Server Location, Jurisdiction, and Server Location Requirements (Guest Blog Post)
by guest blogger Marketa Trimble
At the recent “Law, Borders, and Speech” conference at Stanford, several participants debated the relevance of server location in determining jurisdiction. Some Silicon Valley attorneys at the conference argued that the location of a server should not be just one of the factors in a jurisdictional inquiry, but that it should be the determinative factor for jurisdiction. Support for this position is consistent with the recent Microsoft (Data Stored in Ireland) decision in which the U.S. Court of Appeals for the Second Circuit, in dicta, suggested that the location of a server containing data should determine jurisdiction over that data (for commentaries on the decision see, for example, here and here). Does it make sense for internet companies (ISPs, content providers, etc.) to take this position?
The position that the location of a server should be determinative in a jurisdictional inquiry makes sense in the context of the companies’ fight against data location requirements – the rules through which countries mandate that companies locate their servers (and data) in the countries’ territory if the companies want to do business there. The USTR has criticized these data location requirements and has included “data localization [sic] requirements” among the “Key Barriers to Digital Trade.” [I favor the phrase “data location” over “data localization” for reasons I explain at the end of this post.]
Data location requirements have also been discussed in the ongoing negotiations of the Trade in Services Agreement (TISA): the May 2015 version of the Agreement’s draft Annex on Electronic Commerce included a provision that would prohibit countries from requiring a service supplier to locate servers in their territory “as a condition for supplying a service or investing in [the countries’] territory” (Article 9(1)). The October 2015 version of the draft was more nuanced, recognizing that some countries may have “a legitimate public policy objective” for which they may mandate that data be located within their territory (Article 9(3)).
The interaction between mandated server location and jurisdiction based on server location can play out in the following four scenarios. For purposes of the following brief analysis of the four scenarios, the term “jurisdiction” refers to both prescriptive jurisdiction (jurisdiction to prescribe laws and regulations) and adjudicatory jurisdiction (jurisdiction to adjudicate disputes), and refers to jurisdiction over internet companies – ISPs, content providers, etc. The analysis assumes that in each scenario, all countries would adopt the same rules for that particular scenario.
In Scenario 1, countries impose no data location requirements, but jurisdiction is based on the location of the server. This seems to be the scenario that internet companies currently promote. Using the location of a server to determine jurisdiction is not as common as sometimes alleged; although the Second Circuit Court did suggest in Microsoft (Data Stored in Ireland) that jurisdiction should depend on server location, courts do not usually find jurisdiction over actors not domiciled within a court’s jurisdiction based on server location alone. In the United States, for example, courts have found jurisdiction based on the location of servers when the servers were where a tort occurred (e.g., misappropriation of trade secrets). In other cases, however, courts take server location into account as one of several factors in the jurisdictional analysis, but do not determine jurisdiction solely based on server location.
Scenario 1 is useful for internet companies; they can freely decide where to locate their servers because there is no data location requirement; at the same time, locating their servers in a territory enables them to choose the jurisdiction that governs their activity. (Of course, the decision would not be completely “free,” as many factors influence the best location for servers, but the decision is free in the sense that server location is not mandated.) The scenario allows internet companies to shop for the most advantageous jurisdiction and benefit from the legal certainty of being subject to their jurisdiction of choice.
Whether this scenario is the best scenario for governments and users is questionable. Governments might lose the ability to extend jurisdiction in many instances when they might have legitimate policy reasons to have that ability; users are at the mercy of internet companies regarding the jurisdiction to which the users’ data is subject. Additionally, the scenario seems problematic from a technological perspective because it might be difficult to confine data to a single server or a group of servers in a single jurisdiction. (See also, for example, here and here.)
In Scenario 2, countries impose data location requirements, but jurisdiction is not based on the location of the server. Scenario 2 exists currently, for example, for regulated online gambling; jurisdictions (countries, states, etc.) that regulate online gambling typically require that data be located in their territory (see, for example, Nevada here). However, jurisdictions do not base their jurisdiction on the location of servers; rather, they exercise their jurisdiction based on where online gambling companies are doing business. For governments, the location of servers is not important for reasons of jurisdiction; rather, servers are the last resort for enforcement against companies that might have no assets or few assets located in the jurisdictions’ territory (“physically absent operators”). Access to a “switch” and/or the possibility to seize servers provides governments some enforcement power – even if the power is illusory to a certain degree, given the redundancy of data on the internet.
The importance of server location for enforcement rather than jurisdiction may be illustrated in the case of gambling regulation by Alderney: the island of Alderney is unsuitable as a server location, which is why Alderney allows online gambling operators to locate their servers in other jurisdictions – but for physically absent operators the server location may be only in jurisdictions from which Alderney can receive assistance with enforcement, if necessary (see here and here).
Scenario 2 is not appealing from the point of view of internet companies; they cannot choose where to locate their servers, nor do they have choice of jurisdiction. In this scenario, companies cannot benefit fully from the internet cloud model, nor will they receive the benefit of being subject to a single jurisdiction of their choosing. If jurisdiction is not based on server location, internet companies may be exposed to jurisdiction based on various other factors; for example, governments and courts may find grounds for jurisdiction over companies based on doing business or committing torts in the countries.
In Scenario 3, countries do not impose data location requirements, and jurisdiction is not based on the location of the server. Scenario 3 carries the same significant disadvantage for internet companies as Scenario 2 with regard to jurisdiction; companies cannot select which jurisdiction they will be subject to. It is true that without data location requirements, companies can choose where they locate data and therefore may fully utilize the cloud model; although their choice is subject to practical constraints, it is untainted by jurisdictional concerns because server location does not determine jurisdiction. But, as in Scenario 2, in Scenario 3 companies are not permitted to select a jurisdiction, and therefore are uncertain about which jurisdiction’s laws and adjudication they will be subject to. As suggested above, governments will find ways to extend their jurisdiction over operators on grounds other than a company’s server locations; for instance, in the “right to be forgotten” decisions, courts and agencies in the European Union countries found grounds for jurisdiction over ISPs without basing their jurisdiction on the location of ISP servers. As opposed to the case in Scenario 2, in Scenario 3 a government might face difficulties with enforcement against physically absent operators.
In Scenario 4, countries impose data location requirements, and jurisdiction is based on the location of the server. Scenario 4 is the ideal situation for governments; they dictate that servers be located in their territory and also base their jurisdiction on the location of the servers. Not only can governments promote their own policies by imposing their laws and decisions on the operators, but the servers, being within the governments’ physical reach, are a last resort for enforcement against physically absent operators. For companies, Scenario 4 is highly unappealing; while it provides certainty for companies regarding the jurisdiction to which they will be subject, under this scenario it is impossible for companies to fully utilize the advantages of the cloud. Although the scenario does result in legal certainty for companies, it deprives them of the opportunity for jurisdiction shopping.
As the above review of the four scenarios suggests, it is not surprising that companies would promote Scenario 1 through lobbying for the elimination of data location requirements and simultaneously making legal arguments in favor of server location as the determinative factor for jurisdiction. The question is whether Scenario 1 is the best for society as a whole, and a single scenario might not be ideal in all circumstances. As the previous paragraphs indicate, which scenario should apply and when cannot be answered by looking at the two components separately.
Coordinating the approaches for the two components is also complicated by the fact that the discussions of the approaches do not take place in the same fora; judiciaries seek to clarify rules for jurisdiction on the internet, while executives are exploring possibilities for eliminating or limiting data location requirements through international treaties. Thus far, attempts to align internationally the jurisdictional rules in civil and commercial matters have generally failed (see here).
Companies’ arguments against data location requirements are reinforced by the fact that the same requirements are used by repressive regimes that aim to restrict free speech. The elimination of the requirements is therefore presented as a solution that would both advance efficiency and combat governmental censorship. Nevertheless, the elimination of the requirements together with jurisdiction based solely on the location of the server might not be the best solution for society as a whole. As I explained elsewhere (see here), Scenario 3 (with no server location mandated and jurisdiction not based solely on server location) might make the most sense if the scenario is combined with a strengthened means of enforcement cooperation that provides sufficient safeguards for internationally-recognized fundamental rights and freedoms.
Note about Nomenclature
When countries mandate that data be located in their territory, it is correct to say that they create “data location requirements,” but not that they create “data localization requirements.”
To “localize” means “to adapt oneself … in order to conform to local circumstances or surroundings,” “to make local in character,” or “to associate with a particular place or location” in the sense of “to find or determine the location of.” (Oxford University Press. http://www.oed.com/view/Entry/109560?redirectedFrom=localize& (accessed November 28, 2016)). For example, content providers may localize advertising, meaning that the content providers will display ads on a webpage based on an internet user’s location. In conflict of laws, “localization” refers to the process of “the determination of the locality of … elements” (Josef Unger, The Place of Classification in Private International Law, 19 Bell Yard: J.L. Soc’y Sch. L. 3 (1937)). In this context, a “localization requirement” may indeed exist; for example, Article 4 of the proposed EU Cross-Border Portability Regulation mandates a particular localization of “[t]he provision of an online content service to, as well as the access to and the use of this service by, a subscriber” when it states that the acts “shall be deemed to occur solely in the Member State of residence” (see Article 4 on page 17 here).
To “locate” means “to establish, site, or place in a particular location” (Oxford University Press. http://www.oed.com/view/Entry/109569?isAdvanced=false&result=2&rskey=ESU48d& (accessed November 28, 2016)).