Recently, while browsing, I ran into a ‘Balkanization’ issue due to the EU GDPR (General Data Protection Regulation).
I was browsing from Zurich (I wasn’t actually in Zurich) to a US Company (sporting goods) web site.
The US site simply blocked the session with a message saying they couldn’t allow access to the US Site due to GDPR. I’ve since discovered multiple US Companies doing this. They’re taking the easy way out – they think – because ‘blocking internet Access from EU soil’ to a Web Site ‘belonging to a US Company, with the Web Server located on US soil’ does not cut it to comply with GDPR.
If, say, the ‘web user’ is an EU Citizen/Resident on holiday in the US and ‘transacts’ with the “Company on US soil site”, that site ‘will need to know that the user is EU Resident/Citizen’ and has to comply with GDPR – i.e. not capture or store PII (Personally Identifiable Information) for that User except as allowed by GDPR, and then storage must be “on EU Soil” and so on. This has little to do with where the Browser physically is or where the Server physically is; it’s to do with “Who the Browser User is” and “Who the Company is” and “Where that Company manages and stores data for that User” – it’s about the Legal Domicile of the transacting parties, complying with legislation relevant to each – in the case of GDPR, complying (internationally) with the stringent Data Privacy Provisions of GDPR for EU Residents/Citizens.
Californian Law which became effective early in 2020 imposes requirements similar to GDPR. Other US States are churning in confusion as to which way to go. It’s going to end up in a quagmire, as US Tax on e-commerce has.
China of course blocked things off long ago – Chinese Users’ traffic ‘stays inside China’ (unless they have certain very specific technical expertise and want to risk jail time). Apple, Google, et al have complied to “operate within the boundaries of China”.
Russia has passed legislation. Russia can “at the pull of a switch” – well they think so – “keep Russian Traffic inside Russia”.
South Africa’s POPI Legislation finally started taking effect in ~2017, about 3-4 years after originally being defined.
This ‘splintering’ (Balkanization) of the Internet is being forced by multiple and very different pressures – China by authoritarian ‘supposed censorship’ measures; Russia by ‘national security’ measures; EU and the State of California by ‘privacy measures’; Facebook and Google and Apple et al by ‘plain economic activity legal compliance’ measures.
A few months back the EU Court killed the “arrangement” between the EU and US, primarily Google, Facebook, Microsoft, Apple, et al, which ‘bypassed’ GDPR and allowed storage of and access to data of EU Parties on US Soil and vice versa.
The result now is that Companies are scrambling to work out how to comply – and the easy way is for Web Sites to simply refuse to interact based on the Geo IP ‘location’ of the End Point transmitting traffic to a Server (as happened for me). I (the Human) was not “on EU Soil”; I was not an EU Resident/Citizen. I was a US person located physically in the US. The issue all round is that web sites have little ability to actually truly determine who the Human interacting with the Web Site is – or any true ability to determine the truth of that Person’s Identity and Domicile so as to be able to comply with Laws relating to PII Data.
I expect this quagmire is quickly going to expand.
The necessary consequences are that the Apples, Googles, Facebooks, et al of the world have to start ‘dividing up their stuff’ and “actually know” within which domicile a user is, if they store something about/for that User. They had to do it for China. They will do it for the European Union.
Global e-commerce is going to be impacted as Banks and Credit Card Companies start denying transactions. I’ve already had this experience some years ago with Ireland. Trying to purchase a Microsoft Office Product to be installed to a Server in Ireland, the use of a US Card (issued by the Largest Commercial Bank in the US) was denied with a message saying the Purchase needed to be concluded with a “Card issued in Ireland by an Irish Bank”.
EU Resident ‘stuff’ – emails, Facebook postings, etc. will need to be stored on EU Soil; Californians’ on US Soil, etc.
Beyond this, Russian Law about “internet isolation” within the confines of Russia became effective in late 2019 – not yet in operation but able to be applied in short order to ISPs and Network Carriers.
Entities within South Africa have started asking questions about the possible need for an isolated South African Internet – I believe this is entirely inappropriate and unnecessary. I’m not aware that any of the effects described above, or pressures, are yet specifically occurring due to POPI and SA Gov actions, though I expect pressure will ramp up.
The “Central Hub” position which the US held as the “transit point” for internet traffic between the East and the West for the first 30 years of the life of the Public Internet is fast fading.
The new Data Traffic Transit Point between East and West – as it was for European to Far East Maritime Trade Routes from the 1400s until the present – is coming to be South Africa — US ‘direct’ to the Far East via Cape Town; EU ‘direct’ to the Far East via Cape Town, with multiple very high capacity Optical Undersea Cables being taken into full operation by 2022. Google and Facebook are the most recent, installing their own undersea Optical Cables between Europe and Cape Town, then Cape Town to the Far East.
There are two other high capacity Optical Fiber cabling initiatives to go live in 2021, connecting the West to the East via Cape Town – one via Brazil.
Where previously the US was carrying a majority of Internet Traffic between Europe and the Far East, the South Africa ‘routes’ will be taking its place.
Where previously the International Tier 1 Network Carriers were US Companies controlling traffic on their Fiber Routes around the world, it’s Google and Facebook and Tata and EU based Carriers supplanting them, carrying the International Traffic on their own fiber circuits, bypassing US control.
These Undersea Optical Fiber initiatives via Cape Town ‘give network effect’ now to BRICS – Brazil, Russia, India, China, South Africa – the ‘emerging’ economic bloc, each with significant influence on regional affairs.
So where is this all going?
It is certainly Splintering the Internet into “Many Geopolitical Intranets”.
The result will be that a Company “which wants a presence on the Internet” will very likely “need to have an actual physical presence” within each of the “Balkanized Intranets” within which it wants to do business. This “physical presence” will need to be Two Fold – an actual “Registered Company Entity” and an “IT/Server/Services Presence”, both physically/legally within each “Balkanized Internet Geo-Political Domain” within which it wants to do business.
If a German Resident is on Holiday in California and wants to do Internet Business with Company X, that person’s “Internet interactions” will need to be Routed to EU Soil and handled, managed, stored etc, on EU Soil by the EU Registered Company X Entity.
The “Rise of Edge Computing” – pulling a lot of ‘server processing’ out of remote cloud data centers and executing ‘very close’ to the End User at CDN (Content Delivery Network) POPs – will facilitate this. The CDNs thus are no longer primarily for caching and delivering static content – they’ve been expanding ‘local data processing capability’ for some time; they are fast becoming significant “Edge Processing Hubs”.