From time to time, mobile network operators (MNOs) receive orders from government authorities to restrict services on their networks. These service restriction orders (SROs) require operators to shut down or restrict access to their mobile network, a network service or an over-the-top service. Orders include blocking particular apps or content, restricting data bandwidth and degrading the quality of SMS or voice services. In some cases, operators would risk criminal sanctions or the loss of their licence if they were to disclose that they had been issued with an SRO.
SROs can have a number of serious consequences. For example, national security can be undermined if the powers are misused and public safety can be endangered if emergency services and citizens are not able to communicate with one another. Freedom of expression, freedom of assembly, freedom to conduct business and other human rights can also be impacted.
Furthermore, individuals and businesses who are not the target of the SRO may no longer be able to pay friends, suppliers or salaries. This can have a knock-on effect on credit and investment plans, ultimately damaging the country’s reputation for managing the economy and foreign investment, and discouraging donor countries from providing funds or other resources.
MNOs also suffer. Not only do they sustain financial losses due to the suspension of services, as well as damage to their reputation, but their local staff can also face pressure from authorities and possibly even retaliation from the public.
What factors and alternatives should governments consider before planning an SRO?
What tools and methods can be used to avoid the need for an SRO or to avoid negative impacts if an SRO is the only option?
The GSMA discourages the use of SROs. Governments should only resort to SROs in exceptional and pre-defined circumstances, and only if absolutely necessary and proportionate to achieve a specified and legitimate aim that is consistent with internationally recognised human rights and relevant laws.
In order to aid transparency, governments should only issue SROs to operators in writing, citing the legal basis and with a clear audit trail to the person authorising the order. They should inform citizens that the service restriction has been ordered by the government and has been approved by a judicial or other authority in accordance with administrative procedures laid down in law. They should allow operators to investigate the impacts on their networks and customers and to communicate freely with their customers about the order. If it would undermine national security to do so at the time when the service is restricted, citizens should be informed as soon as possible after the event.
Governments should seek to avoid or mitigate the potentially harmful effects of SROs by minimising the number of demands, the geographic scope, the number of potentially affected individuals and businesses, the functional scope and the duration of the restriction.
For example, rather than block an entire network or social media platform, it may be possible for the SRO to target particular content or users. In any event, the SRO should always specify an end date. Independent oversight mechanisms should be established to ensure these principles are observed.
Operators can play an important role by raising awareness among government officials of the potential impact of SROs. They can also be prepared to work swiftly and efficiently to determine the legitimacy of the SRO once it has been received. This will help establish whether it has been approved by a judicial authority, whether it is valid and binding and whether there is opportunity for appeal, working with the government to limit the scope and impact of the order. Procedures can include guidance on how local personnel are to deal with SROs and the use of standardised forms to quickly assess and escalate SROs to senior company representatives.
All decisions should first and foremost be made with the safety and security of the operators’ customers, networks and staff in mind, and with the aim of being able to restore services as quickly as possible.
The global digital economy depends on cross-border flows of data to deliver crucial social and economic benefits to individuals, businesses and governments.
When data is allowed to flow freely across national borders, it enables organisations to operate, innovate and to access solutions and support anywhere in the world. Enabling cross-border flows of data can help organisations adopt data-driven digital transformation strategies that ultimately benefit individuals and society. Policies that inhibit the free flow of data through unjustified restrictions or local data storage requirements can have an adverse impact on consumers, businesses and the economy in general. [1]
Cross-border flows of personal data are currently regulated by a number of international, regional and national instruments and laws intended to protect individuals’ privacy, the local economy or national security.
While many of these instruments and laws adopt common privacy principles, they do not create an interoperable regulatory framework that reflects the realities, challenges and potential of a globally connected world. Emerging frameworks such as the Asia-Pacific Economic Co-operation (APEC) Cross-Border Privacy Rules and the EU’s Binding Corporate Rules allow organisations to transfer personal data generally under certain conditions. These frameworks contain accountability mechanisms and are based on internationally accepted data protection principles.
However, their successful adoption is undermined by the implementation by governments of ‘data localisation’ (also known as ‘data sovereignty’) rules that impose local storage requirements or use of local technology. [2] Such localisation requirements can be found in a variety of sector- and subject-specific rules created for financial service providers, the public sector or to maintain professional confidentiality. They are sometimes imposed by countries in the belief that supervisory authorities can more easily scrutinise data that is stored locally. [3]
[1] International Chamber of Commerce, Trade in the Digital Economy, 2016; ECIPE, The Cost of Data Localisation, 2014
[2] Emory Law Journal: Anupam Chander and Uyen Le, Data Nationalism, 2015; Hague Institute for Global Justice: Jonah Force Hill, The Growth of Data Localization Post-Snowden, 2014
[3] European Commission Paper: Building a European Data Economy Communication
How can industry, legislators, regulators and civil society engage effectively to develop policy that supports cross-border flows of data?
How can data protection safeguards adequately address the legitimate concerns of governments that seek to impose localisation requirements?
Cross-border flows of data play an important role in innovation, competition and economic and social development. Governments can facilitate cross-border flows of data in a way that is consistent with consumer privacy and local laws by supporting industry best practices and frameworks for the movement of data and by working to make these frameworks interoperable.
Governments can also ensure that these frameworks have strong accountability mechanisms, and that the authorities can play a role in overseeing/monitoring their implementation. Governments should only impose measures that restrict cross-border data flows if they are absolutely necessary to achieve a legitimate public policy objective. The application of these measures should be proportionate and not arbitrary or discriminatory against foreign suppliers or services.
Mobile Network Operators welcome frameworks such as the APEC Cross-Border Privacy Rules or the EU’s Binding Corporate Rules, which allow accountable organisations to transfer data globally, provided they meet certain criteria. Such mechanisms are based on commonly recognised data privacy principles and require organisations to adopt a comprehensive approach towards data privacy.
This encourages more effective protection for individuals than formalistic administrative requirements, while helping to realise potential social and economic benefits. Such frameworks should be made interoperable across countries and regions to the greatest extent possible. This would stimulate convergence between different approaches to privacy, while promoting appropriate standards of data protection, allowing accountable companies to build scalable and consistent data privacy programmes.
Requirements for companies to use local data storage or technology create unnecessary duplication and cost for companies and there is little evidence that such policies produce tangible benefits for local economies or improved privacy protections for individuals.
To the extent that governments need to scrutinise data for official purposes, mobile network operators would encourage them to achieve this through existing lawful means and appropriate intergovernmental mechanisms that do not restrict the flow of data.
The GSMA and its members believe that cross-border data flows can be managed in ways that safeguard the personal data and privacy of individuals and remain committed to working with stakeholders to ensure that restrictions are only implemented if they are necessary to achieve a legitimate public policy objective.
National Data Privacy Regimes Should be Based on Shared, Core Principles and Provide Flexibility in Implementation
The challenge when regulating for data privacy, including cross-border flows of data, is to put in place measures that consistently provide consumers with confidence in existing and new services, without limiting service adoption or imposing significant additional costs on service providers.
To achieve this, it is crucial for privacy regulation to be based on shared core principles which, according to the United Nations Conference on Trade and Development (UNCTAD), sit “at the heart of most national [privacy] laws and international regimes” as well as industry initiatives. This would allow companies to treat data consistently across their operations, innovate more rapidly, achieve larger scale and reduce costs. Consumers will also benefit from wider choice, improved quality and lower prices of services.
The 2009 Madrid Resolution on International Standards for the Protection of Personal Data and Privacy,1 for example, encourages consistent international protection of personal data and embraces privacy approaches from all five continents. As well as being designed “to ease the international flow of personal data, essential in a globalized world”, the resolution advocates six privacy principles to be adopted by policymakers:
Similar principles are reflected repeatedly in laws and policy initiatives around the world such as the Council of Europe Convention 108, the OECD Guidelines, the EU General Data Protection Regulation, the US Federal Trade Commission’s Fair Information Practice Principles and the APEC Privacy Framework. The mobile industry has also adopted the GSMA Mobile Privacy Principles to give consumers confidence that their personal data is being properly protected, irrespective of service, device or country.
Localisation Rules Risk Undermining the Protection of Personal Data
There are several reasons countries seek to impose data localisation rules, including the belief that supervisory authorities can more easily scrutinise data that is stored locally. An additional common reason is the desire to protect individual privacy and ensure it meets the expectations and standards of that country. However, there are solutions and principles that can mitigate these risks without restricting data flows and the benefits that ensue.
Restrictions do not necessarily lead to better protection for personal data. For example, a fragmented approach results in inconsistent protection (e.g., differences across jurisdictions and sectors in what can be stored and for how long) and causes confusion impacting the secure management of personal data. Fragmentation through localisation may also create barriers that make investments in security protection prohibitively expensive. Collectively, this may undermine efforts by mobile network operators and other service providers to develop privacy-enhancing technologies and services to protect consumers.
A key concern is that cross-border flows of data are currently regulated by a patchwork of international, regional and national instruments and laws. This does not create an interoperable regulatory framework that reflects the realities of a globally connected world. As a result, there is a need for frameworks that permit cross-border flows of data to be made interoperable across countries and regions to the greatest extent possible. Interoperability creates greater legal certainty and predictability, allowing companies to build scalable and accountable data protection and privacy frameworks.
Interoperable frameworks would also help foster appropriate mechanisms to ensure data is managed in ways that safeguard the rights and interests of consumers and citizens. Frameworks that incorporate effective accountability mechanisms can help strengthen and protect important rights that help individuals and economies flourish. For example, efforts to make the APEC Cross Border Privacy Rules system and EU Binding Corporate Rules interoperable have the potential to benefit industry, digital trade and consumer interests and rights.
Flows of data across borders are important for societal and economic reasons. Without them, we frustrate not only economic growth, but also potential benefits to society of digital transformation. It is therefore incumbent on governments, regulators, industry and civil society groups to reject localisation measures and instead find ways to enable the flow of data while protecting individuals.