Apple’s announcement in mid-August that, for the first time, it would store user data in mainland China, highlights the growing complexity of preserving data privacy across multiple jurisdictions.
The move will house Chinese iCloud data on servers maintained by China’s state-owned telecommunications company, China Telecom Corporation Ltd (中国电信). The shift has two advantages for Apple, which has experienced a number of PR challenges in the Chinese market in recent years. First, storing data in-country may improve the user experience for Chinese customers accustomed to glitchiness in foreign companies’ products. For example, apps like Gmail can be slow to load and difficult to access in China, prompting some users to abandon them for competing services. Second, it addresses reported concerns on the part of the Chinese government that storing Chinese user data on foreign servers poses potential risks under Chinese State Secrets law, which prohibits broad categories of data considered pertinent to national security from being sent abroad. In the wake of Edward Snowden’s 2013 release of classified information and related revelations about the Prism Program (English), the topic of offshoring Chinese data has become especially sensitive.
The announcement has prompted concerns about Chinese user data’s vulnerability to searches by Chinese regulators and comes at a time when Apple is seeking to distinguish itself from the competition by championing user privacy. Apple recently announced that it will not be able to bypass personal passcodes on devices running iOS 8, rendering it technically incapable of assisting U.S. law enforcement with formal requests for user information. At virtually the same time, Apple announced it is recruiting a head of law enforcement in Beijing to handle user data requests from the Chinese government. The head of law enforcement will be responsible for managing the “increasing number of third-party requests for access to Apple controlled data within China.”
Apple’s decision to store iCloud data in mainland China may signal the beginning of a trend for other high tech companies in the market. While Apple’s arrangement with China Telecom appears to be motivated by business concerns – there is no requirement under Chinese law that such user data be held in China – the Chinese government appears increasingly concerned with limiting the transmission of domestic data overseas. For example, in May of this year, the Chinese government banned Microsoft’s Windows 8 operating system, which was seen by some as a move to limit data leakage out of the country. And, in a highly-regulated industry such as telecommunications, the government has substantial negotiating leverage to set the terms of market access for aspiring entrants.
In the short term, the move to keep data local may improve the user experience for the Chinese consumerand assuage Chinese government concerns about sensitive information going offshore. However, the distribution of data across multiple jurisdictions, subject to varying legal and technical standards, runs the risk of creating further security challenges for multinationals trying to maintain consistent standards across different markets. At a minimum, it will drive the need for tech-savvy counsel, familiar not only with the rapidly evolving legal landscape of big data, but also with the specific data privacy laws of each jurisdiction in which global technology companies operate. These advisors will also need to understand the extent, and limits, of government authority to access user data.