Government entities implement data residency rules to maintain “digital sovereignty” and control in a fast-evolving digital realm.
These requirements raise valid national security concerns. Dictatorship and repressive governments can exploit them to undermine democracy, limit the participation and capacities of security actors. This also increases the danger of cybersecurity threats.
This guide focuses on the impact of data residency laws on national security in today’s internet age, as it manifests.
What are These Data Residency Laws?
Data residency laws are the rules governing where consumers’ data should be stored. There are different types of data residency laws, and they vary from country to country.
Governments mandate corporations to maintain data on their national territory under data residency regulations. Data residency regulations typically focus on personal data, although some governments gather geolocation and other data.
Organizations store data in the countries it originates from or across their borders via cloud computing or storage as a service (learn more here). However, firms may raise data residency concerns when they supply hosted services over the internet.
Customers using cloud storage and STaaS are often unaware of the geographical location of their data. However, customers should understand their country’s or local jurisdiction’s data residence governing rules. This is because cloud or STaaS providers can store data globally in various data center locations.
Data residency laws are becoming increasingly important due to the rise of cloud computing. In certain countries like the US, there is a law called the Data Protection Act. It states that if a company collects personal information from an individual in one country, it must store it in another country.
This is done to protect people’s privacy and ensure that their data is not mishandled or misused by a foreign company.
Data residency laws are implemented to protect the data of its citizens from access by foreign governments. This is a very sensitive subject, as it can be perceived as protectionism or an invasion of privacy.
Why These Arguments are Flawed
Here are some of the ways data residency laws pose a threat to national security.
Limits Global Interactions
Data residency laws undermine the global interconnectedness poised by post-WWII peace and alliances. It has also been linked to a general reduction in internet freedom.
Data residency laws can hamper coordination between military, law enforcement, intelligence and other security actors. This is because they make it difficult for different nations to access information across borders.
This creates a favorable environment for malicious actors who are good at gray area tactics such as illegal financial practices and harbors the ability of targeted countries to fight or investigate them.
It can also significantly alienate countries culturally, making diplomacy and peacebuilding efforts more difficult.
In particular, if certain types of data residency laws (such as hard or hybrid) are widely used, they may hamper research into terrorist organizations’ financial patterns, jeopardize informants, and jeopardize national security.
Digital authoritarianism, according to a CSIS policy, is “the utilization of the internet or any digital technologies by leaders with dictatorial governments to diminish faith in public institutions, strengthen social and political control, and/or threaten civil freedoms.”
Data residency territorialized collected information so that national governments and, by extension, service providers can assert jurisdiction over it.
Nations that are tightening controls on their citizens, expanding their reach abroad, and exporting digital authoritarianism’s tools and techniques may become tomorrow’s national security worries for various countries.
This makes it easier for these countries to crack down on “free expression, privacy, and a spectrum of human rights,” particularly in jurisdictions with authoritarian governments or weak democracies.
These data localization rules are frequently enacted under the pretense of “protecting” individuals’ privacy or security, but the end consequence is frequently the inverse.
It’s a tool used to target minority groups, activists, and journalists, frequently under the guise of safeguarding them. This limits democracy and human rights.
It makes intuitive sense for a country to plan to retain “vital,” “highly sensitive,” data under control. Otherwise, it may slip into the hands of unscrupulous foreign entities.
However, as the definitions of these criteria become broader and more subjective over time, this expanding control has the potential to harm civil society, democracy, and human rights.
Online criminals, particularly those not affiliated with hostile governments or terrorist organizations, threaten national security. Cybercriminals can hack into financial institutions, government websites, or electricity infrastructures to steal or extort money.
They may also engage in cybercrime to further an ideological cause. State and non-state actors employ new technologies to gain an economic and military advantage, cause instability, enhance control over cyberspace material, and achieve other strategic aims.
Organizations in nations with stringent data residency and access laws, on the other hand, will gain less critical information in emergency cases because foreign business associates or governments do not trust them.
A free, open, secure, and dependable internet is essential to global trade and prosperity. Balkanization of the internet risks inhibiting competition, innovation, and commerce that provide better services for customers and can impair data security.
Evidence reveals that data raises pricing and “limited the availability of ICT products and services while producing few data center jobs” in the information and communications technology (ICT) sector.
Although cross-border data flows can make local web-based businesses less competitive, there is little evidence that data residency laws foster local economic development, whether online or offline.
Barrier-building efforts may bring short-term commercial benefits to newly advantaged domestic enterprises, but at the expense of innovation and long-term global economic progress.
Suppose a country needs to take over a bank, energy business, or a vital infrastructure provider incase of an emergency (perhaps due to conflict with other countries or international companies). In that case, all relevant data must be maintained locally and accessible without needing external collaboration.
However, until such a takeover is required, any important firm will be harbored by data residency laws. The business will be unable to utilize cutting-edge cloud computing, machine learning, and other technologies developed and hosted elsewhere.
Businesses constrained by data residency restrictions incur higher costs, use less efficient technologies, and are more likely to be taken over in a crisis.
Some countries technically assume that vital citizen’s data is safer in their home country rather than overseas storage.
Countries with isolated or obsolete data storage technology, unfortunately, are less able to protect locally held data from outside enemies or cyber criminal threats. Furthermore, an insular approach to cybersecurity can limit access to cutting-edge worldwide best-in-class solutions.
For example, when documents and storage devices holding the data are on local territory and may be taken in a raid, police, secret services, and other government officials can more easily compel access to the material.
Most private data collected by businesses is not critical for national security and is not accessed by governments because of respect for individual privacy and freedoms. As a result, demanding that corporations keep all personal data locally is neither required nor proportionate.
In addition, to control government access to data, companies must ensure remote access to data or maintain local backup copies, which businesses could create on a daily or weekly basis at a much lower cost than duplicating primary systems locally, would suffice.