As the role of data in our lives continues to advance around the world, we’re increasingly seeing tensions between protecting personal data and the idea that data needs to flow freely to realize the benefits of the digital economy. One response to this tension is data localization. Data localization refers to a requirement that any entity that processes the data of a given country’s citizens must store that data on servers within that country’s borders.
Why Some Say We Need Data Localization
A recent Brookings report on the importance of cross-border data flows discusses five reasons why governments want to localize data:
- Protection of personal data;
- Access to data by law enforcement;
- Ensuring national security;
- Advancing local economic competitiveness; and
- Leveling the regulatory playing field.
In assessing each of these objectives, the report contends on all five counts that data localization measures actually have a negative impact and suggests other options for achieving these goals.
For instance, it points out that the technical and financial capacity of global cloud providers is more important to data security than whether data is stored locally. Refusing to allow data to cross borders often means keeping data from reaching those best equipped to protect it. And in terms of local economic competitiveness, it notes that restricting data flows to try to protect domestic companies from digital competitors can trigger other countries to retaliate, harming other local companies that seek to use data to conduct business globally.
“Digital Trade Barriers”
One recent study by Boston Consulting Group noted challenges presented by data localization mandates, saying that they “are a particularly powerful example of the emerging crop of digital trade barriers: since 2000, these measures have increased by a factor of four, with 33% falling into the ‘most restrictive’ category, including an outright ban on the cross-border transfer of data.” As one example of the impact that data localization policies can have, it described how PayPal was forced to cease operations in Turkey after losing its license due to new IT system localization regulations put in place by the financial regulator.
Most countries still have not implemented data localization laws, but a growing number of countries are adopting data localization requirements. There are some countries, such as China, Russia, Indonesia, Nigeria and Vietnam, that have implemented tough rules around data localization. However, most other countries that have gone down the data localization path have taken a softer and/or more piecemeal approach (see page 49 of this study by the Centre for Internet & Society for an analysis of 18 countries’ approaches to data localization).
Established Tech vs. Emerging Market Tech
During interviews conducted as part of the Credit Suisse Global Citizens data protection project mentioned in this series’ introductory blog post, interviewees in India showed consistent support for the government’s data localization efforts. For example, Dr. Anand Shrivastav, who is Chair of the Business Correspondent Federation of India and is a Member of the Reserve Bank of India’s Financial Inclusion Advisory Committee, argued that “data is a sovereign right, and every country has a right to protect its citizens’ sensitive data.” He added that Indian fintechs support data localization because they view data as a vital asset that should be kept within Indian borders. Indeed, Paytm (which is also backed by Chinese tech giant, Alibaba) made a strong public stand in favor of data localization, in part to ensure “a level playing field for the Indian startup ecosystem with respect to global tech giants.”
But India is an enormous market. Restrictions in smaller countries could be problematic. For one thing, keeping data physically in country requires data centers with reliable infrastructure, which many developing countries may not yet be able to adequately ensure. And even where they could, the market context in smaller developing countries may not present sufficient incentives for leading cloud providers like Amazon Web Services, Microsoft Azure and Google Cloud to invest in building local data centers the way they have been willing to in India. For example, it was only last year that Microsoft and Amazon opened their first African data centers in South Africa. As a result, financial service providers in many developing countries need to look externally to find the most robust cloud computing solutions for managing and protecting their data.
In addition, as the geopolitics of data localization continue to play out, with large technology companies from the West pitted against large technology companies from India and China, countries such as Indonesia and Vietnam have yielded to pressure to loosen certain data localization provisions. Moreover, this past December the draft data protection bill in India that was first presented in 2018 was resubmitted to Parliament with a number of revisions, including a removal of restrictions on the transfer and storage of personal data outside of India. However, the restrictions on both “sensitive” and “critical” personal data from the initial draft of the bill remain. This suggests that despite the growth of data localization measures around the world, proponents of softer regulations are succeeding in persuading various countries to loosen their existing and/or proposed data localization policies.
Where’s the Meeting Point?
For these and other reasons, such countries generally do not have data localization requirements built into their data protection laws, to the extent that they have any. This is the case for Ghana and Peru, where the cross-border transfer of personal data is permitted, as long as the recipients of such data are able to meet the same data protection standards required under Ghanaian or Peruvian law.
It’s easy to see why data localization has emerged as such a contentious issue. While there may be many legitimate reasons for putting up guardrails around the flow of data, the right solutions will vary from one country to the next and evolve over time. But in order to reap the benefits of our increasingly digitized economy, these solutions will need to tend toward openness through international cooperation and harmonization of rules. This need is not unique to data and has been true across a wide array of sectors and technologies before, and it can be done: just look at the thousands of standards that have been developed by the International Organization for Standardization. The previously mentioned Brookings report shared some good examples of frameworks that allow countries with different approaches to data protection to agree to sets of principles by which cross-border data transfers can occur. This kind of collaboration around data is in the early stages, but it is precisely what we need to see more of for the true potential of data to be seized.