No matter how big or small your company currently might be, your company needs a geolocation policy that takes human rights into account if you are either: (1) gathering or storing data that personally identifies your customers; or (2) providing a platform for creating or storing user generated content.
Technology companies typically first think about geolocation when they have grown to the point where they need to locate data somewhere other than their home base for redundancy reasons or to reduce network latency. While companies usually don’t have much of a choice in deciding where to geo-locate their first servers (because the servers are located wherever the company was founded), companies should be conscious of the impact that the geolocation of data has on the privacy and freedom of expression rights of their users.
Two things need to be kept in mind above all else. The first is that locating data in a particular jurisdiction often means that the company acquires a physical presence in that jurisdiction. Local government authorities who want to access that data for whatever reason then gain the “nuclear option” of physically raiding a data center or holding one or more employees in contempt of court for failing to turn over the data being sought.
The second is that not all jurisdictions are created equally when it comes to their legal framework for protecting privacy and freedom of expression. China is the archetypal example of a country with weak protections for both privacy and freedom of expression–at least against government requests for information about the online activities of particular users. But even established democracies vary greatly in terms of the protections they afford personally identifying information or user-generated content against overly broad requests from law enforcement.
In order to protect both the human rights of their users as well as their corporate good name, companies should conduct a human rights impact assessment before geolocating data in a new jurisdiction. Such a review should begin by considering all local laws governing the disclosure of information to law enforcement and intelligence agencies in normal and emergency circumstances. If concerns are identified, the company should consider serving that market from a nearby jurisdiction that affords greater protections for human rights.
For example, it might be possible to serve China from Hong Kong, or parts of the Middle East from the eastern Mediterranean. Finally, if the only technologically feasible choice is to geolocate servers in a less than ideal jurisdiction, the company should think long and hard about what data it collects, how long it retains such data, and whether the data really needs to be retained in a way that makes it personally identifiable.
Even in a benign legal environment, it’s a good idea to reduce the amount of data your company collects and retains in order to minimize the harm that might be caused by a security breach. Building privacy and security into products by design makes it all the more easier for a company to service users far from home without compromising their rights or the company’s reputation in the process.