Information and organisation: Cross border data flows and spying

Information and organisation: Cross border data flows and spying

Phuah Eng Chye (26 October 2019)

It is difficult enough to assess the complexities of regulating surveillance in a domestic setting where the issues are confined to privacy rights, public safety and convenience. But the regulation of surveillance across borders is complex as it involves sensitivities related to national security and sovereignty and international competitiveness. There are two aspects to analyse. The first relates to regulation of data flows across borders. The second relates to regulation of surveillance (spying) on foreign citizens and countries.

The regulation on cross border data flows is at the forefront of discussions for smart city projects. Aria Bendix relates “one of the many fears circulating throughout the Toronto area is that data will be shared with other governments or entities outside Canada…Though Sidewalk Labs has promised to make all of its public data anonymous, the company has not agreed to keep its data local. Sidewalk Labs believes that data can be governed under Canadian law without exclusively residing in the country. This would allow companies – and particularly startups – outside Canada to compete in the global digital market”. Aria Bendix notes there are proposals to protect the data through “strong contracts and methods of encryption. But the nature and terms of these contracts remain unclear.  If you don’t define a boundary, you don’t know when there’s a breach”.[1]

Nancy Scola notes the issue of data residency – “where the machines that hold the data generated by Quayside will actually reside” – requires resolution, “in part, because the laws of that place will largely govern how it can be used”. She elaborated that “the information economy depends on highly networked, decentralized systems that share data across companies, devices and borders. This data sharing has lately become a political issue, in part because the United States’ handling of data has been the subject of global suspicion since the revelations of Edward Snowden. Some countries, including China, Russia and Brazil, reacted to evidence of U.S. companies’ sharing of user data with the U.S. government by demanding so-called data localization or data sovereignty – requiring that information that affects a country’s people must be physically housed inside its borders”.

However, it may not be feasible to ensure that data can be “collected, processed and stored on Canadian servers”. There are “instances where it makes sense to let the data migrate, such as if the expert best able to solve an issue with a sensor in Toronto is located in, say, New York. Or if a company providing a service riding on top of the Sidewalk-powered digital layer is housed on the other side of the world. Keeping all the data strictly in Canada…is a layer of making sure we’ve got an entire help desk, call center, or whatever it is here in Canada – and that, she says, might not be practical”[2].

Sidewalk Labs notes “Canada’s federal private-sector privacy law does not require data to be stored or processed solely within Canada. Instead, it seeks to make organizations accountable by imposing obligations to ensure that data is properly safeguarded. Similarly, the federal and provincial public-sector privacy laws that may be applicable do not dictate data residency”. In addition, “the decision on where to store data (known as data residency) is based on many considerations, including whether there is sufficient technical and physical architecture to store the data securely, the cost of storing the data abroad versus in the organization’s home country, and applicable laws”.

In this context, “Sidewalk Labs commits to using its best efforts at data localization – for storage, processing, and communication – as long as there are Canadian-based providers who offer appropriate levels of security, redundancy, and reliability. To the extent that it is deemed infeasible to store data solely in Canada, Sidewalk Labs would be transparent about such a decision…The Chief Data Officer and the board would also develop protocols on when and how data could be stored outside of Canada”.

To ensure responsible data use, Sidewalk Labs proposed the establishment of an independent government-sanctioned entity called the Urban Data Trust to manage urban data[3]. It proposed the “Urban Data Trust establish a set of Responsible Data Use[4] Guidelines…to safeguard the public good while enabling innovation, including by making de-identified or non-personal data publicly accessible by default”. This would be reinforced by urban data agreements which would be “similar to data sharing agreements or data licence agreements and include parameters that govern the collection, disclosure, storage, security, analysis, use, and destruction of urban data. Since these terms would be stipulated in the contracts, the breach of any term would be legally enforceable, with breaches actionable in court by the Urban Data Trust entity”.

These issues highlight that relative to the movement of goods and people, there are huge gaps in the global rules on cross-border data flows.  Matthias Bauer, Martina F. Ferracane and Erik van der Marel notes the “regulation of data flows represents a relatively new feature in the broader spectrum of services regulation. It concerns rules on how personal data is utilized and processed by firms in the interaction between consumers and producers, or between producers. Consumers can be exposed to the release of their personal data on numerous occasions – for example, while using credit cards for economic transactions – or during instances ranging from using social media to accessing health care services. In many cases, the consumer and producer are located in different geographical locations, which motivates the transfer of data domestically or across borders…Data flow regulations aim to regulate this flow of data between parties or across countries”.

They suggest the “policy makers’ challenge is to find the right balance between developing necessary regulations that are linked to a particular social objective (or negative externality) and implementing these regulations at minimum cost, in terms of economic welfare, so they do not create an unnecessary cost burden for firms. Yet, new rules on the regulation of cross-border consumer data for producers could also have detrimental economic effects. This is because data services regulations have a side effect of restricting transactions between domestic and foreign-using operators, which in turn limits the efficient sourcing of data processing activities…data are used by all sorts of so-called data-using industries (for example, downstream industries) as part of their input structure for production. In fact, services sectors are the main users of data. Regulatory restrictions of data can therefore inhibit the performance of sectors such as financial or business services or even new technological sectors using platforms”.

For example, Matthias Bauer, Martina F. Ferracane and Erik van der Marel notes in China, “a plethora of complex data privacy laws make compliance very difficult for companies that collect personal information. In addition, cross-border data transfer restrictions are imposed by various industry guidelines for the information services sector. These guidelines frequently serve as a regulatory baseline for law enforcement authorities to assess whether or not a business is in compliance with Chinese data privacy laws. Moreover, banks and financial institutions operating in China are prohibited from storing, processing or analysing any personal financial information outside China that has been collected in China”. However, across countries, they note “the landscape of legislative data localization requirements is highly diverse”.

The results of their study reveal the communication services sectors, data-intensive business and financial services show relatively high losses in productivity due to their high dependency on data inputs covered by data regulations. In relation to economic output, “the production of data intensive manufacturing and services sectors shrinks in all countries due to regulations on the free flow of data. Losses are notably taking place in the services sectors…less data intensive sectors are less affected by data regulations. The general patterns in the results indicate a shift in production from the services and manufacturing to the primary sector as a result of restrictions on the flow of data. Accordingly, tight regulations on the free flow of data tend to cause an economy’s production structure to shift (back) toward less innovative and relatively volatile sectors such as agriculture, raw materials and natural resources”.

Meng Jing notes unlike the European Union which regulates cross-border transfer of personal information to protect privacy, China is a proponent of cyber sovereignty which emphasises on national security or “the right to regulate the internet within their own borders”. Recent draft rules published by the Cyberspace Administration of China (CAC) aimed at “protecting personal information security, maintaining cyberspace sovereignty and national security”, all network operators including internet service providers, are required to do assess the security implications and notify cyberspace authorities before exporting personal information. These draft rules are expected to raise compliance costs for companies that need to send personal information (such as salaries, health or customer data) across borders. China also requires “information infrastructure operators to evaluate national security risk when purchasing foreign products and services” which is seen as a way of banning foreign tech suppliers on national security grounds.

The different national approaches to and attitude on privacy protection creates a quandary as it is very difficult, if not impossible, to apply national solutions to limit data flow as information is abundant and non-rivalrous. In other words, copies are easily made and it is hard to control their destination and use.

Similarly, it is difficult to contain the global spill-over effects of national laws on data. Neil M. Richards and Jonathan King notes that “even where domestic law is silent, the global nature of the information economy” means that actors will “increasingly fall within the regulatory authority of foreign data protection authorities”. For example, court judgements on privacy protection or content in one country can lead to subsequent litigation in other countries or affect global practices. “Although judgments of these sorts rarely have extraterritorial application as a matter of law, they tend to have extraterritorial application as a matter of effect”. “The point here is not whether these controversial foreign judgments are correct, but to observe that precedent changing decisions are occurring and to consider their global effect regardless of their merits as they do”.

Neil M. Richards and Jonathan King note though “competition around privacy itself can also serve as a form of soft regulation”. Some tech companies invest “in privacy research and development”. “As privacy revelations continue to gain headlines, the initial reactions and resulting competitive dynamic offer promise to organically advance privacy” with firms voluntarily providing “users more insight and control over the data”. In this regard, “regulation in the digital, networked, global society can occur from a variety of perhaps unexpected sources, and that the failure of the U.S. Congress to pass an American data protection law does not stop other regulatory entrepreneurs such as state or foreign governments or unexpected federal regulators like the FTC from stepping into the regulatory vacuum to make or influence regulatory policy. Perhaps the most unexpected and encouraging of all is the emerging industry trend of innovating, advocating and competing for privacy, not just technology”.

Once concerns on information are extended beyond privacy and commercial issues, the cross-border issues become even more murky as they have to address the regulation of surveillance (spying) on foreign citizens and countries. First, it is interesting to review how technology is disrupting the traditional intelligence industry. In a fascinating analysis, Edward Lucas notes “old staples of spycraft” (such as the dead-letter box and the use of dead babies’ birth certificates to create a cover identity) have become obsolete. He explains “a cover identity that would have been almost bulletproof only 20 years ago can now be unravelled in a few minutes” through the use of facial recognition software and AI to “cross-check such data with the slew of personal information that most people voluntarily and habitually upload online”. “The most crucial element of the technological storm engulfing intelligence agencies is the mobile phone. This device not only records your communications once hacked…it also acts as a tracking beacon”. “The more that intelligence agencies know about what normal behavior looks like, the more that anomalies and coincidences stand out…these techniques have severely constrained the ability of intelligence officers and their sources to operate safely and secretly. The cloak of anonymity is steadily shrinking”.

Edward Lucas notes “traditional spycraft has always relied on deception based on identity”. Spotting, developing, recruiting, running, and servicing intelligence sources involves concealing what you are doing. If you fail, your adversary may find out what you’re up to, endangering your source and totally undermining your efforts…use it to discover more clues or feed you false or tainted information”.

He points out “the shift toward electronic intelligence collection also creates new risks and political difficulties for all parties because it blurs the distinction between espionage work and warfare. In the world of human intelligence, the difference between the intelligence services and armed forces was in theory clear-cut. An intelligence officer’s job was always to find things out, not to make things happen…In the online world, attributing motive is far harder. An intrusion into another country’s sensitive computers and networks for the so-called innocent purpose of reconnaissance can easily be mistaken as an act of sabotage or at least preparation for it. The potential for misunderstanding intent pushes cyberespionage practitioners into unfamiliar political and legal territory. Human intelligence agencies have developed norms, which to some extent substitute for the lack of legal regulation in what can never be a law-governed space. For example, toward the end of the Cold War, both sides refrained from physical attacks on each other’s intelligence officers or their families. There are, to date, no similar arrangements in cyberspace”.

Another major change is that “the boundaries between public and private sector intelligence work are becoming increasingly blurred”. Edward Lucas notes the “intelligence profession is increasingly overlapping with the corporate world. The world of spies used to be cloistered…That has changed…a spell in a senior position in intelligence or defense…is increasingly a launchpad for an interesting career in corporate intelligence or other advisory work…Government intelligence agencies have stopped battling the commercialization of espionage; instead, they embrace it. Security clearances in the United States and United Kingdom used to lapse on retirement. Now, retired intelligence officers are, in many countries, encouraged to maintain them. Retirees may be hired as contractors, or they can make job offers to people still inside the service”.

“The rise of commercially available spying technology has led to some savings for governments in money, risk, and time. Investigative outfits…using open-source information, commercial databases, and material hacked or leaked by sympathetic allies, have produced startling scoops and exposes…Competition raises standards, in spycraft as in other fields. Intelligence agencies need to work with other actors outside the spy world, both in order to find out what is going on and in order to influence it”.

Hence, “spies today increasingly need to work with lawyers, both to counter adversaries’ reliance on lawfare – the use of the legal system to delegitimize an enemy or win a public relations victory – and to test the legality of their own operations”. In addition, “privacy and human rights laws are placing more and more constraints on intelligence agencies’ activities…Intelligence agencies…now employ lawyers and public affairs specialists to monitor data protection and other laws”. “And when the tricks of the trade – bugging, impersonation, hacking – are illegal, they can simply be outsourced to a suitably unscrupulous subcontractor.” “Given this changing landscape, spies also need to be at home in the worlds of business and finance…spy agencies will not be able to maintain the levels of operational secrecy that they have come to regard as routine if they enlist the help of lawyers, journalists, accountants, business executives, and academics. If you hire a law firm, what happens if its computers are hacked or its staff suborned? The wider you spread the zone of secrecy, the more fragile it becomes”.

Edward Lucas adds that “spies and intelligence chiefs need to be media-savvy, countering and mounting information operations. In the old days, spymasters told spies that any contact whatsoever with a journalist was a sackable offense. That dividing line is now thin and full of holes. Intelligence officers find plenty to talk about with journalists. They can discuss the credibility of open sources and the difficulties of operating in hostile environments. Intelligence officers involved in active measures -making things happen rather than just finding out about them – can find it useful to brief journalists, either highlighting solid facts and logic that help their case or on occasion inventing or twisting source material in order to produce new coverage with the requisite slant or spin”.

Public intelligence techniques are also seeping into private sector intelligence work. Edward Lucas points out that “modern life encourages people and institutions of all kinds to adopt the thinking and practices of the spy world…Anyone responsible for a company’s cybersecurity now has to think like a counterintelligence officer.” “As the cost of conducting espionage operations – in money, time, and effort – has shrunk, spying has become less esoteric. These days it is an integral part of business, finance, sports, and family litigation over divorce and child custody…date… prospective hires”.

Edward Lucas startling observation is that “the biggest impediment to successful spying today is not leaks but excessive classification…Overclassification and excessive secrecy do not protect countries from their adversaries. Such methods only protect bureaucrats from scrutiny. Intelligence agencies use the supposed need to protect sensitive sources and methods to justify their concealment of blunders or activities that deserve public scrutiny. This excessive secrecy makes spy services timid, introverted, risk-averse, and calcified by procedure. Taxpayers end up paying ever greater bills for ever less impressive results”.

He cautioned the bigger danger in the future is that “the intelligence services of democratic countries may become too flexible and too deeply involved in the institutions and procedures of a free society. The temptation to do so will be particularly strong in countries facing the full blast of hostile influence operations…Intelligence-led criminal justice sanctions and regulatory sanctions – arrests, asset freezes, deportations, banning media outlets, and so forth – that should be the exception could become the rule”.

It has become more critical to find a common approach to regulate spying as technology advances means that surveillance is increasingly intruding into the lives of ordinary citizens. Ashley Deeks notes “until recently…most scholars agree that international law either fails to regulate spying or affirmatively permits it…nothing in international law forbids states from spying on each other and that the practice of spying is widespread…act in self-defense…for a state to be able to accurately anticipate and prepare for an armed attack before it occurs, it must be lawful for that state to gather intelligence on foreign military and governmental decision-making”. But others suggest “international law today prohibits espionage…this presumably is due in large part to the fact that spying usually violates the spied-upon state’s domestic laws, which makes it more complicated to assert a right to spy.”

Ashley Deeks explains “spying has proven hard to regulate…First, the act of spying tends to implicate a state’s core national security interests. States are heavily invested in obtaining critical information about other governments while protecting their own secrets against foreign espionage[5]…Second, espionage by definition is intended to occur without detection…difficult for one state to detect [or prove] a violation of an agreement that reciprocally limits spying…Third…it is difficult for states seriously to discuss ways to limit spying on other states without revealing certain information about their own capabilities…Fourth, different states have very different surveillance capabilities…powerful countries…have strong interests in resisting excessive regulation of surveillance”.

However, due to recent developments, states now appear more willing to consider international regulation of spying. Ashley Deeks points out in the past, there was less need for international law to regulate human intelligence collection…since human intelligence collection is more costly, time-intensive, and detectable…Bulk human intelligence collection did not exist…public pressure to curtail spying previously was minimal, because spying was not seen to affect the average citizen”.

“Although states surely continue to view espionage as critical to their core interests, many believe that state surveillance has expanded beyond those central national security interests…to identify threats within the large and complex system of modern global communications…in which ordinary people share fiber-optic cables with legitimate intelligence targets…By virtue of the NSA’s techniques of accumulating large amounts of data of ordinary people…States therefore now face serious critiques that the type of information they are collecting exceeds what is necessary to protect their true security interests…This type of surveillance implicates the communications of average citizens, not just a narrow range of critical targets”.

Revelations of intelligence and military electronic surveillance is provoking “a public outcry about surveillance previously unseen in the espionage context. Sustained public pressure on governments from citizens and corporations from multiple countries provides an impetus for change on both the domestic and international fronts…States also may realize that widespread surveillance, and the suspicions engendered therefrom, may cause the Internet to fragment in ways that will disadvantage their economies…Not only are the reasons not to regulate becoming less persuasive, however; the reasons affirmatively to regulate foreign surveillance have strengthened”.

In particular, Ashley Deeks notes “Snowden’s revelations also have affected U.S. companies that provide cloud computing services…These companies fear the perception that they enabled NSA spying, and are suffering a significant loss of business overseas from customers who suspect that they will be easier targets for U.S. surveillance if they use U.S. products. U.S. companies also are concerned that it will become more difficult for them to move their own business data from foreign affiliates to their home offices if foreign states begin to regulate more aggressively the movement of data overseas or mandate that domestic companies and affiliates use domestic products”. Some companies responded by calling for reform of government surveillance by imposing restrictions or making it more transparent. Countries such as Brazil, China, Germany and France have either ceased using or are vetting more strictly the use of American technology and services. The public outcry has thus triggered recognition of the need to engage the public and other countries on accepted and unacceptable behavior in cyberspace and to “establish norms that strike a new balance between privacy and national security”.

In seeking to establish new international norms and laws, one major challenge is to reconcile the differences between the regulation of domestic and international surveillance. At the moment, domestic privacy laws curb “improper surveillance of the citizenry (based, for example, on political views or associations)” to prevent “those currently holding power to suppress the opposition and unlawfully remain in power”. But “states arguably need greater flexibility to collect communications intelligence overseas because they have fewer alternative tools to use there than they do domestically (where states can rely on police investigations, warrants, national security letters, and so on)”. The disparity in treatment between citizens and foreigners “undergirds much of the international outcry about foreign surveillance…the justifications for disregarding foreigners’ privacy entirely are difficult to uphold, and many existing domestic laws provide some protections to foreigners’ communications, albeit in unpredictable ways”.

Hence, Ashley Deeks notes “there is a new focus on and understanding of the contents of states’ domestic surveillance laws, and the way in which those laws regulate foreign surveillance. Concerns about whether one state will comply with arrangements it makes with other states to limit spying will diminish if and as states adopt domestic laws and policies that overtly regulate foreign surveillance. There is good reason to expect that states will comply with their domestic laws. If the laws of those states are in line with the (likely less specific) international norms that develop, it is reasonable to expect those states to act consistent with both bodies of law. Compliance with international norms becomes more likely”.

Relatedly, “states will be faced with new decisions by human rights courts and treaty bodies that seek to extend the right to privacy extraterritorially[6]”. These bodies might “conclude that mass surveillance, as distinct from targeted surveillance”, violates certain aspects of international law “because it is arbitrary, unless a state can show probable cause or a threat of imminent harm. Some of these decisions will bind the defendant states and force them to alter their domestic laws. Others will simply be hortatory. But history illustrates that even hortatory statements by these bodies ultimately impact the way states view their international and domestic obligations”.

Ashley Deeks notes another substantive area being discussed is the imposition of “use limits is intelligence about foreign companies to share with domestic companies, to provide the latter with economic advantages”. But this was a relatively fine line to draw as the “United Kingdom and United States conduct espionage against economic targets to enforce sanctions regimes and detect bribery that may disadvantage their domestic industries” while “states such as China and France will be unreceptive to an approach that prohibits economic espionage to advantage domestic industry, because both states conduct extensive economic espionage to aid such industries and see limited distinctions between economic and military security”.

Ashley Deeks suggest “norms formed to limit the subjects of electronic surveillance should focus on the uses to which governments may put available data (whether held by themselves or by telecoms and ISPs), rather than attempt to limit the collection of data ex ante…Three principles may be interwoven with the development of a norm on collection or use limitations: (1) the idea that collecting metadata is less intrusive than collecting the contents of those communications; (2) the idea that bulk collection of data is less privacy-intrusive than the targeting of individual communications; and (3) the sense that targeted surveillance by State A that captures the communications of foreign ordinary citizens warrants greater oversight (or more stringent restrictions) than A’s surveillance of State B’s government officials and activities”.

There are various challenges to shaping global norms on technological surveillance of foreign nationals. “Full public accountability over surveillance operations poses a challenge, because one must have access to classified information in order to assess the full scope of the government’s performance”. While there are ways for states to “limit the collection and use of surveillance data to a fixed list of objectives[7]”, the objectives may be framed so broadly so “as to be virtually limitless”. In addition, Ashley Deeks notes the difficultly of imposing restraints “when those communications take place partly or entirely outside the surveilling state’s territory, using electronic means, including cyber-monitoring, telecommunications monitoring, satellites, or drones”.

For example, privacy advocates have called for the imposition of strict limits on the use of satellite imagery. In this regard, Christopher Beam notes greater erosion of privacy is likely as “every year, commercially available satellite images are becoming sharper and taken more frequently. In 2008, there were 150 Earth observation satellites in orbit; by now there are 768”. Satellite imagery is useful for creating live maps, detecting illegal activities, keeping tabs on crops and tracking movements. But where satellite imagery was previously reserved for military and intelligence use, these tools have become increasingly accessible to a wide range of users such as businesses, investors, terrorists and criminals. He notes “satellite and analytics companies say they’re careful to anonymize their data, scrubbing it of identifying characteristics. But even if satellites aren’t recognizing faces, those images combined with other data streams – GPS, security cameras, social-media posts – could pose a threat to privacy”.

However, Christopher Beam explains that “the Outer Space Treaty, signed in 1967 by the US, the Soviet Union, and dozens of UN member states, gives all states free access to space, and subsequent agreements on remote sensing have enshrined the principle of open skies.” Hence governments have little jurisdiction over satellites launched by other countries and the sale of imagery, “but it can regulate how American customers use foreign imagery. If US companies are profiting from it in a way that violates the privacy of US citizens, the government could step in”.

He concludes that “protecting ourselves will mean rethinking privacy itself. Current privacy laws…focus on threats to the rights of individuals. But those protections are anachronistic in the face of AI, geospatial technologies, and mobile technologies, which not only use group data, they run on group data as gas in the tank…Regulating these technologies will mean conceiving of privacy as applying not just to individuals, but to groups as well. You can be entirely ethical about personally identifiable information and still kill people…Until we can all agree on data privacy norms…it will be hard to create lasting rules around satellite imagery…It’s not like anything’s riding on it except the future of human freedom.”[8]

Overall, Samantha Hoffman highlights the broader concerns when “tech-enhanced authoritarianism is expanding globally…it often relies on technologies that provide useful services…notably those associated with smart cities, such as internet of things (IoT) devices…Whoever has the opportunity to access the data a product generates and collects can derive value from the data. How the data is processed, and then used, depends on the intent of the actor processing it. The Chinese party-state intends to use bulk data collection to support its efforts to shape, manage and control its global operating environment, and to generate cooperative and coercive tools of control”. In this context, she warns of the threat posed by the Chinese Communist Party (CCP) in

“leveraging state-owned enterprises (SOEs), Chinese technology companies and partnerships with foreign partners – including Western universities – the CCP is building a massive and global data-collection ecosystem. The creation of that ecosystem gives the party control over large data flows. And, when the data is combined with artificial intelligence (AI) processing, the result can help build tools that can be used to shape, manage and control, including propaganda tools and the social credit system”.

Hence, getting a consensus on a global governance framework is a major challenge. Simone McCarthy notes China is proposing a framework for “cyber governance in which states have sovereign right to maintain strict controls on internet and technology infrastructure for social stability. Under such a system, states have the right to censor, collect data, and restrict online access within their borders”. In contrast, “a group of 27 nations, including the United States, Japan, South Korea and a host of European countries…for a free, open cyberspace that upholds democracy and human rights. This was broadly seen by observers as a rebuke of the Chinese and Russian models of internet regulation, which restrict online activities and monitor the tech sector in the name of social stability”. “But a closed or open internet is not the only battleground for the duelling ideologies…There are differences in how countries view tangible national security concerns such as cyber warfare”.

In this context, it will be possible (though inefficient) to decouple technology through adopting different standards and erecting firewalls to reduce connectivity between different geographical areas. But it is not evident how it would be possible to decouple information (covering data, algorithms and ideas) as these are virtual rather than physical. These issues are part of the growing clash between China’s state surveillance model and the Western model.


Aria Bendix (21 October 2018) “There’s a battle brewing over Google’s $1 billion high-tech neighborhood, and it could have major privacy implications for cities”. Business Insider.

Ashley Deeks (1 September 2014) “An international legal framework for surveillance”. Virginia Journal of International Law (2015); Virginia Public Law and Legal Theory Research Paper Series (2014).

Christopher Beam (26 June 2019) “Soon, satellites will be able to watch you everywhere all the time. Can privacy survive?” MIT Technology Review.

Edward Lucas (27 April 2019) “The spycraft revolution”. Foreign Policy.

Matthias Bauer, Martina F. Ferracane, Erik van der Marel (May 2016) “Tracing the economic impact of regulations on the free flow of data and data localization”. Centre for International Governance Innovation and Chatham House. Global Commission on Internet Governance.

Meng Jing (13 June 2019) “China cybersecurity rule on exporting of personal information seen raising compliance costs for firms”. SCMP.

Nancy Scola (July/August 2018) “Google Is building a city of the future in Toronto. Would anyone want to live there?” Politico.

Neil M. Richards, Jonathan King (19 October 2014) “Big data and the future for privacy”. Handbook of Research on Digital Transformations (Elgar 2016). or

Samantha Hoffman (19 October 2019) “Engineering global consent: The Chinese Communist Party’s data-driven power expansion”. Australian Strategic Policy Institute (ASPI)’s International Cyber Policy Centre. Policy brief Report No. 21/2019.

Samuel Petrequin (4 October 2019) “EU court: Facebook can be forced to remove content worldwide”.

Sidewalk Labs (17 June 2019) “Sidewalk Lab’s proposal: Master innovation and development plan”.

Sidewalk Labs (17 June 2019) “Sidewalk Lab’s proposal: Master innovation and development plan”. Volume 2 Chapter 5 “Digital Innovation”.

Simone McCarthy (30 September 2019) “Could China’s strict cyber controls gain international acceptance?”. SCMP.

[1] Quote attributed to Saadia Muzaffar, who resigned from the project’s Digital Strategy Advisory Panel to protest the lack of transparency. See Aria Bendix.

[2] Quote attributed to Kristina Verner. See Nancy Scola.

[3] According to Sidewalk Labs definition, urban data is broader than the definition of personal information and include personal, non-personal, aggregate, or de-identified data collected and used in physical or community spaces where meaningful consent prior to collection and use is hard, if not impossible, to obtain. Non-personal data is data that does not identify an individual or isn’t about people e.g. aggregated data sets, weather, temperature or machine data.

[4] A publicly auditable Responsible Data Use (RDU) Assessment or an in-depth review would be triggered by a proposal to collect or use urban data. The assessment would be based on RDU Guidelines that incorporate globally recognized Privacy by Design principles to be followed by all entities seeking to collect or use urban data. Privacy by Design outlines principles to be implemented from the beginning of a data activity to embed privacy protections into the design, operation, and management of a product, project, operation, or service.

[5] Information relating to hostile activities, terrorism, military capabilities, violations of sanctions regimes and foreign leaders’ intentions.

[6] The extraterritorial effects are evident in the recent European Court of Justice ruling “that individual member countries can force Facebook to remove what they regard as unlawful material from the social network all over the world”. Facebook charged the decision “undermines the longstanding principle that one country does not have the right to impose its laws on speech on another country.” See Samuel Petrequin.

[7] Objectives include information to detect and counter espionage and various threats (terrorist, cyber, military and criminal).

[8] See Christopher Beam. Arguments attributed to Nathaniel Raymond.