Rethinking Data, Geography, and Jurisdiction

Towards a Common Framework for Harmonizing Global Data Flow Controls
Policy Paper
Feb. 22, 2018

The Internet, and the global free flow of data that it has enabled, has undercut long-standing legal, normative, and procedural arrangements governing the control of information. Across the globe, governments and multinational companies alike are discovering that the prevailing geography-centric approach to data and jurisdiction is simply incompatible with the world of globalized digital communications. They are finding that prior methods of controlling information—such as those used to protect privacy, enforce intellectual property rights, and provide law enforcement access to information for criminal cases—are increasingly being challenged by the hard reality that data today recognizes no national borders.

Through an analysis of the most notable legal, policy, and diplomatic challenges emerging out of the globalization of data—and the various responses to those challenges—this paper makes the case that the international community ought to reject geography-based data control frameworks. Instead, it argues, nations should adopt jurisdictional and operational frameworks that are geography-agnostic and premised on data flow “control points,” the levers of control over a particular information system. The paper offers a control point framework for digital policymaking, which the authors derive from control point analysis and the contextual integrity model, two analytic methodologies designed to allow for technical policy discussions in computer engineering and digital privacy law, respectively. Finally, it proffers some recommendations for how the international community might harmonize various national approaches to digital law and policy in a way that is consistent with a control point approach.