December 2018 · Number 3

Trade, Cross-Border Data, and the Next Regulatory Frontier: Law enforcement and data localization requirements [1]

Martín Molinuevo and Simon Gaillard

Introduction

Policy-makers and regulators are striving to tackle the challenges brought by the recent exponential growth of cross-border data. One sensitive policy concern is how to ensure access to data by law enforcement, which has led countries to impose data localization requirements or other heavy-handed responses. Existing regulatory tools are poorly equipped to address these challenges of the digital age. Innovative regulatory solutions, focused on cooperation and the recognition that firms may be required to produce data regardless of its physical location, can help bring a balance between free data flows and the need to ensure effective law enforcement.

What do digital communications mean for international trade?

Cross-border data flows are becoming the defining hallmark of international trade in the 21st century. While trade in goods has slowed in the last decade, cross-border flows of data have surged dramatically (MGI 2016). Cross-border data multiplied more than 100 times between 2005 and 2017, and this number is expected to nearly quadruple by 2021. [2]

Fig. 1. Global Internet traffic. Source: Cisco Systems, reproduced by Wikipedia

To visualize this exponential growth of internet traffic (Figure 1), imagine that all global data communications were in the format of an MP3 song (the music you can listen to on your phone or mobile device). To listen to all the data transmitted globally in the year 1990, you would have needed about 25 years – about the time span of one generation. Today, to listen to one single minute worth of data flows will require the MP3 song to play for some 4,600 years. Or the entire human written history. This boom of digital communications has equally impressive economic implications: some studies estimate that data flows have contributed USD 7.8 trillion to global economic activity during the last decade, amounting to 10% of global GDP (MGI 2016).

This colossal global exchange of information has novel implications for business and for public policy. For businesses, cloud computing allows firms to organize and structure their operations more efficiently, boosting outsourcing services, and creating new opportunities for firms to join, and expand, global value chains. In the realm of policy-making, cross-border data flows bring a series of unprecedented situations to the attention of the regulator – situations that include key public policy concerns such as national security, individual privacy, economic development, and law enforcement. All these policy matters present specific challenges and require dedicated attention. This note focuses on the relationship between cross-border data and law enforcement and highlights possible alternatives to balance these policy goals. [3]

What challenges do cross-border data flows bring to regulators?

Countries are adopting diverse regulatory responses to the increasing volumes of cross-border data. Among them, bans on transferring data abroad or the obligations to store data in servers physically located in the country (“data localization requirements”) have attracted particular attention. Some studies have focused on the costs that such measures entail for the economy – predicting alarming declines in GDP, foreign investments (Bauer et al, 2015 [4]), international trade (Kommerskollegium, 2014 [5]) and productivity (van der Marel et al, 2016 [6]), and concluding that “any gains stemming from data localization are too small to outweigh losses in terms of welfare and output in the general economy” (Bauer et al, 2015). Yet few studies (and no quantitative analysis) consider the rationale behind such measures, and whether data localization requirements may in fact be an adequate response to legitimate policy concerns. Chander and Lê (2015) [7] review data localization regulations around the world and judge that alternative measures exist in all cases to achieve the purported policy goals.

One of the policy goals often prompting data localization requirements is the need to ensure the access to data by law enforcement. [8] Whereas other rules on data governance, such as on privacy protection, are desirable as a tool to increase trust in the digital markets, disciplines on data governance and its relationship with law enforcement provide courts with effective regulatory tools to carry out their law enforcement duty in the era of digital communications, while at the same time ensuring that online services are not unnecessarily burdened in that process. The tension arises when law enforcement agencies need to access data that is stored in a foreign jurisdiction and lack specific tools to compel the online provider to produce the data. In that case, courts may fail to obtain the necessary information – potentially leaving a case unsolved as a result – or may resort to draconian measures that unnecessarily burden services providers and impact consumers – hence hampering the global digital market.

How can cross-border data flows hamper law enforcement – and vice versa?

Some recent high-profile cases illustrate the challenge that global data flows can bring to law enforcement. The recent case United States vs. Microsoft Corp [9] demonstrated the linkages between cross-border data flows and the ability of courts to investigate and legitimately prosecute unlawful conduct. In this case, US federal prosecutors investigating a drug trafficking case in 2013 served a warrant to Microsoft Corp. to provide the emails of an individual. Microsoft handed over data stored on U.S. servers, the person’s address book, but did not deliver the actual content of the individual’s emails, arguing that they were stored in a Microsoft data center in Dublin, Ireland, and the warrant by US authorities did not have extraterritorial application. U.S. prosecutors argued that, because the facts of the case took place in the United States and Microsoft is a U.S.-based company [10], producing a copy of such information does not entail extraterritorial effects of the warrant, but a mere compliance with a warrant by a U.S. court. The case was brought to the United States Supreme Court but ended without a ruling due to the passage of the new Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) on March 23, 2018. This law allows federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.

The circumstances of this case raise substantial questions related to the regulation of cross-border data flows and law enforcement procedures. With no data localization requirements in the U.S., companies like Microsoft, which has over 100 data centers in 40 countries, could potentially move data swiftly for business purposes and thus hamper law enforcement work. [11] If firms are free to transfer and store data in any physical location of their choosing, how can law enforcement agencies obtain access to such information? How can policy-makers ensure that data regarding offenses occurring within their jurisdiction, by their own nationals, being stored by a domestic company remains reachable?

Courts from developing countries have also faced similar challenges in retrieving data from foreign jurisdictions, resorting at times to heavy-handed measures to overcome them. Brazilian courts have on multiple occasions come to stand-offs with online services that refused to produce data. An early case in 2006 entailed an order from a federal judge issued to Orkut, a social media platform owned by Google and one of Brazil’s most popular websites at the time, to provide details on over twenty Brazilian nationals alleged to be using the social platform for spreading child pornography and selling drugs. After an initial refusal by Orkut on the argument that the information was not stored in Brazil, but in Google’s servers in the U.S. – for which the judge imposed a fine of USD 23,000 a day – Google agreed to cooperate with the Brazilian judge’s request and hand over the information. [12] A similar case occurred in 2016, in a judicial attempt to retrieve data from an end-to-end encrypted mobile chat app (WhatsApp). [13] Faced with WhatsApp non-compliance, the judge ordered first the arrest of Facebook’s (WhatsApp parent company) executive vice-president (released one day later by order of the Court of Appeals, which deemed the arrest arbitrary and unjustified) [14] and later to block WhatsApp services in Brazil altogether for 72 hours (overturned on appeal only hours later). [15] Another similar, but unrelated case involving WhatsApp in 2016 entailed the freezing of Facebook’s bank accounts in Brazil for over US$ 6 million in fines, as a result of months of non-compliance with a court order issued in an investigation of an alleged international cocaine smuggling ring. [16]

What are the existing tools for cooperation in law enforcement in the digital age?

Mutual Legal Assistance Treaties (MLATs) are to date the main tool for international cooperation in law enforcement. MLATs are traditionally oriented to fulfilling criminal and public investigation procedures like obtaining testimony of witnesses located abroad, executing search warrants in foreign jurisdictions, or obtaining records of financial institutions abroad.

However, MLATs are poorly suited to address these challenges of the digital age. MLATs can be cumbersome and time-consuming, not only due to the rigorous legal requirements that they entail, but also due to the limited resources often available for this kind of international cooperation. [17] They are designed for courts to reach assets, companies, and people that are less mobile than the fleeting storage of bytes. Further, if the data controllers are free to move personal data around at will, and could disregard injunctions to produce required information by legitimate authorities, nothing prevents businesses from storing data in specific jurisdictions that are unresponsive to judicial cooperation, hence effectively providing a safe haven from legal prosecution. Unscrupulous firms could build a business model around such practices.

What other solutions can help law enforcement while fostering seamless cross-border data flows?

Policy makers who wish to support global trade and investment flows with an open cross-border data regime should be able to do so, without sacrificing their domestic law enforcement capacity. Data localization requirements, while potentially effective to ensure access to data by law enforcement, do entail costs that can hamper businesses. Innovative regulatory solutions should reconcile these policy objectives.

• Legislation may grant domestic courts the ability to request its citizens and firms to produce data regardless of its physical location, overcoming the need for data localization requirements. The recently approved CLOUD Act [18] distinguishes between data from Americans and non-Americans held abroad on servers of American companies. [19] This legislation allows for the retrieval of data by American citizens held abroad thus bypassing MLATs, making it mandatory for firms to comply with such court orders. Conversely, the CLOUD Act also permits foreign governments that have entered into executive agreements with the United States government to obtain information from U.S.-based internet companies.

• Other solutions may focus on strengthening cooperation between law enforcement agencies and/or between national data protection authorities. Stronger cooperation could focus on expedited consideration and implementation of the request from foreign authorities, while ensuring that privacy concerns of citizens and residents remain well protected. Such regulatory agency cooperation is hardly a novelty. Competition authorities, across the Atlantic and with many other countries, have established strong collaboration frameworks in cases related to transnational anti-competitive behaviors. Specific to cybercrime, “24/7 Networks” seek to ensure points of contact in law enforcement agencies in different countries that can respond in real time and jointly to cyberattacks and other cyber-crimes. [20]

• Trade agreements could support international rules on the interplay between data flows and law enforcement. By recognizing that court orders may, under certain conditions, reach online firms that are not established in the court’s jurisdiction, they could help prevent burdensome punitive measures on cross-border providers that unnecessarily disrupt the broader digital market. To that end, a softly worded provision, similar to existing provisions on e-commerce cooperation in the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) or the EU – Canada Comprehensive Economic and Trade Agreement (CETA), could promote greater collaboration between the parties in this field, or even serve as legal grounds for courts to request data from non-established firms.

• Finally, guidelines in the form of rules of conduct for firms responsible for data storage and processing could also provide a valuable instrument to support domestic law enforcement efforts. Firms established in the country, or firms located abroad who offer services in that country, would need to comply with such rules to facilitate law enforcement, much like the Privacy Shield between the US and EU provides a framework for compliance with privacy regulations.

The interaction between cross-border data flows and law enforcement offers an example of the challenges that new technologies can bring to policy making. New forms of information sharing, and their sheer volume, unthinkable only one generation ago, are creating formidable opportunities for business, spurring economic growth. These interactions, however, can affect sensitive public policies, such as the need to protect privacy, establish a conducive environment for trade and investment, or ensure safety and security. These policy-making challenges are only at their initial phases, and warrant careful, balanced, and innovative regulatory responses.

[1] This note was prepared by Simon Gaillard (consultant) and Martín Molinuevo (Senior Counsel, MTI). The authors are grateful to Caroline Freund (Director, MTI), David Satola (Lead Counsel, LEG), Anupam Chander (Professor, Georgetown University), Michael Ferrantino (Lead Economist, MTI), and Yanina Budkin (Senior Communications Officer, MTI) for their insightful comments and suggestions.

[2] TheAtlas.com https://www.theatlas.com/charts/rJvTuVL0e.

[3] In particular, the discussion focuses on the ability of ordinary courts, including in civil and criminal cases, to access data retained by online services providers. This note does not discuss the ability of intelligence services or other law enforcement organizations, such as specialized anti-terrorism agencies, to retrieve such data covertly, often without the knowledge of the online service provider itself.

[4] Bauer, M., H. Lee-Makiyama and E. van der Marel (2014), The Costs of Data Localisation, ECIPE, 2014.

[5] Kommerskollegium, “No Transfer, No Trade - The Importance of Cross-Border Data Transfers for Companies Based in Sweden”, National Board of Trade of Sweden, 2014.

[6] van der Marel, E., H. Lee-Makiyama, M. Bauer and B. Verschelde (2016) "A Methodology to Estimate the Costs of Data Regulation", International Economics, Vol. 146, Issue 2, pages 12-39.

[7] Chander, Anupam and Le, Uyen P., Data Nationalism (March 13, 2015). Emory Law Journal, Vol. 64, No. 3, 2015. Available at SSRN: https://ssrn.com/abstract=2577947

[8] Chander, Anupam and Le, Uyen P., Data Nationalism (March 13, 2015). Emory Law Journal, Vol. 64, No. 3, 2015. Available at SSRN: https://ssrn.com/abstract=2577947

[9] Matsakis, Louise, “Microsoft Supreme Court case has big implications for data”, Wired, February 27, 2018, https://www.wired.com/story/us-vs-microsoft-supreme-court-case-data/

[10] Given the confidentiality of the procedures, the nationality of the individual, whether the emails were generated within the United States, and the reasons why the account content was physically stored in Ireland remain undisclosed. This latter fact may relate to the individual having indicated Ireland as its country of citizenship or residency, or simply to a business decision by Microsoft. On the facts of the case, see Harvard Law Review, “Microsoft Corp. v. United States”, 130 Harv. L. Rev. 769, December 6, 2016, https://harvardlawreview.org/2016/12/microsoft-corp-v-united-states/ and Lawreview, “Microsoft Corp. v. United States”, 102 Minnesota Law Review 6, February 23 2017, http://www.minnesotalawreview.org/2017/02/microsoft-corp-v-united-states/

[11] Barnes, Robert, “Supreme Court to consider major digital privacy case on Microsoft email storage”, Washington Post, October 16, 2017, https://www.washingtonpost.com/politics/courts_law/supreme-court-to-consider-major-digital-privacy-case-on-microsoft-email-storage/2017/10/16/b1e74936-b278-11e7-be94-fabb0f1e9ffb_story.html?utm_term=.85a60c2da3d0

[12] Nakashima, Ellen, “Google to Give Data To Brazilian Court”, Washington Post, September 2, 2006, http://www.washingtonpost.com/wp-dyn/content/article/2006/09/01/AR2006090100608.html; Morphy, Erika, “Google to Comply With Brazilian Court Order”, TechNewsWorld, September 5, 2006, https://www.technewsworld.com/story/52830.html; and Wikipedia, “Orkut”, https://en.wikipedia.org/wiki/Orkut#Brazil. Eventually, Orkut went further in the cooperation with Brazilian authorities, granting the federal police direct access to Orkut’s accounts and the ability to monitor and even to delete users’ accounts in real time, without the need for a judicial order (Pagnan, Rogério, “Orkut dá à PF "atalho" para barrar páginas”, Folha de S.Paulo, November 28, 2006. https://www1.folha.uol.com.br/folha/informatica/ult124u21063.shtml).

[13] Wikipedia, “Whatsapp”, https://en.wikipedia.org/wiki/WhatsApp#Brazil

[14] G1 Sao Paulo, “'Felizes', diz Facebook sobre soltura de vice-presidente preso em SP”, O Globo, February 2, 2016, http://g1.globo.com/sao-paulo/noticia/2016/03/felizes-diz-facebook-sobre-soltura-de-vice-presidente-preso-em-sp.html

[15] G1 Sao Paulo, “WhatsApp: Justiça do RJ manda bloquear aplicativo em todo o Brasil”, O Globo, July 19, 2016, http://g1.globo.com/tecnologia/noticia/2016/07/whatsapp-deve-ser-bloqueado-decide-justica-do-rio.html?utm_source=push&utm_medium=app&utm_campaign=pushg1; Farivar, Cyrus, “Brazilian appellate judge rescinds WhatsApp block”, arsTechnica, May 3, 201, https://arstechnica.com/tech-policy/2016/05/brazilian-judge-blocks-whatsapp-for-72-hours-but-it-still-works-over-vpn-wi-fi/; BBC News, “WhatsApp in Brazil back in action after suspension”, BBC, July 20, 2016, https://www.bbc.com/news/world-latin-america-36836674.

[16] Commuter, “Brazil court blocks Facebook funds over Whatsapp dispute: Report”, Commuter, n/d, https://worldcommuter.com/brazil-court-blocks-facebook-funds-whatsapp-dispute-report/.

[17] Force Hill, Jonah, “Problematic Alternatives: MLAT Reform for the Digital Age”, Harvard National Security Journal, January 28, 2015, http://harvardnsj.org/2015/01/problematic-alternatives-mlat-reform-for-the-digital-age/.

[18] Hill, Rebecca, “CLOUD Act hits Senate to lube up US access to data stored abroad”, The Register, February 7, 2018, https://www.theregister.co.uk/2018/02/07/big_tech_biz_back_us_proposals_to_ease_overseas_data_transfers/.

[19] Several countries have already in similar procedures. See Maxwell, Winston and C. Wolf, “A Global Reality: Governmental Access to Data in the Cloud”, Hogan Lovells White Paper, 2012, https://www.hldataprotection.com/uploads/file/Revised%20Government%20Access%20to%20Cloud%20Data%20Paper%20%2818%20July%2012%29.pdf for a review of the legislation of ten high-income countries on this matter.

[20] On MLATs, 24/7 Networks, and other forms of international cooperation specific to cybercrime, see World Bank and United Nations. 2017. Combatting Cybercrime: Tools and Capacity Building for Emerging Economies, Washington, DC: World Bank License: Creative Commons Attribution 3.0 IGO (CC BY 3.0 IGO).

About the author(s):

Martín Molinuevo, Senior Counsel, World Bank’s Macroeconomics, Trade & Investment Global Practice, mmolinuevo@worldbank.org

Simon Gaillard, Consultant, Privacy and Cybersec, PWC, sjhgaillard@gmail.com