Pages

27 December 2023

Safeguarding Data in a Globalized World

Matthew Flug & David Rader

The U.S. has a glaring national and economic security risk which uniquely looms because of the everyday actions of normal citizens: generating data. That risk is that the U.S. does not currently have any laws or regulations regarding the storage of U.S. persons data on overseas servers or in the cloud. At present, huge quantities of personal data of Americans are unwittingly stored on overseas servers or in the borderless cloud because of cost, infrastructure, or contractual efficiencies. Accommodating frictionless business desires for national and economic security needs should be thoughtfully addressed. To do so, the U.S. should prioritize creating legislation which aims to protect the sensitive data of U.S. persons and obligate both government and industry to adequately safekeep our stored personal data to avoid deliberate or even accidental weaponization by its custodians.

In our current digital landscape, data serves as the cornerstone of our modern economy. The continuous flow of data across borders presents significant challenges in ensuring its security, particularly when it is stored overseas. This complexity is exacerbated by the absence of a comprehensive federal law or regulation specifically addressing the storage and transfer of data beyond U.S. borders. While some countries maintain robust data protection laws, their variations and incapacity to counter the nefarious actions of adversarial state actors magnify the challenge. This issue originates from problems in an already lacking export control regime, which complicates the supervision of U.S. authorities monitoring data transmitted overseas. Intangible remittance of sensitive data overseas should be built into revised export control regulations that sufficiently account for evolving concerns. The complexity here deepens when data is moved to a third-party country, further distancing it from direct U.S. oversight.

For example, the rise of cloud computing empowers businesses to store and handle their data on servers situated in various foreign territories, causing uncertainty regarding the data's location and accessibility. Broadly speaking, data localization is a possible solution in maintaining data assurance; however, it may severely limit commerce in a very interconnected world.

Although the U.S. upholds strong data protection laws in specific sectors like healthcare and finance, a comprehensive federal law governing the storage and transfer of data outside the country is noticeably lacking. Consequently, businesses have the freedom to transfer and store data to any country, irrespective of that nation's data protection laws and susceptibility of intrusion. This regulatory gap raises serious concerns, leaving the data of U.S. citizens and businesses vulnerable to theft, misuse, and exploitation by both state and non-state actors. Furthermore, investigating crimes abroad involving data becomes a complex challenge for U.S. law enforcement agencies – especially if the host nation is unable or unwilling to assist. In a world where data is the new currency, the absence of a comprehensive federal law leaves the door wide open to potential exploitation by both state and non-state actors, allowing the fate of sensitive information to hang precariously, accessible to those with ill intent and beyond the immediate reach of regulation.

The current regulatory landscape includes provisions such as the General Data Protection Regulation (GDPR) ensuring the security of outbound European data, the California Consumer Privacy Act (CCPA) protecting the data privacy of Californian residents, the Health Insurance Portability and Accountability Act (HIPAA) safeguarding sensitive health information in the healthcare sector, and the Gramm-Leach-Bliley Act (GLBA) governing the handling of private information within financial institutions.

Enforcing data protection measures outside the confines of the U.S. presents a significant challenge. While the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR) control the export and re-export of specific products and technologies, they do not cover U.S.-originated data stored overseas. This is particularly concerning as such data often comprises sensitive personal information or proprietary trade secrets that can be used to exploit U.S. interests.

While the Clarifying Lawful Overseas Use of Data (CLOUD) Act enables U.S. authorities to access data stored abroad by specific cloud providers under U.S. jurisdiction, the collective amalgamation of existing laws and regulations highlights a fragmented landscape. This landscape presents challenges in safeguarding data, creating substantial oversight gaps, especially when data transits through third-party countries, evading direct U.S. supervision. Once data leaves the U.S., little can be done to independently ensure its protection or provide recourse to an individual or entity for its misuse.

Establishing legislation would be a logical step towards ensuring the integrity of U.S. citizen and business data transferred and stored abroad. A proposed interagency committee, akin to CFIUS or Team Telecom, could evaluate and address data protection, national security, and law enforcement concerns related to foreign storage of U.S. person data. In July, the Senate overwhelmingly passed the Outbound Investment Transparency Act, necessitating U.S. businesses to report on foreign investments in "countries of concern," particularly in sensitive sectors with national security implications. This sends a strong signal from Congress that the flow of data or capital to overseas parties can pose a risk to national and economic security.

Nonetheless, last August, President Biden signed the Executive Order on Addressing United States Investments in Certain National Security Technologies and Products in Countries of Concern, often referred to as "Reverse CFIUS." A similar executive order could be implemented regarding companies engaged in overseas cloud computing or data storage, as an alternative to the lengthier legislative process. Analogous to the Department of Homeland Security's closer scrutiny of visa issuances from countries inadequately sharing biographical information, a new interagency committee could establish protocols based on the jurisdiction and nature of data – with the authority to pursue remedies when necessary.

The inadequacy of current U.S. data protection laws in addressing the burgeoning impact of cloud computing and data centers abroad, lack of transparency for consumers regarding data storage locations and accessibility, and insufficient safeguards against unauthorized access – both by foreign entities and those engaging in economic espionage on behalf of foreign governments – leaves citizens and companies susceptible to exploitation and misuse beyond U.S. borders. The multitude of gaps in regulation underscores the pressing need for a comprehensive framework to protect U.S. data beyond the nation's borders, ensuring both the security and privacy of U.S. citizens' information on a global scale.

No comments:

Post a Comment