The Washington PostDemocracy Dies in Darkness

The U.S. wants to maintain cross-border data flows. That may be tough.

Visitors at the Google booth during the China International Electronic Commerce Expo. (AFP via Getty Images)
Placeholder while article actions load

Karen Kornbluh, the former U.S. ambassador to the Organization for Economic Cooperation and Development (OECD), has a new cyber brief making the case for open cross-border data flows at the Council on Foreign Relations website (full disclosure: I authored an earlier brief in this series). Kornbluh argues that foreign jurisdictions pose an increasing threat to open flows of data across networks such as the Internet. They are imposing “data localization” requirements that force e-commerce companies to maintain personal data within national borders, require them to treat this data in certain ways, and make it available to law enforcement officials when they want. Kornbluh hence argues that the United States should:

explore new avenues to prevent these restrictions on the free flow of data. Given that the majority of the world’s largest Internet companies are headquartered in the United States, tensions erupt most frequently when foreign citizens’ data is held by U.S. companies or stored on U.S. soil.

However, (as Kornbluh almost certainly realizes) it is going to be very hard to really open up flows of data across borders for basic political science reasons.

States don’t agree on open data flows

The fundamental problem that Kornbluh wants the United States to address is as follows: The Internet and similar technologies are supposed to promote open flows of information. However, these networks span the borders of very different states with very different priorities. Some formally value freedom of the press, while others do not. Some believe in strong privacy limitations on how businesses can use personal data, while others prefer a free for all. Some are democracies, others autocracies.

These differences lead states to regulate information flows to protect and promote their own interests and values, even when this clashes with the values of others. For example, the European Union has sought to make U.S. companies respect its understanding of privacy laws, including the so-called “right to be forgotten.” States such as China have tried to get domestic and foreign e-commerce firms to provide information and access that would allow them to keep an eye on what their citizens are doing and to block certain kinds of information flows. Both of these, for different reasons, are at odds with American priorities and make life hard for U.S. companies which find themselves obliged to obey rules set by foreign governments.

However, the United States may not be able to do much about it

The problem is that this reflects basic realities of international politics. States have different interests and understandings of how to maintain political order. The United States sees open political argument as a core strength of its system of government. The People’s Republic of China, in contrast, sees open political argument as a potential threat to its system of one-party rule. As Jack Goldsmith and Tim Wu argue, cross-border data flows mean that the preferences of countries such as the United States and the preferences of countries such as China are inevitably going to come into conflict with each other. Furthermore, where the clashes are fundamental (e.g.: where they reflect basic disagreements about how to organize politics), there will be little scope for compromise.

“Open cross-border data flows” may sound like something delicious and uncontroversial, like ice cream and apple pie, that everyone would prefer if they were only thinking straight. Yet in a world of fundamental disagreements over politics, they are anything but uncontroversial. States fight over them. As my own research discusses, private actors, such as e-commerce firms, are likely to suffer as they are pressed into service by different states using them to try to extend their jurisdictional grasp.

The United States isn’t always sure about open cross-border data flows itself

Another problem is that the United States itself wants restrictions on cross-border data flows. Most obviously, it has pushed for strong intellectual property rules worldwide, to protect U.S. media providers and technical patents. Those rules, by definition, restrict the flow of worldwide information, leading to retaliation against countries that aren’t tough on the copying of movies and songs, and preventing businesses in other countries from copying the industrial processes of U.S. firms. The United States didn’t use to be this way — in the 19th century, the United States provided very little protection to foreign authors (leading to complaints from writers such as Charles Dickens, whose books were pirated by U.S. publishers) or inventors (allowing U.S. firms to play catch-up with their European competitors). Now, in contrast, it is considering banning imports of Chinese steel to retaliate against Chinese firms who have taken advantage of U.S. industrial secrets.

The United States is currently engaged in the kind of behavior that Kornbluh criticizes. The Department of Justice is in a major battle with Microsoft over access to information held on servers located in Ireland. Microsoft’s lawyers argue that this would lead to “a global free-for-all” in which “any country with jurisdiction over a provider can reach into any other country and plunder our e-mails.” In one sense it is unsurprising that the United States is doing this — states often tend to use all the tools at their disposal to advance their goals. Yet it also makes it hard for the United States to go to international fora and criticize other countries that are undertaking similar measures.

Reaching agreement is hard

Kornbluh implicitly argues against the skeptics by pointing to what she describes as “several recent diplomatic successes, including the Privacy Shield agreement between the European Union (E.U.) and the United States, as well as ongoing U.S.-U.K. negotiations to streamline access to data in criminal cases.” However, it is not clear that these offer a real precedent. The U.S.-U.K. negotiations are not concluded — but they also present a best-case scenario, involving cooperation between two countries with very similar legal systems, similar values, and histories of strong international cooperation and information exchange. Extending this kind of agreement to other democracies with different systems of justice (so-called “civil” systems rather than “common law” systems) would be very hard. Working with non-democracies would be far harder again.

The Privacy Shield, for its part, is unlikely to remain a diplomatic success. Recent developments in the European Union suggest that the agreement is a dead man walking. European national data protection officials, the European Union’s top privacy official and the European Parliament have all come out against it, demanding basic changes to the deal that the United States will not want to agree to. The agreement is certain to be challenged at the European Court of Justice (the E.U. equivalent of the Supreme Court) and is highly unlikely to survive the challenge.

The United States will need to make changes, too

All this suggests that reaching agreement on cross-border data flows is hard. It is especially hard because the United States, unsurprisingly, would prefer to reach agreements that reflect its basic preferences and don’t involve hard compromises. However, other states, obviously, have their own interests, and will want the United States to make major compromises in order to reach agreement.

Kornbluh recognizes this and suggests that the United States needs to show flexibility on exchanging information, providing limited privacy rights to foreigners and other questions. Likely, the United States will have to do considerably more than Kornbluh proposes if it is to reach agreement with the European Union, let alone with those whose interests clash more starkly.

To be clear: It is extremely plausible that Kornbluh recognizes these problems (while perhaps disagreeing with some of the arguments outlined above), even if she does not say so explicitly. If it is the job of academics to draw on research to point out problems and difficulties, it is the job of policy officials to try to figure out how to resolve those problems that can be resolved, while papering over the others. As a former (and perhaps future) U.S. high official, Kornbluh may also prefer not to say things that might be taken as implicit concessions in future negotiations.

There also are some reasons to think that academics may sometimes be too skeptical. For example, one may want to temper some of Goldsmith and Wu’s arguments. After all, cross-border data flows are still happening more than a decade after their book, albeit with restrictions. If we aren’t in the world that Internet zealots dreamed of, where state authority would be undermined by free flows of information, nor are we in a world of complete state control. Instead, we are seeing complex and unresolved struggles between states — and between states and private actors — over who is going to set the rules. In this context, carefully aimed policy interventions can have real consequences, even if they are unlikely to lead to major transformations.