Data localization accelerates globally as privacy is linked with data transfer restrictions

The truism that “data is the oil of the 21st Century” is due for Version 2.0. Increasingly, data is more than a commodity: It’s a currency.

As the value of the big data analytics market zooms past an estimated $140 billion annually, countries around the world are tightening their grip to keep data on servers within their national borders. Data localization is increasingly impeding the flow of data across national borders as countries address concerns about privacy, security and the power of a few US-based Internet giants — and as countries assert their own parochial interests

A host of recent government and think tank studies and surveys document the accelerating global trend. The Office of the US Trade Representative recently released its 2021 report on digital trade barriers listing the European Union and 19 nations — large democracies such as Brazil and India as well as smaller states such as Ecuador and Kenya — as having data localization measures that could be barriers to digital trade.

Just five years ago, the same report listed only a single nation, Indonesia, as having data localization measures worrisome to the US. No longer is localization confined to authoritarian states, such as Russia and China, that want easy access to their people’s data and electronic communications.

A recent report by the Organization for Economic Cooperation and Development identified data localization measures in 40 jurisdictions, including the EU and countries in Africa, Asia, and the Americas. OECD said localization is being driven by countries’ “inward-looking policies,” a trend likely to be amplified by the Covid-19 pandemic. Concerned about the risk to international data flows, OECD is developing international principles to define appropriate government access to personal data stored by private companies.

Data localization measures raise the cost of hosting data because the Internet enables centralized data storage and processing; they may drive up costs by forcing companies to disperse their data by building data centers that otherwise wouldn’t make economic sense.

Data localization rules could also affect consumer choice and reduce competition. Big companies such as Facebook have warned that without the ability to easily transfer data, features such as its Newsfeed could become impossible to serve up to users. But Facebook’s smaller competitors could be hurt too. Snap warned in a securities filing in recent days that it might have to pull its Snapchat social network service out of some countries because of the regulatory burden of localization rules.

One of the few rivals to Facebook’s dominance in social networking, Snap warned that localization could lead to a “withdrawal by us from certain countries,” reducing the company’s audience and ”giving our competitors an opportunity to penetrate geographic markets that we cannot access.”

— Privacy linkage —

Even as data localization becomes a global phenomenon, it still has no precise and universal definition. However the concept is defined — some politicians have embraced the term “data sovereignty” — a government’s attempt to bind data to its soil is often a strikingly ineffective response to legitimate concerns.

Privacy advocates are also increasingly concerned that laws intended to protect the privacy and security of data are instead driving data localization, whether or not that was the intent. The International Association of Privacy Professionals noted a striking and rapid drop in the share of members from 2019 to 2020 that manage their data globally, and a corresponding increase in the share of members who segment their data geographically.

Those dates straddle the European Court of Justice's “Schrems II” decision, which nullified the EU-US Privacy Shield because of the data transfer framework’s non-compliance with Europe’s General Data Protection Regulation. Caitlin Fennessy,  the IAPP’s research director, said the localization effect is much broader than the EU, and the GDPR was not intended to promote data localization.

“Increasingly, localization rules are tied to data protection proposals that are modeled on the GDPR. There’s no question that countries have been emboldened by the EU’s approach to data transfer restrictions, and are using that as a kind of entry point into restrictions that get a lot closer to full-fledged data localization,” Fennessy told MLex.

The linkage between privacy laws and data localization is a growing concern for US officials. The Commerce Department’s International Trade Administration “continues to promote the interoperability of data protection systems to ensure that privacy regulation does not result in barriers to cross-border data flow,” a senior Commerce Department official told MLex in a background briefing.

— Global trend —

India, which is developing national data protection legislation, is one democracy that is building localization into its new privacy rules. Drafts of India’s Personal Data Protection Bill contain localization provisions for “sensitive” or “critical” personal data, and just today, its telecom regulator said that data arising from its tests of new 5G services would be stored only in India.

Other democracies are being pushed toward localization, almost against their will. In Japan, the public backlash in March against LINE Corp. forced the country’s leading social media company to bring its data back to Japan from servers in China and South Korea after revelations that LINE allowed a subcontractor in China to access the personal data of Japanese users.

Japan has long been a leading global partner to the US in advocating free data flows in the Pacific Rim through the APEC Cross-Border Privacy Rules, but the LINE scandal is expected to push Japan away from the US model, which emphasizes the unfettered international flow of data, and more toward the EU’s emphasis on data protection before data is allowed to be transferred abroad.

A Brookings Institution report found that data flow restrictions in the Asia-Pacific Rim region mushroomed from one regulation in 1988 to 73 in 2020. The USTR began warning that data localization was “a growing global trend” in 2018. That is not just a US view. In a report released in December, the UK’s International Regulatory Strategy Group (IRSG), concluded: “The financial services industry is currently witnessing and responding to increasingly protectionist behaviors across the world in the form of data localization.”

And 10 months after Schrems II, privacy experts believe that recent policy proposals and comments by Brussels officials have created what looks very much like a de facto EU data localization requirement, even though data localization is not the official stance of the EU.

Vivienne Artz, the chief privacy officer of the London Stock Exchange Group, a member of the IRSG, said data localization “is genuinely a global phenomenon.” The thrust of the IRSG report was to look at what is driving localization, and what policies might blunt the trend or buffer its negative impacts.

One key report finding: Data security is not enhanced by localization rules. In fact, it’s just the opposite, as data is “instead hosted in less sophisticated and often therefore more vulnerable local environments with security resources spread across multiple sites.”

“Data localization takes different forms, and this is why people find it very difficult to get their arms around it,” Artz told MLex. “Is it data protection law? Yes, but not only. Is it outsourcing law? Yes, but not only. Is it banking secrecy? Yes, but not only. Is it outsourcing restrictions? Yes, but not only.”

“It's so important to look at the drivers behind it in order to address those concerns,” she said. “And I don't think you could just sit there and say, 'Oh, you're wrong.' What you need to do is offer solutions and recommendations to the concerns that are driving those localization measures.”

A key recommendation in the ISRG report is that nations promise to adhere “to core principles of data protection standards and safeguards across different legal jurisdictions, which can be mutually recognized on a multi-lateral basis and would provide the assurance that data will be sufficiently protected.”

— US vulnerability —

The OECD said one good first step would be to agree on a universal definition for data localization. Its proposal: “ ‘Data localization’ refers to a mandatory legal or administrative requirement directly or indirectly stipulating that data be stored or processed, exclusively or non-exclusively, within a specified jurisdiction.”

The US, the home of so many global Internet giants, has raised the alarm about localization, but it is increasingly isolated as a large developed country that lacks a national privacy and data security law.

A US privacy law probably wouldn’t have changed the Schrems II decision, which was based on the lack of legal redress for US intelligence surveillance abuses. But it’s difficult to see how the US, without a national privacy law, will achieve a permanent “adequacy” designation with Europe that would allow truly seamless data transfers.

US politicians would be wise to grasp that one of the best ways to protect the global competitiveness of the American Internet industry would be to adopt national privacy rules that include the basic privacy principles in the GDPR and other laws: transparency, minimization of collection, a well-funded national enforcer, and strong financial penalties for violations.