Are We Witnessing the Roots of US Data Isolationism?

header-cover If you're an American you probably don't spend much time thinking about where all of your data is stored. In reality it is probably spread across Gmail or some other email provider, Facebook, staples.com, your cell company, the Department of Motor Vehicles, etc, etc, etc. If someone you do business with got hacked or went out of business, you probably thought some about the impact of that situation. But US attitudes and behaviors towards data privacy suggest that it didn't stop you from using other services that keep copies of your data wherever they choose to.

If you're outside of the US, you likely have a different view. In many countries an authoritarian government controls the in-country network. Unfortunate citizens of these countries believe that all of their information ultimately gets to the government, and privacy only comes with extreme effort and risk, if at all.

By contrast, in much of the developed world outside of America, especially Europe, there is a much deeper support for data privacy rights of individuals as compared to the US. These rights are strongly supported by the populace and are also, in the EU and elsewhere, instantiated as policy in law. In the EU this combines is a lingering sense of nationality; Europe still has thousands of local and national-level service providers, at the same time US service providers have been massively consolidated, largely doing away with the smaller providers. As a result, in Europe and developed countries through the world there is heightened awareness and a stronger legal framework related to where individual data is stored.

If you're a company that deals with people's data, you're likely to be tuned into this heightened privacy awareness, even if you don't operate out a country with strict laws. You know that your customer base represents a spectrum of opinions from "unconcerned" to "paranoid", and that in some cases those concerns are supported by laws that you can be held responsible for. If you are one of the online giants (Google, Facebook, Amazon, etc), you are likely in direct discussions with a variety of governments around the world about privacy and the legal implications to your business.

As a result, companies are taking a more serious approach to where they keep their customers' data. For on-line giants this is a decision of where to put your own data centers. But for most organizations this is a question of whose existing data centers you use. In either case, some of the placement decision factors are practical: available bandwidth, proximity to a tech-savvy workforce, sources of reliable energy, etc. But now data privacy and protection are additional, critical factors in deciding where to store customer data.

Daniel Castro, at ITIF, argues in "The False Promise of Data Nationalism" that the reliability and security of your datacenter provider should be paramount, and that the geo-political location is less important. He closes with a suggestion that the US should lead an effort to create an international agreement on the free flow of data.

While this view emphasizes the nationalism that I've witnessed in Europe and elsewhere, my direct experience supports the news reports that suggest that the lack of strong data privacy laws in the US are the main reasons keeping many companies from allowing their data to be stored in America. For example, I've had IT executives in many countries, including Canada, tell me that their local laws prohibit storage of specific kinds of data in US facilities. And a recent Bloomberg report suggests that some companies are now requiring their service providers and suppliers to keep corporate data be kept outside the US.

Without debating the national security and privacy implications of US policy, the Patriot Act and related laws that provide US government agencies access to stored and transmitted information are in direct conflict with other countries' attitudes and laws regarding data privacy. This is in direct conflict with many individuals' views of data privacy around the world, as well as the laws of many economically important countries. So if you are a data service provider, it is impossible for you to store certain kinds of data from many countries in the US in a way that is compliant with the laws of those countries. Period. Nothing you can do about it.

From a US perspective we can cast other countries as pursuing nationalistic data policies, but the underlying truth is that we, the US, has adopted an isolationist policy that threatens to make us a island in the world of global data.