Posting without Hosting: Implications of Russia’s Recent Removal of LinkedIn

If you had hoped to check out your career prospects on LinkedIn from Russia this past week, you might have been puzzled by the site’s failure to load. LinkedIn has been blocked following the Court of Appeal’s (for Moscow’s Taginsky District) recent decision that LinkedIn violates a Russian data protection law, Federal Law No. 242-FZ (“No. 242”), on two counts: not storing data about Russians on servers located in Russian territory; and processing information about individuals who are not registered on the LinkedIn website and who have not signed the company’s user agreement. Following the court’s decision, Roskomndazor, Russia’s telecommunication and media authority, formally announced its intent to enforce the court’s ruling by blocking access to the website.

Roskomondazor’s decision to block LinkedIn is considered the first application of No. 242 since it officially went into effect in September 2015. The law represents the latest step taken by Russia to further isolate access to user data from foreign interference.[1] Such efforts seem counterintuitive in this day and age where cross border Internet traffic continues to exponentially grow. The McKinsey Global Institute estimates that “global online traffic across borders grew 18-fold between 2005 and 2012,” with forecasts of an additional eightfold increase by 2025. SpaceX recently applied to the Federal Communications Commission (“FCC”) for the right to launch a global Internet service, powered by satellites placed in Earth’s orbit. The company’s effort follows additional initiatives undertaken by Boeing, Samsung, and Facebook.

However, Russia is not the only nation that has taken proactive steps toward curtailing the transmission of certain information outside its country. To date, countries including Australia, China, India, and South Korea, and organizations like the European Union, have enacted similar data localization laws. Most of these efforts primarily derive from Edward Snowden’s disclosure of the wide-scale surveillance undertaken by the United States National Security Agency (“NSA”).

Following the wake of the scandal, a number of countries enacted “protective” measures, citing the possibility of foreign surveillance as a reason for preventing data from crossing their borders. Although these laws are designed to enhance the privacy and security of personal information against unwarranted intruders, they usually end up having the opposite result.

As Anupam Chander and Uyen Le note in their article on data nationalism, there are two primary reasons why these measures weaken the privacy and security of a nation’s personal data.[2] First, any requirement that calls for localized data servers reduces a country’s ability to distribute information across multiple servers in different locations.[3] The resulting consolidation of user data into a single server creates a “jackpot” of information, making it easier for criminals to access large amounts of data at once.[4] Second, nations may increase the likelihood of a substantial data breach by designating data security responsibilities exclusively to local providers.[5] This concern has been raised by a number of information technology associations from Europe, Japan, and the United States, who argue “security is a function of how a product is made, used, and maintained, not by whom or where it is made.”[6] This line of reasoning was also advanced in an Australian court of law, wherein Microsoft asserted, “[the Australian government’s] focus on storing electronic health records within Australia’s borders ‘could have a detrimental effect’ on security.” In spite of Microsoft’s argument, the Australian court ultimately decided to uphold the legislation.

As such, Russia’s decision to prevent LinkedIn from operating in its country serves as a signal of the current tension underlying the data nationalism movement. On the one hand, Russia claims that it is acting in the best interest of its citizens by preventing large multi-national corporations from improperly storing and using the personal data of its citizens. However, one could contend that Russia’s decision to localize the data undermines its protection efforts. Moreover, a number of Internet experts believe that data localization ultimately serves to suppress free speech because the concentration of data actually facilitates new and more efficient forms of surveillance that allow for greater government interference.

Governments have the responsibility to improve national security in the face of unwarranted foreign intrusions. What determines an appropriate protective measure ultimately rests on a sliding scale that the general public has to carefully monitor. There are a number of corrective tools readily available to governments, including: contracts requiring companies to observe strict privacy protocols, audits of foreign suppliers, reviewing the local laws of the foreign suppliers for their privacy protections, and reputational sanctions.[7] However, any measure that serves to further fragment and isolate a country from the Internet should be evaluated with a critical eye.

 

[1] Prior to the enactment of No. 242, Russia had Federal Law No. 97-FZ, which requires individuals and legal entities that are information organizers on the Internet to store all data for at lease six months in Russian territory.

[2] Anupam Chander & Uyen Le, Data Nationalism, 64 Emory L.J. 677, 719 (2015).

[3] Id.

[4] Id.

[5] Id.

[6] JEITA, http://www.jeita.or.jp/english/topics/2012/0622/release_2012_en.pdf (last visited Nov. 29, 2016).

[7] Anupam Chander & Uyen Le, Data Nationalism, 64 Emory L.J. 677, 739 (2015).

Comments are closed.