Apple revealed on Aug. 15 that it had decided to add China Telecom to its list of data center providers to “increase bandwidth and improve performance for our customers in mainland China.” The company stressed that all of the data would be encrypted, and that China Telecom would not have access to the content.
The move is at odds with the positions of other major technology companies, including Google Inc., which has taken the stance that it will not use Chinese servers to store its user data because of security and censorship concerns. But attorneys say Apple's decision makes sense from a business standpoint in light of the growing skepticism within China over the company's ability to adequately protect consumer data from misuse by internal and external sources.
“Apple had to do something to prevent loss or restricted access to the huge China market,” McCarter & English LLP partner Richard Green said. “What they've decided to do, to store organic China-based data in its country of origin, was a pretty easy and natural fix to choose because it not only goes a long way toward solving the issues it was having with the Chinese government but is likely to make for a genuinely improved user experience for China-based consumers.”
Scrutiny by China and other countries over the security of user data stored with U.S.-based service providers such as Apple has grown significantly since June 2013, when Edward Snowden began releasing a cache of classified government documents that revealed the scope of the National Security Agency's surveillance efforts and the extent of service providers' role.
With each new revelation stoking privacy and security concerns abroad, attorneys say it is only a matter time before other service providers that were swept up by the Snowden leaks follow Apple's lead and begin to store data locally, not only in China but also in other locales where users reside.
“Apple's move sends a message that this is what companies believe they need to do to compete in the difficult foreign market, and fuels the perception that this is what's to be expected,” Hunton & Williams LLP partner Paul Tiao said. "We’re likely to see more localization of data in the future."
While the idea of storing user data in a country such as China that has a less-than-stellar reputation for respecting its citizens' privacy is still concerning, the Snowden leaks have allowed the notion to become less controversial, attorneys say.
“The reality, post-NSA scandal, is that you'd be hard-pressed to make a threshold distinction between the risk of storing organic China-data in China versus the United States,” Green said. “The actions that the government may take against you are likely worse in China, but threshold differences between China and the United States when it comes to privacy from government intrusion of stored data have been very greatly reduced.”
The shift in sentiment and growing pressure on service providers to address the concerns raised by the Snowden leaks have made it necessary for companies like Apple to reassess their position on storing data locally, according to experts.
“As HP, Cisco and other tech and cloud vendors have reported in recent months, enterprises in China are giving increasing thought to where data is physically being processed and stored,” said Gerry Grealish, the chief marketing officer of cloud computing security company Perspecsys Inc. “This, of course, is not just isolated to China, but rather is a growing sentiment among any cloud provider who has foreign-located data centers.”
In Apple's case, the Chinese government and local users have been wary of not only Apple's relationship with U.S. intelligence agencies — which was stoked by a Snowden document released last June that indicated that Apple and other major service providers have voluntarily participated in the NSA's PRISM Internet surveillance program — but also by Apple's internal data-tracking practices.
The Chinese state media last month declared Apple's iPhone a threat to national security due to the smartphone's ability to track and time-stamp users' locations and reveal information about them. Apple immediately struck back at the allegations, saying it doesn't track iPhone users' locations.
“China is certainly concerned about the security of the data that is being stored in the cloud, so having it done outside of China and outside of where they would have both physical access and legal control of it is something that is a concern to the Chinese government,” Bentley University law professor Steve Weisman said. “And it's not just China; other countries have been putting that pressure to store data locally on companies as well.”
Brazil took one of the most aggressive steps to force companies' hands shortly after the Snowden revelations. Lawmakers tacked a provision onto proposed Internet regulation legislation that would have required multinational service providers such as Apple and Google to store locally the data they collect from Brazilians.
But after intense backlash from companies such as Google, the parliament reported in March that its members had reached an agreement to drop the provision from the bill, which was signed into law without the data localization requirement in April.
“Like in almost any other contractual dealing or business arrangement, it's about who has more bargaining power,” Weisman said. “China does, and Brazil does not.”
The main concerns raised by opponents of storing local user data in countries like China is that the data becomes subject to that country's privacy laws and that the move may make it easier for the active hacking community within the country to intercept the data.
And attorneys question the benefit of trying to shift data away from the prying eyes of intelligence agencies such as the NSA in this way, given the unresolved nature of the U.S. government's ability to access data stored overseas.
"Data localization is one method for trying to prevent the access that the U.S. government is perceived to have to user data, but it's uncertain whether that will be successful,” Tiao said. “The ability of the U.S. government to access data overseas comes down to fact-specific jurisdictional questions in an area of law that is complicated and unsettled.”
The most notable example of this uncertainty is the fight brewing in the Second Circuit over the government's bid to execute a search warrant that would allow it to access user data stored by Microsoft Corp. in a data center located in Ireland.
While the data at issue in the Microsoft case is believed to be tied to a U.S. citizen, the recent holding by U.S. District Judge Loretta Preska that the government's ability to access to data hinges on a service provider's control over rather than the physical location of the information could have widespread implications for service providers hoping to counter spying concerns by storing data outside the U.S., attorneys say.
“Companies are going to continue to store data locally as a business matter due to the Snowden disclosures and the market perceptions that have developed as a result, and they are likely to pursue legal arguments to support their business strategy,” Tiao said. “But until we get a ruling from the Second Circuit and possibly other circuits, we don't really know where the law is going to land.”
--Editing by Kat Laskowski and Richard McVay.