cause harm to vital interests (eg economic or
technological security)
o If any relevant regulator deems the transfer to be inappropriate.
Widely defined and therefore widely interpreted
The free flow of non-personal data:
- Depending on nation and aim, can be wide like the PRC, or very specific like medical data in Australia
- Can be looked at as economically beneficial - data being seen as the new oil- the input of may products/services like AI
- Some argue that the free movement of data will assist economic development in the same way that free movement of
people can
- Counter - data localisation can be looked at as protectionist measures- interfering with trade
- Or can be seen in a security lease.
- In the EU- as a reaction, the EU this year introduced a free-flow of non-personal data regulation. Primarily aims
to eliminate data localisation laws except where strictly necessary for national security measures. Has to be
justifiable
Regulation 2018/1807:1 EU
- Suggests the ‘effective and efficient functioning of data processing is a fundamental building block in any data value
chain’.
o From business and public service perspectives- data as critical for the efficient running of operation
- Seeks to eliminate obstacles to data mobility in the Internal Market; without prejudice to the GDPR.
Data localisation:
- Data localization requirements shall be prohibited unless they are justified on public security grounds and are
proportionate. Article 4
o General prohibition
o Proportionality test
Mutual Trust and Access to Data:
- Regulation shall not affect the powers of competent authorities to request or obtain access to data for the
performance of official duties. Article 5
o Sets up a contact point between MS- trying to facilitate trust between the states in a way that will allow data
to flow across borders
Data portability:
- The Commission shall encourage and facilitate the developments of self-regulatory codes of conduct at EU level to
contribute to a competitive data economy. Article 6
- We as individuals have the right to go to our ISP and move our data to another- exercising our control over our own
data
- Made to encourage data portability between companies.
o e.g. companies are also individuals. e.g. a hotel on one booking platform being able to move to another
platform without losing its goods reviews. Unlocking competition by enabling the flow of data.
Adequacy and the EU framework:
- Many say that this [Regulation] will miss the point
o Because, if we look at the GDPR, it puts in place a form of data localisation sy stem [a weak form, but a system
nonetheless]
o We work off the presumption that personal data can flow freely between EU MS because each EU MS has
enacted the GDPR. Everyone is ensuring a minimum level of protection of our personal data.
o However, if you want to export data from within the EU to outside the EU, then have to show that the third
party has adequate data protection. One of the reasons why GDPR has been used as a blueprint- allowing
economic transaction between the EU and a third party. EU regulatory supremacy.
Mechanisms to ensure flows:
- 4 mechanism in which you can ensure data flow from EU to non-EU countries:
1
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018R1807
Network Sovereignty and Data Localisation:
- Another horizontal issue- that impacts the internet across the board
- Data localisation + sovereignty
Overview:
- Definitions and the Emergence of Data Localisation Laws
- The Free Flow of Non-Personal Data in the EU
- Cross-Border Personal Data Flows, Adequacy and the GDPR
- The Rationale(s) and Challenges of Data Localisation
- Consider net neutrality - idea that we treat all data packets equally. 2 key principles: best service and end-to-end-
o Data localisation- not allowing the data to leave the UK
o Or keeping a copy of the data in the UK
o Or only letting some individuals access content hosted in the UK
Measures that interfere with the general packet neutrality
And possibility to interfere w/ content neutrality that we spoke about last week
Setting the scene:
Data localisation:
- Defined very broadly:
o “Measures that ‘specifically encumber the transfer of data across national border’, including:
Rules preventing information from being sent outside the country; [bans on data exports]
Rules requiring prior consent before transfer; [if individual, of the individual]
Rules requiring the domestic storage of copies; [keeping a copy of all data generated but allowing
export]
Taxes on data exports. [proposed in France]
Chander and Le
- Data=harder to keep in boundaries- trying to get the better of digital data
Data localisation
Legal definition:
- ‘Any obligation, prohibition, condition, limit or other requirement provided for in laws, regulations or administrative
provisions of a Member State or resulting from general and consistent administrative practices…, which imposes the
processing of data in the territory of a specific Member State or hinders the processing of data in any other Member
State’
o Art 3(5), Regulation 2018/1807
Personalisation of data across borders
Danger posing the internet - infrastructure- content neutrality and net neutrality. but rights perspective-
freedom to information, freedom to choose best service provider.
Seen as an intrinsic threat to the internet and internet freedom
Data localisation- Peoples Republic of China:
- Since Xiping came into power- introduced network sovereignty quickly
- Part of ‘Network Sovereignty’ strategy (Cyberspace Administration of China oversees)
o China’s right to police the internet within its borders and participate in managing international cyberspace
(including the need to safeguard key information infrastructure operators).
o Emphasis on ‘secure and controllable’ IT systems
[across the county]
The internet, as a form of industrial policy, china wouldn’t be reliant on third parties at all
Other states are considering this e.g. Huaweii’s involvement in 5G in the UK- discussing the UK’s
network sovereignty- will giving a strategic role to an external organisation negatively impact the UK?
Cybersecurity Law- Art37:
- Chinese Law- weird hybrid of protecting economic interests and an internet law:
o “‘All personal information [and important business data] collected and produced by critical information
infrastructure operators during their activities within the PRC shall be stored within the territory’”
Some limited exceptions to this:
“‘…where due to business requirements it is truly necessary to provide it outside the
mainland, a security assessment shall be conducted according to the measures jointly
formulated by the national cyberspace administration and the relevant departments of the State
Council. Where laws or administrative regulations provide otherwise, those provisions apply’
o A two-step test:
General rule= data localisation
If specific business need to export, can only take place after a security
assessment.
Something Chander and Le would categorise as a data localisation
requirement
o Has been developed in subsequent guidelines:
The PRC: Status Quo:
, - Security Assessment Measures for the Cross-Border Transfer of Personal Information and Important Data (‘Cross-Border
Measures’, or CBM)
- Entered into force on 1 June 2017, but network operators given until 1 December2018 to comply
- Restrictions on the overseas transfer of personal data and ‘important information’
o What constitutes a CII? [Critical Infrastructure Information provider]- many saying that it doesn’t apply to them
[ISPs]
- CII and network operators may not provide personal data or important information outside China unless:
o Completed security assessment set out under the CBM;
o The individual has been notified of the purpose and scope of transfer and the country in which recipient is
located; and,
o The individual has consented (save in emergency where life or property is jeopardised).
Security assessment plus individualised consent
BUT- still more circumstances where you can’t transfer the data even if all has been achieved
- However, no transfer may occur notwithstanding if:
o It will violate any laws or regulations;
o It would result in risks to national security or public interests, or cause harm to vital interests (eg economic or
technological security)
o If any relevant regulator deems the transfer to be inappropriate.
Widely defined and therefore widely interpreted
The free flow of non-personal data:
- Depending on nation and aim, can be wide like the PRC, or very specific like medical data in Australia
- Can be looked at as economically beneficial - data being seen as the new oil- the input of may products/services like AI
- Some argue that the free movement of data will assist economic development in the same way that free movement of
people can
- Counter - data localisation can be looked at as protectionist measures- interfering with trade
- Or can be seen in a security lease.
- In the EU- as a reaction, the EU this year introduced a free-flow of non-personal data regulation. Primarily aims
to eliminate data localisation laws except where strictly necessary for national security measures. Has to be
justifiable
Regulation 2018/1807:1 EU
- Suggests the ‘effective and efficient functioning of data processing is a fundamental building block in any data value
chain’.
o From business and public service perspectives- data as critical for the efficient running of operation
- Seeks to eliminate obstacles to data mobility in the Internal Market; without prejudice to the GDPR.
Data localisation:
- Data localization requirements shall be prohibited unless they are justified on public security grounds and are
proportionate. Article 4
o General prohibition
o Proportionality test
Mutual Trust and Access to Data:
- Regulation shall not affect the powers of competent authorities to request or obtain access to data for the
performance of official duties. Article 5
o Sets up a contact point between MS- trying to facilitate trust between the states in a way that will allow data
to flow across borders
Data portability:
- The Commission shall encourage and facilitate the developments of self-regulatory codes of conduct at EU level to
contribute to a competitive data economy. Article 6
- We as individuals have the right to go to our ISP and move our data to another- exercising our control over our own
data
- Made to encourage data portability between companies.
o e.g. companies are also individuals. e.g. a hotel on one booking platform being able to move to another
platform without losing its goods reviews. Unlocking competition by enabling the flow of data.
Adequacy and the EU framework:
- Many say that this [Regulation] will miss the point
o Because, if we look at the GDPR, it puts in place a form of data localisation sy stem [a weak form, but a system
nonetheless]
o We work off the presumption that personal data can flow freely between EU MS because each EU MS has
enacted the GDPR. Everyone is ensuring a minimum level of protection of our personal data.
o However, if you want to export data from within the EU to outside the EU, then have to show that the third
party has adequate data protection. One of the reasons why GDPR has been used as a blueprint- allowing
economic transaction between the EU and a third party. EU regulatory supremacy.
Mechanisms to ensure flows:
- 4 mechanism in which you can ensure data flow from EU to non-EU countries:
1
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018R1807
