In July Apple announced it was setting up a new data centre in China in response to a new law on cybersecurity, which was passed in 2016 and came into force in June. The law requires companies to store Chinese citizens’ user data on servers housed on Chinese soil. It also demands that collection and movement of data emanating from Chinese citizens be monitored. The data centre, which will be powered entirely by renewable energy, is to be built in the province of Guizhou, which is noted for producing a grain alcohol beverage called Baijiu. The centre will form part of Apple’s wider investment in the area, totalling $1 billion. As the new regulations require that the data centres be managed by a Chinese company, it will be operated by Guizhou Cloud Big Data – a firm which was co-founded by the local Guizhou government in partnership with Apple for the purpose of processing high volumes of data. The Guizhou government is aiming to transform the poor mountain region into a bastion of data storage in order to attract middle class people to the area.
Apart from its desire to comply with new regulations, Apple’s decision is also motivated by an ambition to increase the speed of iCloud – Apple’s Cloud Computing service – for users in China. It will be iCloud data that is stored in the new centre. This is a first in the sense that Apple has never before teamed up with a local operator to manage its Cloud service. However, Apple is not the first tech giant to opt for local storage for its Chinese data. In this context Apple could even be called a laggard, suggests Thomas Fischer, Global Security Advocate at Digital Guardian, a firm specialising in data protection.
“Google, Microsoft and Amazon have all for a long time now been building data centres to host user information locally. With the new law on cybersecurity in China, Apple, having put off the decision for quite a while, has been forced into line. We shouldn’t forget that China accounts for 20% of Apple’s market, so they can’t afford not to supply local services. It’s about complying with the regulations in force, but it’s also about strict cost management and infrastructure distribution,” Fischer explains.
Laws on data location mushrooming all over the world
China is indeed a strategically important market for Apple. Earlier this year, the digital equipment giant announced its intention to set up two R&D centres in the Middle Kingdom. Last year, Apple invested a billion dollars in Didi Chuxing, a Chinese startup that enables users to book a taxi or a private car-share. Nevertheless, the company has faced some setbacks, including the closure last year of its iBooks Store and iTunes Movies services by the Chinese authorities, just six months after they were set up there. The decision can therefore be seen as an attempt to ensure good relations with the local regulators. Nor is Apple the only US company that has now reacted to the new cybersecurity law: last year Airbnb also announced that it was relocating Chinese users’ data to a local site in response to the new regulations.In addition to mandating local hosting of data, the new Chinese cybersecurity law contains other provisions including an obligation on electronic messaging service users to use their real identities, stricter controls on cutting-edge technologies deployed in China, plus a requirement to assist government officials carrying out security-related enquiries. The rules on local hosting of data also apply to Chinese companies.
China is only adopting measures that are already in place in a number of other countries.
While it might be tempting to see such measures as a desire on the part of the Chinese government to step up its surveillance of citizens and restrict the freedom of the Web, the Beijing authorities are far from being the only ones to create this kind of legal arsenal. “China is only adopting measures that are already in place in a number of other countries,” points out Thomas Fischer, underlining: “Local hosting of data is nothing new. In the European Union, Germany is the champion of these policies, especially as regards user data. The law restricts in particular the transfer of personal data outside national territory without the consent of the people concerned. A number of companies, including Apple, Google and Amazon, have had to build data centres in Germany in order to comply with German legislation and alleviate users’ concerns. Other EU member states, including France, have also passed legislation mandating local data storage.”
Similar legal provisions have been adopted outside the EU. Says Thomas Fischer: “Argentina, Canada, Israel, Switzerland and New Zealand have all drawn up similar regulations to those that you find in the European Union. Russia also has a rather restrictive legal framework as regards data storage location. Last but not least, most of the Middle East states, such as Dubai, the United Arab Emirates and Qatar, have had similar laws in place for a long time, the official reason being to protect their citizens.”
Meanwhile Microsoft last year won a legal victory (confirmed following a counter-appeal early this year) after appealing against the issuance of a search warrant authorising seizure of non-US users’ data stored outside the United States, a decision applauded by other tech giants that joined Microsoft in the appeal. The Appeal Court ruled that the US Department of Justice was not competent to seize data hosted on servers outside the country, even though they were operated by a US company. This ruling illustrates just how fundamental is the whole question of where data is stored. If the regulators had originally required Microsoft to store its user data in the United States, the firm would almost certainly have been forced to hand it over on request to the Department of Justice.
Mandating local data storage is thus one way for governments to exercise some degree of control over companies, which would very much prefer to be free to act as they see fit on such issues. Firms can also use data protection laws in force in certain countries to deflect pressure from other countries’ authorities. By announcing its plans to open new data centres for its Azure Cloud computing service platform in Germany, Microsoft has made it clear that, pursuant to German regulation, information stored on the servers there cannot be transferred to any government agency outside Germany, which includes the United States. “All the data stays in Germany,” stresses Rainer Strassner, who manages the Microsoft Cloud programme in Germany.
privacy protection laws are dangerously out of date" Alex Abdo, attorney.
Thus both governments and companies are now claiming that they are working towards greater data security and privacy for their users. In this new world some people are pushing for regulations that provide greater protection to Internet users. "This is a major decision, and the case is a reminder that US online privacy protection laws are dangerously out of date,” Alex Abdo, an attorney who works for the American Civil Liberties Union, was quoted as saying by the New York Times following Microsoft’s victory over the US Federal Justice Department.