China and Russia recently piled on new tech regulations. For China, that includes new data security and personal information laws, and for Russia, a requirement that foreign tech firms open an office in-country. U.S. businesses and foreign law enforcement agencies are at loggerheads over one increasingly important thing: data, or more specifically access to data.
It’s well-known that U.S. companies gather data on Americans, but they also collect enormous volumes of data on people around the world: data about citizens of foreign countries, about interactions between those citizens, and, most critically, about the alleged criminal activities of those foreign citizens. Foreign law enforcement agencies need access to that data to do their jobs, and governments the world over, including in Beijing and Moscow, are inventing ingenious ways of ensuring that access. That includes requiring companies to have employees and offices in-country—which make for very convenient bargaining chips.
In the good old days, law enforcement had an easier job accessing the data they needed to investigate and prosecute crimes. As the vast majority of their citizens had very little if any interaction with companies located abroad, they needed only to utilize domestic mechanisms. Think local phone companies, business records stored on the premises, court or county records, or even witnesses—all were generally located in the same country. So, the country’s lawmakers could empower their law enforcement agencies as they saw fit. Cases entangled with a multinational were rare, and the imperfect system of mutual legal assistance treaties, police-to-police cooperation, and letters rogatory (from one country’s judge to another) functioned because of the low number of data requests.
The past decade’s data explosion has upended this landscape, and the number of requests across jurisdictions has exploded, with the vast majority directed at the United States. American firms have tons of data on foreign citizens—from the likes of Facebook, Amazon, Google, and Microsoft to payment providers, messaging apps, and many other companies. Many people around the world also use these services, including for criminal (or “criminal”) activity. To boot, Amazon, Google, Microsoft, and others operate physical internet infrastructure, such as globally distributed cloud networks, that hold data. And because of the U.S.’ nexus in the global internet network, up to 70 percent of all global internet data traffic passes through one small city in Virginia. The United States has become a de facto decider of which country’s data requests are legitimate and which deserve the very meager resources allocated to fill law enforcement requests for data. Some data requests reflect legitimate ones made by U.S. allies, such as with investigations into local robberies or murders, or the distribution of child sexual abuse material. Unsurprisingly, however, many requests take an authoritarian view of “illegal” activity—the state moving against journalists, dissidents, citizens. If they run afoul of U.S. law, they aren’t fulfilled.
Authoritarian countries, especially China and Russia, want this data from U.S. firms. Wielding new data localization and other legal authorities, they are bringing these requests to U.S. companies’ doorsteps—because even if the data is overseas, employees and offices may be well within reach.
Chinese and Russian law enforcement agencies will directly approach U.S. companies to ask for this information on their citizens; intelligence and security services may also harass or intimidate employees on the ground in local offices, pointing to data access laws and demanding they hand it over. Sometimes, the threat is made quietly or implicitly. Other times, failure to comply is met with outright force: When Google and Apple refused to delete an opposition app in September 2021, the Kremlin threatened staff on the ground in Russia and sent armed, masked thugs to sit around Google’s Moscow office. Particularly as U.S. tensions continue to heighten with China and Russia, there is little indication this pressure will fade.
To be clear, U.S. businesses are not just dealing with these issues in China and Russia. Many countries, including U.S. allies and partners, legitimately need access to information around criminals, terrorists, and spies in their borders. This need has catalyzed everything from renegotiations of the U.S.-EU Privacy Shield framework to Washington’s executive CLOUD Act agreement with the U.K., which permits a British judge to decide, under certain circumstances, whether U.K. law enforcement meets the burden of proof to request data from a U.S. firm. A key driver of data localization proposals in India, to give another example, is the horribly slow and inefficient process for Indian law enforcement to file data requests to the U.S. government.
The risks are pronounced in authoritarian regimes, however, for at least two main reasons: Companies are now forced to decide which requests are legitimate and which are aimed at repression. Should they reject a request, those countries may turn around and threaten employees, haul executives to jail, or otherwise jeopardize the physical safety of in-country offices and employees. Even in India, a crucial U.S. partner, the state raided a Twitter office in March 2021 (though no employees were there) when the company wouldn’t comply with demands.
Washington is feeling enormous pressure from allies and partners to make data much more accessible. For the administration, the key lies in continuing to negotiate cross-border data flow and data access requirements—including where that pressure is driving data localization, like in India. The U.S. can also work with individual countries to speed up and standardize the process for requesting data from American firms.
Companies operating in authoritarian regimes are staring down far more difficult decisions. For those businesses that touch priority issues for Beijing and Moscow—like online speech, elections, and dissent—keeping offices and employees in those jurisdictions is very likely going to enable those regimes to coerce compliance. Broadly, U.S. companies need to learn to navigate multiple legal jurisdictions at the same time, where this navigation will require them to synchronize their international behavior with unique data regimes. In the meantime, it’s employees and offices on the ground that form the front lines of this fight—and authoritarian regimes have them in their crosshairs.