DOCSLIB.ORG

Making the Cut? | SPECIAL REPORT | Sept

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

DATA PRIVACY & SECURITY SPECIAL REPORT SEPT. 24, 2020 After EU judges struck down the Privacy Shield data-transfer agreement, what’s next for US tech Making giants, thousands of other companies and regulatory the Cut? regimes around the world? INSIGHT | COMMENTARY | ANALYSIS Editor’s Letter Lewis Crofts MLex Editor-in-Chief We have arranged it in three thematic sections to reflect the multiple moving parts of the topic: 1) the EU court’s decision and immediate effects on Facebook and other companies; 2) the scramble by the US and EU to work out what to do about replacing the binned agreement and making SCCs more robust; and headache. A bombshell. A seismic shift. 3) the concerns and responses by other affected However dramatic you might like your countries around the world — including the UK, A metaphors, there is little doubt that EU Japan and Australia. judges delivered an extraordinarily significant We trust you enjoy reading this report and ruling on July 16. In striking down Privacy Shield, find it a useful guide to a complex, evolving issue. the EU-US data-transfer framework, they instantly The reporting here is a brief example of the threw into doubt the operations of more than insight and predictive analysis that MLex brings 5,000 US companies that relied on it. subscribers to our data privacy and security The ruling — essentially based on the failure service every day. of the mechanism to protect EU citizens’ data The stories included were all published from US government snooping — doesn’t as events unfolded, bringing our subscribers prevent companies transferring data between unrivalled insight into the significance of the EU and other foreign countries under developments and the likely next steps in an issue “standard contractual clauses.” But these can’t that will affect the operations of many thousands protect data in countries, including the US, that of businesses around the world. don’t have protections for citizens’ rights and Data privacy and security represent a new privacy as tough as those in the EU. That drives major front in regulation, enforcement and a cart and horses through the procedures of compliance worldwide. MLex has been at the thousands more US and European companies, forefront of providing forensic and predictive notably Facebook and other tech giants. insight, commentary and analysis on this This special report is a collection of key emerging area of regulatory risk for years. stories published by MLex in recent weeks To find out more about our range of areas making sense of this muddle, highlighting the of interest and subscriber services — and to ask areas of greatest regulatory risk for businesses for a trial — see the contact details on the back and looking ahead, where possible, to spot page of this report or visit our website directly at emerging fixes. mlexmarketinsight.com. n MLex is an investigative news agency solely dedicated to uncovering regulatory risk and uniquely positioned to provide exclusive, real-time market insights, news and analysis. We monitor the activity of governments, agencies and courts to identify and predict the impact of legislative proposals, regulatory decisions and legal rulings. MLex’s unique reporting by our journalists across 14 international bureaux. Antitrust • Data Privacy & Security • Financial Crime • M&A • Sector Regulation • State Aid • Trade MAKING THE CUT? | SPECIAL REPORT | SEPT. 24, 2020 2 << RETURN TO CONTENTS << Contributors Mike Swift Sachiko Sakamaki Laurel Henning Chief Global Digital Risk Correspondent Senior Correspondent, Tokyo Senior Correspondent, Sydney Formerly chief Internet reporter for the San Sachiko covers antitrust, anti-bribery & Laurel is a senior correspondent covering Jose Mercury News and SiliconValley.com, corruption, and privacy & cyber security. data privacy and security, antitrust Mike has covered Google, Facebook, Apple She has an undergraduate degree from and mergers and acquisitions across and other major Silicon Valley companies Waseda University in Tokyo and a Australia and New Zealand. Prior to that, closely as he followed trends in search, the master’s degree in communications from Laurel spent a year spearheading MLex’s mobile web and online social networks. He United States International (now Alliant activist investment coverage, looking helps coordinate MLex coverage of privacy International) University in California. She at boardroom disputes and shareholder and data security worldwide. A former John previously worked as a journalist for Time campaigns agitating for changes to S. Knight Fellow at Stanford University, he is magazine, the Far Eastern Economic Review, company strategy. Laurel joined MLex a graduate of Colby College. He is an award- Bloomberg News, and the Washington Post in 2013 and reported for five years on winning journalist with expertise ranging in Japan. European energy and climate policies from from the business of professional sports to Brussels. In that time, Laurel covered the computer-assisted reporting. regulation of emissions and technological Dave Perera developments pertaining to the energy Data Security & Privacy Reporter sector within the EU. A graduate of the Matthew Newman University of Liverpool, Laurel studied Dave joined the Washington DC office Chief Correspondent, Europe English and French before beginning a as our new technology reporter as we career in journalism with MLex. Matthew writes about mergers, antitrust built out that part of our coverage. He is a and cartel investigations as well as digital veteran cybersecurity reporter for Politico risk. Matthew began covering competition and a former editor for FierceMarkets Jakub Krupa at the Luxembourg courts in 2004 and publications. Dave studied Spanish and then moved to Brussels. After working as a Italian literature at the University of Digital Risk Correspondent spokesman for the European Commission Colorado, and has a Master’s degree Jakub joined MLex’s London team in until April 2012, he spent several months from the Columbia University School of August 2020 to handle data privacy in Washington, DC writing about mergers International and Public Affairs. and security. Based in the UK since for MLex. He spent a year studying French, 2012, he previously worked as the UK history and communications in Grenoble, correspondent for the Polish Press France and is a graduate of Boston Joanna Sopinska Agency, leading the coverage on Brexit, University with degrees in history and Trade Correspondent UK politics and relations with the EU. journalism. His stories also featured in other leading Joanna covers trade in Brussels. Formerly outlets, including The Guardian and the trade editor of EU Trade Insights, she Evening Standard. He is also a regular Vesela Gladicheva has many years’ experience reporting commentator on Poles in the UK. on trade, investment policy and foreign Senior Technology, Media affairs. Before that, she spent nine years and Telecom Correspondent at Europolitics news agency writing on Vesela reports on topics including telecom trade, agriculture policy and foreign affairs. regulation, privacy, cybersecurity and Before moving to Brussels in 2006, Joanna copyright, focusing on EU regulatory worked as an analyst at the Polish Institute and legal risk in the telecoms, media and of International Relations (PISM) in Warsaw. technology (TMT) sectors. She holds a She holds a postgraduate diploma in the Master’s degree in journalism from City European public affairs from Maastricht University London, and works in English, University in the Netherlands and an MA in Spanish, French and Bulgarian. international relations from University of Lódź in Poland. MAKING THE CUT? | SPECIAL REPORT | SEPT. 24, 2020 3 << RETURN TO CONTENTS << Introduction Mike Swift Chief Digital Risk Correspondent A data crisis erupted in July, when EU judges annulled the EU-US Privacy Shield and raised doubts about cross-border transfer mechanisms used by the likes of Facebook and other big Internet platforms. What happens next? ax Schrems just won’t go away. For the second time in five years, the legal basis M for much of the world’s data transfers has been thrown into question as a consequence of the Austrian privacy advocate’s relentless efforts; after EU judges’ invalidation in 2015 of the EU-US Safe Harbor trans-Atlantic data transfer framework in what became known as the “Schrems I” decision, this July came “Schrems II” that annulled that machanism’s successor, Privacy Shield. As EU and US officials this autumn negotiate a response to the EU Court of Justice’s latest decision, which also dented the viability of “standard contractual clauses,” or SCCs, as an international data transfer mechanism, their hope is to avoid experiencing déjà vu all over again, as baseball player Yogi Berra once put it in a trademark malapropism. “I don’t want to speak about a ‘Schrems III’ decision after another five years,” EU justice commissioner Didier Reynders said ruefully Double trouble: Austrian privacy during a recent video conference organized by campaigner Max Schrems. the Brookings Institution in Washington. “Please Photo: Manfred Werner not a Schrems III! So we need to find solutions.” Goodwill and rueful joking aside, crafting a trans-Atlantic data transfer system that will defeat or avoid a third challenge by Schrems won’t be easy. It certainly won’t be as MAKING THE CUT? | SPECIAL REPORT | SEPT. 24, 2020 4 << RETURN TO CONTENTS << straightforward as negotiations following the EU Court nation to permanently harmonize its local privacy laws of Justice’s Schrems I decision five years ago. That’s in with Europe’s General Data Protection Regulation. part because of the timing of the US national elections That goal has in recent years been on the minds this fall, the likely need for US legislation to create of lawmakers and regulators in Japan, Canada, New a more durable solution this time around, and the Zealand, South Korea and Brazil — countries that potential handover of power in the White House and have passed or are in the process of updating national Congress. privacy laws to be more in harmony with GDPR, with an The stakes are particularly high for US Internet eye to gaining an adequacy ruling with the EU.
Recommended publications
  • Data Localization the Unintended Consequences of Privacy Litigation

    Data Localization the Unintended Consequences of Privacy Litigation

    American University Law Review Volume 67 | Issue 3 Article 6 2018 Data Localization The ninU tended Consequences Of Privacy Litigation H Jacqueline Brehmer American University Washington College of Law Follow this and additional works at: http://digitalcommons.wcl.american.edu/aulr Part of the Computer Law Commons, and the Privacy Law Commons Recommended Citation Brehmer, H Jacqueline (2018) "Data Localization The ninU tended Consequences Of Privacy Litigation," American University Law Review: Vol. 67 : Iss. 3 , Article 6. Available at: http://digitalcommons.wcl.american.edu/aulr/vol67/iss3/6 This Comment is brought to you for free and open access by the Washington College of Law Journals & Law Reviews at Digital Commons @ American University Washington College of Law. It has been accepted for inclusion in American University Law Review by an authorized editor of Digital Commons @ American University Washington College of Law. For more information, please contact [email protected]. Data Localization The ninU tended Consequences Of Privacy Litigation Keywords cybersecurity threats, data localization, data privacy, Electronic Communications Privacy Act, Microsoft Ireland This comment is available in American University Law Review: http://digitalcommons.wcl.american.edu/aulr/vol67/iss3/6 NOTE DATA LOCALIZATION: THE UNINTENDED CONSEQUENCES OF PRIVACY LITIGATION H JACQUELINE BREHMER* This Note addresses a key unintended consequence of recent data privacy litigation before the European Court of Justice and the U.S. Supreme Court. Two cases—Data Protection Commissioner v. Schrems and United States v. Microsoft Corp.—contravene the principles upon which the internet was founded by removing legal and scalable mechanisms for cross-border data transfers. While these cases do not directly create data localization regimes, they highlight the irreconcilably different approaches to data privacy held by the United States and the European Union and eliminate valid options for transfer such that localization is the only remaining scalable solution.
  • Summary of U.S. Foreign Intelligence Surveillance Law, Practice, Remedies, and Oversight

    Summary of U.S. Foreign Intelligence Surveillance Law, Practice, Remedies, and Oversight

    ___________________________ SUMMARY OF U.S. FOREIGN INTELLIGENCE SURVEILLANCE LAW, PRACTICE, REMEDIES, AND OVERSIGHT ASHLEY GORSKI AMERICAN CIVIL LIBERTIES UNION FOUNDATION AUGUST 30, 2018 _________________________________ TABLE OF CONTENTS QUALIFICATIONS AS AN EXPERT ............................................................................................. iii INTRODUCTION ......................................................................................................................... 1 I. U.S. Surveillance Law and Practice ................................................................................... 2 A. Legal Framework ......................................................................................................... 3 1. Presidential Power to Conduct Foreign Intelligence Surveillance ....................... 3 2. The Expansion of U.S. Government Surveillance .................................................. 4 B. The Foreign Intelligence Surveillance Act of 1978 ..................................................... 5 1. Traditional FISA: Individual Orders ..................................................................... 6 2. Bulk Searches Under Traditional FISA ................................................................. 7 C. Section 702 of the Foreign Intelligence Surveillance Act ........................................... 8 D. How The U.S. Government Uses Section 702 in Practice ......................................... 12 1. Data Collection: PRISM and Upstream Surveillance ........................................
  • CJEU Gives Green Light for Facebook Lawsuit in Vienna

    CJEU Gives Green Light for Facebook Lawsuit in Vienna

    This is version 2 of this first statement. Get the latest version of this update here. 25.1.2018 CJEU gives Green Light for Facebook Lawsuit in Vienna The Court of Justice of the European Union (CJEU) confirms that Max Schrems can litigate in Vienna against Facebook for violation of EU privacy rules. Facebook’s attempt to block the privacy lawsuit was not successful. However, today the CJEU gave a very narrowly definition of the notion of a “consumer” which deprives many consumer from consumer protection and also makes an Austrian-style “class action” impossible. Max Schrems: „For three years Facebook has been fighting nail and toe against the Courts jurisdiction in Austria and lost. Now, we can finally go ahead with the case. Facebook will now have to explain to a neutral Court whether its business model is in line with stringent European privacy laws. This is a huge blow for them. Unfortunately the Court of Justice has not taken up the golden opportunity to finally establish collective redress options in Europe, but kicked the ball back to the legislator.“ Short Summary: In the “Facebook-Lawsuit” (C-498/16, FBclaim.com) the CJEU has decided on national jurisdiction in consumer matters. Vienna Courts have jurisdiction to hear Schrems v. Facebook Case “Model Case” on Facebook’s misuse of personal data is admissible in Vienna, according to CJEU. For the first time a broad review of Facebook’s compliance with EU data protection laws will be possible (e.g. illegal privacy policies, online tracking, sharing of data with US authorities and alike).
  • Canadian Cross-Border Data: Your Data May Be Heading South Even When You Are Not

    Canadian Cross-Border Data: Your Data May Be Heading South Even When You Are Not

    Canada Institute | May 2019 Canadian Cross-Border Data: Your Data May Be Heading South Even When You Are Not By Jacqueline Orr Canadian data: what goes where? Canada is fast becoming a technology powerhouse with cities across the country such as Waterloo, Calgary, Toronto, Montreal, and Edmonton transforming into tech hubs. They promise that their research centers and internet companies are going to light the way for Canada’s innovation economy. But the state of Canada’s internet is increasingly becoming an oxymoron. While Canada’s internet economy might be self-sustaining, the Canadian internet itself is not. Issues of territoriality are fluid and unbound. This is because Canada’s network infrastructure relies on American networks to transfer and store data. But, when Canadian data enters the United States, it becomes foreign data and is not protected by the same privacy rights as those accorded to U.S. domestic data and its owners. CIRA, the Canadian Internet Registration Authority, states that three-quarters of the Canadian population spends three to four hours a day online.1 CIRA also reports 64 percent of Canadians are concerned about the security of their personal information when it is routed through the United States. Are these concerns justified? This Canada Institute briefing explores key questions about cross-border data travel to better understand the risks and opportunities facing Canadians in an increasingly inter-connected world. There is a glossary at the end of the document. Is it legal for the U.S. government to collect data from Canadians? Yes. U.S. government agencies may collect any foreign data that crosses into U.S.
  • A/74/130 General Assembly

    A/74/130 General Assembly

    United Nations A/74/130 General Assembly Distr.: General 30 July 2019 Original: English Seventy-fourth session Item 109 of the provisional agenda* Countering the use of information and communications technologies for criminal purposes Countering the use of information and communications technologies for criminal purposes Report of the Secretary-General Summary The present report has been prepared pursuant to General Assembly resolution 73/187, entitled “Countering the use of information and communications technologies for criminal purposes”. In that resolution, the General Assembly requested the Secretary-General to seek the views of Member States on the challenges that they faced in countering the use of information and communications technologies for criminal purposes and to present a report based on those views for consideration by the General Assembly at its seventy-fourth session. The report contains information on the views of Member States submitted pursuant to the aforementioned resolution. __________________ * A/74/150. V.19-08182 (E) 190819 200819 *1908182* A/74/130 Contents Page I. Introduction ................................................................... 4 II. Replies received from Governments ............................................... 4 Argentina ..................................................................... 4 Armenia ...................................................................... 6 Australia ..................................................................... 8 Austria ......................................................................
  • Mr. Bruno Gencarelli Head of Unit for International Data Flows and Protection European Commission JUST-C4@Ec.Europa.Eu

    Mr. Bruno Gencarelli Head of Unit for International Data Flows and Protection European Commission [email protected]

    Mr. Bruno Gencarelli Head of Unit for International Data Flows and Protection European Commission [email protected] 26 July 2019 Re: Access Now Responds to Privacy Shield Review Questionnaire - Third review Dear Mr. Gencarelli, Thank you for your invitation to provide information and observations on the European Commission’s third annual review of the EU-U.S. Privacy Shield arrangement, the mechanism to facilitate the transfer and processing of the personal data of individuals from the European Union to and within the United States. Access Now is an international organisation that defends and extends the digital rights of users at risk around the world.1 By combining innovative policy, user engagement, and direct technical support, we fight for open and secure communications for all. Access Now maintains a presence in 13 locations around the world, including in the policy centers of Washington, DC and Brussels.2 Access Now regularly analyzes data transfer arrangements under EU law, including the Safe Harbor arrangement that was invalidated by the Court of Justice of the European Union in 2015, and the Privacy Shield which replaced it.3 Users benefit from a free, open, and secure internet that is enabled by legal certainty for stakeholders to operate. Robust data transfer frameworks which ensure a high level of data protection in the free flow of data are key to deliver these benefits for all actors. The Privacy Shield continues to be inadequate to protect fundamental rights. Since negotiations began in 2016, Access Now has provided detailed analysis and recommendations to the EU Commission on how to improve the Privacy Shield.
  • Trends in Privacy and Data Security

    Trends in Privacy and Data Security

    TRENDS IN PRIVACY AND DATA SECURITY JEFFREY D. NEUBURGER PARTNER PROSKAUER ROSE LLP Jeff is co-head of the firm’s Technology, Media & Telecommunications Group, head of the firm’s Blockchain Group, and a member of the firm’s Privacy & Cybersecurity Group. His practice focuses on technology, media, and intellectual property-related transactions, counseling, and dispute resolution. 24 April/May 2019 | Practical Law © 2019 Thomson Reuters. All rights reserved. As large-scale data breaches and other cyber incidents continue to pose significant threats worldwide, privacy and cybersecurity remain top priorities for regulators and companies alike. To minimize risks and reduce potential liability, companies and their counsel should stay updated on privacy and data security-related enforcement activity, notable litigation, new regulations, and key emerging issues. the-lightwriter /iStock photo © 2019 Thomson Reuters. All rights reserved. The Journal | Litigation | April/May 2019 25 ompanies must keep up with the dynamic legal Children’s privacy practices. The FTC approved obligations governing privacy and data security, modifications to the Entertainment Software Rating Board’s understand how these obligations apply in practice, (ESRB’s) COPPA safe harbor program. The ESRB is a self- improve their cyber intelligence, and manage their regulatory organization for the video game industry. Ccompliance to minimize risks. This article reviews important Mobile device security. The FTC issued a report titled FTC privacy and data security developments over the past year and Recommends Steps to Improve Mobile Device Security highlights key issues for 2019. Specifically, it addresses recent: Update Practices (available at ftc.gov), which makes several Federal regulation and enforcement actions.
  • Data Transfers to the US Since the Schrems II

    Data Transfers to the US Since the Schrems II

    Data transfers to the U.S. since the Schrems II judgement: An analysis seeking to integrate GAFAM and major providers in the E.U. enforcement strategy Tilburg Institute for Law, Technology and Society, Tilburg University LL.M. Law and Technology Janvier Parewyck SNR 2065486 June 2021 Supervisor: Prof. Dr. Eleni Kosta Second Reader: Dr. Irene Kamara Table of Content Chapter 1 – Introduction ...................................................................................................................... 4 1.1 Background ................................................................................................................................... 4 1.2 Problem Statement ........................................................................................................................ 8 1.3 Methodology and limitations ......................................................................................................... 8 1.4 Narrative structure ......................................................................................................................... 9 Chapter 2 – Lawfulness of data transfers in EU law up to the Schrems II judgement and the invalidation of the Privacy Shield ...................................................................................................... 10 2.1 Introduction ................................................................................................................................. 10 2.2 The GDPR regime and the ‘accountability’ principle ................................................................
  • The Implications of the Schrems Judgment of the European Court for Data Transfers to the U.S

    The Implications of the Schrems Judgment of the European Court for Data Transfers to the U.S

    The implications of the Schrems judgment of the European Court for data transfers to the U.S. Prof. Lokke Moerel1 In the Schrems judgment the Court of Justice of the European Union (CJEU) invalidates the EU- US Safe Harbor Framework for data transfers to the US, but does this judgement also have consequences for the alternative data transfer instruments, like the EU Standard Contractual Clauses (SCCs) and so-called Binding Corporate Rules (BCR)? Are data transfers to other countries outside the EU like China and India now also at risk? Does the new EU-US Privacy Shield agreement solve the data transfer issues to the US? 1. Summary findings The Schrems judgment relates to an ‘adequacy decision’ of the European Commission based on Article 25 of the European Privacy Directive (Directive). These adequacy decisions are of a completely different nature than the decisions of the Commission or national Data Protection Authorities (DPAs) based on Article 26 Directive, authorizing alternative data transfer instruments, such as SCCs and BCR. In the first case, the Commission evaluates whether the legal regime of the country of destination is adequate, as a result whereof data transfers can take place without implementing additional contractual safeguards. In the second case, the Commission or national DPA evaluates whether a set of contractual measures/BCR provide for sufficient safeguards in case the legal regime of the country of destination is not adequate. These two assessments: (1) whether the law is adequate or (2) whether contractual measures can provide sufficient safeguards when the law is not adequate, are different assessments based on different criteria.
  • EU Digital Policy and International Trade

    EU Digital Policy and International Trade

    EU Digital Policy and International Trade March 25, 2021 Congressional Research Service https://crsreports.congress.gov R46732 SUMMARY R46732 EU Digital Policy and International Trade March 25, 2021 A “Europe fit for the digital age” is a top European Union (EU) priority and a key part of EU economic recovery efforts from the Coronavirus Disease 2019 (COVID-19) pandemic. Under the Rachel F. Fefer European Commission’s digital policy roadmap, “Shaping Europe’s Digital Future,” the EU aims Analyst in International to strengthen the EU economy and improve the region’s digital competitiveness, especially with Trade and Finance the United States and China. The EU initiative may raise several issues for Congress, such as the impact on U.S. firms doing business in the EU and U.S. leadership in setting global digital rules and standards. The initiative may also offer the potential for partnership between the United States and the EU to address areas of common concern. The EU has several digital efforts underway, including The draft “Digital Markets Act (DMA)” that aims to establish competition rules for large online platforms designated as “gatekeepers” and specify a list of “do’s and don’ts” among other requirements. The draft “Digital Services Act (DSA)” that seeks to modernize the 2000 E-Commerce Directive, which set the legal framework for online services in the EU, and set liability rules related to illegal online content and products, transparency, and other requirements for all online intermediary services. The enacted General Data Protection Regulation (GDPR), which took effect in 2018 and creates obligations on firms and rights for individuals regarding processing of personal data, including cross-border data flows.
  • European General Data Protection Regulation (GDPR) and Fake News Policy in Slovakia

    European General Data Protection Regulation (GDPR) and Fake News Policy in Slovakia

    European General Data Protection Regulation (GDPR) and Fake News Policy in Slovakia Europe has the toughest privacy laws in the world; one’s right to privacy is a fundamental right under European law. However, many corporations largely ignore it by using private information for their financial gain. This led to the application of General Data Protection Regulation (GDPR), which is a European privacy and security law. It had been put into effect on May 25, 2018. Viennese activist Max Schrems asserted the rights it gives people over the data that companies want to collect about them. It is valid in EU countries today. With the significant development of social media, we tend to give out personal information, sometimes without any hesitation. In terms of accessing the use of a significant social networking app, we give permission to collect data about ourselves that the companies keep. This can turn into a risk circle that some may or may not know about. These companies such as Google, Facebook, Instagram and many more act illegally by forcing users to accept intrusive terms of service, or lose access. According to this Max Schrems stated that there needs to be an option to make a choice. Therefore he filed all the complaints and started working on this big project dedicated to data protection. As it was slowly getting the attention of important authorities, Andrea Jelinek, who leads Austria’s and European Data Protection Board, expressed interest in Schrems´s idea. Jelinek very clearly stated: “If there is forced consent, there is no consent.” Max Schrems showed that a pop up message on Facebook gets the approval to use our data.
  • Data Localization and the Role of Infrastructure for Surveillance, Privacy, and Security

    Data Localization and the Role of Infrastructure for Surveillance, Privacy, and Security

    International Journal of Communication 10(2016), 2221–2237 1932–8036/20160005 Data Localization and the Role of Infrastructure for Surveillance, Privacy, and Security TATEVIK SARGSYAN American University, USA Due to the increased awareness of the politics embedded in Internet technologies, there has been a growing tendency for state and nonstate actors around the world to leverage Internet infrastructure configurations to attain various political and economic objectives. Governments push for infrastructure modifications in pursuit of economic development, data privacy and security, and law enforcement and surveillance effectiveness. Information intermediaries set and enact their infrastructure to maximize revenue by enabling data collection and analytics, but have the capacity to implement tools for protecting privacy and limiting government surveillance. Relying on a conceptual framework of the politics of infrastructure, this article explores tensions and competing interests that emerge around intermediaries’ technical and policy infrastructure through analysis of (a) data localization strategies in a number of countries and (b) privacy and security undertakings by information intermediaries. Keywords: privacy, security, Internet infrastructure, surveillance, data localization The Politics of Infrastructure Governments across the world have come to recognize the importance of information intermediaries’ infrastructure for national security, public safety, and other political interests. Law enforcement and intelligence agencies are tasked with addressing various challenges, including the growth of terrorism, cyberattacks, cybercrime, fraud, and—in some regimes—political opposition and social movements. To pursue these goals, government agencies often need to access communications data that are beyond their immediate control, facilitated by a handful of information intermediaries. These companies mediate content by providing online services and communication platforms to global users.