April 2020
Susan A. Aaronson
Summary: Citizens of the United States, Canada and Germany know that the online world is simultaneously a wondrous and dangerous place. They have seen details about their activities, education, financial status and beliefs stolen, misused and manipulated. This paper attempts to examine why stores of personal data (data troves) held by private firms became a national security problem in the United States and compares the US response to that of Canada and Germany. Citizens in all three countries rely on many of the same data-driven services and give personal information to many of the same companies. German and Canadian policy makers and scholars have also warned of potential national security spillovers of large data troves. However, the three nations have defined and addressed the problem differently. US policy makers see a problem in the ownership and use of personal data (what and how) instead of in America’s own failure to adequately govern personal data. The United States has not adopted a strong national law for protecting personal data, although national security officials have repeatedly warned of the importance of doing so. Instead, the United States has banned certain apps and adopted investment reviews of foreign firms that want to acquire firms with large troves of personal data. Meanwhile, Canada and Germany see a different national security risk. They find the problem is where and how data is stored and processed. Canadian and German officials are determined to ensure that Canadian and German laws apply to Canadian and German personal and/or government data when it is stored on the cloud (often on US cloud service providers). The case studies illuminate a governance gap: personal data troves held by governments and firms can present a multitude of security risks. However, policy makers have put forward nationalistic solutions that do not reflect the global nature of the risk.