With Low-Earth Orbit Data Centers, Privacy Risks Go Beyond Space

Space is no longer a frontier reserved for governments and their aerospace programs. Many companies have extraterrestrial operations and store enormous amounts of data to be transferred at high speed, making earth-based data centers inefficient.

Space-based technological infrastructure is necessary to maximize the benefits of many private space operations.

Companies are developing low-earth orbit data centers to consolidate data efficiently from various sources on an interconnected space network. LEO data centers will allow companies to process large amounts of data in space without the delay of sending it to Earth for analysis. They also will provide significantly more storage capacity than current satellites.

However, space databases come with legal risks that companies should consider.

Given that personal data in space isn’t governed by the laws of any one nation, and international space law is still in its infancy, space corporations must determine which privacy systems apply to their operations.

International Laws

No international treaty or agreement directly governs personal data privacy in space, but various countries have adopted privacy laws that may require compliance by space companies.

Take Europe’s General Data Privacy Regulation. US corporations that collect or process the data of EU citizens are subject to the GDPR. Regardless of where the data is stored, the GDPR requires data controllers to comply by, for example, allowing the individuals to request that their data be modified or deleted and requiring controllers to implement certain technological safeguards.

Space corporations should be prepared to comply with international laws concerning information stored in LEO databases depending on whose data they control.

The US has accepted several transnational guidelines. For instance, the US is a member of both the Organization for Economic Cooperation and Development and the Asia Pacific Economic Cooperation, which both adopted nonbinding privacy protection guidelines for cross-border transfers and storage of data.

Although these agreements are nonbinding and require member states to enforce their provisions, companies transferring and storing data in space should understand the extent they comply with international treaties and agreements to which the US is a party.

Federal Laws

The US has yet to adopt a comprehensive data privacy law related to personal data. Instead, several US laws protect specific categories of personal data. For example, the Health Information Portability and Accessibility Act governs health information, and the Gramm-Leach-Bliley Act protects financial information.

As private space exploration, tourism, and other forms of commercialization become more common, more individuals will be traveling to space, and their data (particularly at first, health data) sometimes will have to travel with them.

Federal privacy laws often require strict adherence to certain safeguards to protect the confidentiality and integrity of individuals’ data. Companies that store covered data types in LEO databases should determine on the front end which federal laws apply and design their data centers in a way to allow compliance.

LEO data centers may be subject to domestic and international laws governing satellites, including communications laws, orbital debris mitigation rules, and others, which may implicate data privacy. Companies launching LEO databases should pay close attention to the laws and regulations of the jurisdiction from which they launch their data centers.

State and Local Laws

Many state privacy laws will apply in some form to personal data stored in space. Whether a business controlling the data of a state’s resident is subject to its privacy law depends on one or both of the following: the nature of the data being stored and the amount of revenue the company generates from the sale of personal data.

For instance, the California Consumer Privacy Act—the most stringent state privacy law—applies to businesses that have a gross annual revenue of over $25 million; buy, sell, or share the personal information of 100,000 or more California residents or households; or derive 50% or more of their annual revenue from selling California residents’ personal information.

Utah, meanwhile, requires a company to either control or process personal data of 100,000 or more consumers during a calendar year, or derive over 50% of their gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers. In either case, the location of the data doesn’t affect its applicability.

Other variables that affect the application of state privacy laws include the definition of personal information. While California considers employment data such as job history, performance evaluations, and benefits information to be personal information, other states don’t.

Companies storing data in space must keep these variables in mind and establish a framework to assess their real-time responsibility for compliance.

Industry Standards

Only a few companies have begun filling the need for data infrastructure in space, but more entrants will join as costs decrease. These companies may coalesce to create industry standards for personal information stored in space. This has occurred in other industries.

For instance, the payment card industry data security standard—which sets guidelines within the credit card industry related to security of sensitive customer data—was created by the heads of major credit card brands. The standard is enforced through contractual obligations and the high expectations of other market participants such as banks.

A similar set of rules may develop for LEO and other space databases over time. Anticipating the need and development of these rules can save space companies time and resources.

Whether launching an LEO data center or contracting to store personal data in one, domestic corporations should prepare themselves to meet the requirements of privacy systems at all levels.

Companies are hurrying to take advantage of this new frontier, but they should remember that they aren’t starting from scratch when it comes to data privacy.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Jared Wilkerson is partner at Morgan Lewis and represents energy and technology clients in class actions, commercial litigation, and trade secrets and employment disputes.

Collin Hopkins is an associate at Morgan Lewis and represents clients in complex commercial litigation and energy litigation.

Write for Us: Author Guidelines