Local Hosting and the Draft “Trade in Services Agreement” (Guest Blog Post)

by Guest Blogger Marketa Trimble

Photo credit: Clouds World Map // ShutterStock

The leaked draft of the Trade in Services Agreement (“TiSA”) – the agreement that is being negotiated by a number of countries, including the United States – has attracted intense criticism: Glyn Moody on ArsTechnica UK called TiSA “the more evil sibling of TTIP and TPP,” and John Nichols in The Nation charged that TiSA is “using trade as a smokescreen to limit citizen rights.” Evgeny Morozov and the EFF have pointed to the heavy influence of industry in the negotiations and warned that the negotiations do not take into account the interests of all stakeholders. The EFF criticized TiSA repeatedly, for example for the secrecy of its negotiations, for the limits that it would place on countries’ “enacting free and open source software mandates,” and also for the “prohibition of local hosting mandates” that would compromise data privacy.

It is difficult to draw any conclusions about the content of an international treaty when the conclusions are based on particular language in a treaty proposal in the early stages of treaty negotiations; language tends to evolve throughout any treaty negotiations. It is even more difficult to draw conclusions based on an unofficial and dated leaked draft. We may assume, however, that the leaked TiSA draft does reveal some core themes that the negotiating parties are considering. One theme, which the EFF’s commentary calls the “prohibition of local hosting mandates,” appears in multiple places in the leaked draft; it is a prohibition against a country imposing an obligation on service providers to locate their servers (or have their data otherwise hosted) in that country as a condition for the providers to be permitted to do business in that country.

In the “age of the cloud,” it seems anachronistic to require that servers be located in any particular jurisdiction. Certainly, the “heavenly” imagery that the industry attempts to evoke by employing the “cloud” metaphor seems to suggest that data may now reside completely outside the reach of any jurisdiction. This is clearly not the case; physical infrastructure, including servers, and the “cloud-like” services that run on them, are located in a physical place, in some jurisdiction. And it is the nature of the network that the programs and data that are saved on the servers tend to be mirrored in multiple locations; as the EFF’s Jeremy Malcolm notes, “strong, end-to-end encryption and distributed, decentralized solutions provide a better defence” for data than the locating of servers in a single jurisdiction. Because data can be mirrored in multiple locations and in more than one jurisdiction, a jurisdiction that requires that data be hosted in its jurisdiction will probably not be able to effectively disable access to the data, even when the jurisdiction needs to disable that access.

The desire of a jurisdiction to be able to “turn off the switch” in order to enforce its laws is the motivation that drives countries to require local hosting. The concern is not so much about jurisdiction, because countries typically find a way to extend their jurisdiction over companies that conduct business in their country. The concern is that “TiSA will insulate companies from national laws outside of their home country” (Thomas O’Toole, TiSA: Is it the Future of E-Commerce Law?, BNA Tech. Telecom and Internet Blog, June 5, 2015) because even if it has jurisdiction over a company, a country might not be capable of enforcing its agencies’ and courts’ decisions against the company if the company has no assets and no servers in the country. The law could assist in solving this problem – at least partially – by facilitating improvements in countries’ cooperation in the recognition and enforcement of judgments. So far though, countries have not agreed – though they have tried – to negotiate a treaty that would achieve such improvements. Additionally, it is unclear whether and how countries could achieve the enforcement of administrative decisions against absent service providers; administrative decisions are the types of decisions for which foreign countries will typically not lend enforcement assistance. Studying the manner in which small jurisdictions with connectivity and other infrastructure issues have dealt with enforcement problems might be helpful. Regarding cross-border enforcement, the leaked TiSA draft seems to be putting the cart before the horse; but of course, sometimes the horse will start running if you push the cart in front of it.

Some companies have already objected to court orders directing them to provide data that reside on servers abroad, and have argued that privacy laws applicable in the jurisdictions where the servers were located prohibit the disclosure of the data to foreign jurisdictions. Leaving aside for now questions of whether the law of the country of the requesting court actually required that the companies provide the data, whether the law of the country where the server was located actually prohibited the data from being divulged to foreign authorities, and whether a request for the data under the Hague Convention on the Taking of Evidence Abroad would have been more appropriate, the question for industry in the context of TiSA should be whether, by arguing that the law of the place of the server governs requests for data, companies promote the notion that they should be free to choose the jurisdiction in which they locate their servers.

[For helping her keep track of TiSA developments the author thanks Andrew Martineau of the Wiener-Rogers Law Library at the William S. Boyd School of Law of the University of Nevada, Las Vegas.]

UPDATE: The CJEU press release from yesterday reports on the opinion by AG Yves Bot in C-362/14, which concerns “the powers of the national supervisory authorities” in the European Union to “take measures necessary to safeguard the fundamental rights protected” in the European Union with regard to data that are being transferred to servers located in the United States.