The Internet was designed to cross geographical borders. As such, all the means implemented to reproduce these borders on the Internet are unnatural and will prove useless at best, and counter-productive at worst. The Internet is not a space without laws, but we must understand that its laws are not related to those of the geographical space.
The real question of data is not where it is stored, but who has access to it. This distinction is specific to digital and it is fundamental. In the “real world”, anyone who stores an object has access to it. In the “digital world”, one can store data, but be unable to access it, because it is encrypted and one does not hold the key.
The digital frontier is not geographical, it is encryption: on the one hand there is data in plain text, on the other hand encrypted data. There are even two categories of encryption, which induce different possibilities and constraints:
- Symmetric encryption, where the “passport” to cross the border is a key, the same for both crossing directions.
- Asymmetric encryption, where you need a different “passport” for each direction, i.e. two separate but complementary keys that you generate at the same time. They are called public key (it allows encryption) and private key (it allows decryption). It is also very difficult to infer one from the other, so that the public key (hence its name) can be safely disseminated. Anyone can use it to encrypt the data to be communicated to us, and only we will be able to decrypt it using the corresponding private key.
In the digital world, thanks to encryption, each user can be sovereign over his data, even if he is not the one storing it. He has his own territory where his data is in clear. Outside this territory, his data is encrypted. His keys, which only he owns, allow his data to cross the border. The physical storage location is irrelevant in the digital world.
The GDPR (General Data Protection Regulation) is a major step forward on many points, and its intentions are extremely laudable. It is just unfortunate that it tries to regulate the location of storage, rather than recognize encryption as the true frontier for digital data.