Over the past twelve months, through a combination of regulatory intervention (think GDPR) and private company snafus (think Facebook), data protection has quite rightly become a subject of scrutiny and public discussion across the globe. In North America and Europe the parameters of the debate have largely been defined by questions relating to permissions and the personal ownership of data. How and when do consumers give consent? For how long is that consent valid, and for what purposes? The core of the argument essentially revolves around informing consumers about the trade-offs they make with their privacy in exchange for access to "free" websites and services such as email.
GDPR: Striking A Balance?
In the case of the E.U. and the extension of consumer rights over their data brought by GDPR, the argument extended further, into areas such as the transnational movement of data. In a similar fashion to the manner in which some countries impose tariffs on products that fail to meet domestic labor, safety and other working condition standards, as part of GDPR the E.U. has imposed restrictions on where and how Europeans' data can be moved outside of the European Economic Area. Although this is not strictly data localization, the destination must have "adequate" protections for consumer data, broadly equivalent to those offered by the GDPR.
As at July 2018 the Commission has made a full finding of adequacy about the following countries and territories:
Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
The Commission has made partial findings of adequacy about Canada and the USA.
The adequacy finding for Canada only covers data that is subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
The adequacy finding for the USA is only for personal data transfers covered by the EU-US Privacy Shield framework. The Privacy Shield places requirements on US companies certified by the scheme to protect personal data and provides for redress mechanisms for individuals.
U.K. Information Commissioner's Office
Additionally, in a recent move, the EU's legislators have also agreed to limit data localization within its borders, by green-lighting the passage of a new law that will only allow the practice in relation to non-personal data when it pertains to national security. Otherwise data is to be allowed to move freely within the EU's Single Market in an attempt to boost the "Digital Single Market" and bolster competitiveness and the value add of data services within the Union.
However, it should be noted that the national security exception is an important one. Indeed, it was the aftermath of the Edward Snowden revelations about the United States hoovering up the personal information of foreign citizens within their own countries' borders that prompted some countries, Germany in particular, to mandate the retention of such data on German soil, where it would be subject to what was certainly already one of the world's strictest privacy and data protection regimes.
"The Road To Hell Is Paved With Good Intentions"
And while all this is not to say that the EU has hit upon exactly the right answer in this area, it is nonetheless attempting to take a proportionate response to an issue that was largely unheard of just a few years ago. And in addressing data localization, the EU is trying to strike the right balance between protecting consumer rights and boosting the domestic digital economy.
As ever, though, good intentions can very often lead to bad outcomes, and bad intentions disguised as good lead to worse. And so it is with the growing number of countries (more than two dozen according to CGAP) that are mandating data localization. Earlier this year India joined a crew containing Russia, China, Indonesia, Vietnam, Kenya, Rwanda, Pakistan and Nigeria, among others, in mandating that data be stored on servers within their national boundaries.
India's opening move in this protectionist chapter was to mirror a 2014 circular from Bank Indonesia and mandate payment systems data to be housed in-country, ostensibly:
"In order to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers as also with their service providers / intermediaries / third party vendors and other entities in the payment ecosystem."
Reserve Bank of India, Notification RBI/2017-18/153
In doing so India echoed familiar themes when it comes to data localization. While each country puts a slightly different gloss on its actions, they all tend to have similar themes relating to data security, access and boosting domestic financial service providers (FSPs) by protecting them from competition, but with varying degrees of emphasis.
As CGAP has implied, even on its face the stated reasoning of the Reserve Bank of India makes little sense.
Storing data abroad or in the cloud does not mean it will be less accessible to financial sector supervisors. Whether data are stored on a local server or abroad, accessibility depends on system uptime and internet connectivity. Data that are held locally can be more difficult to access if the local infrastructure cannot supply the seamless internet connectivity and high amounts of electricity required by most data centers. Multinational firms, on the other hand, build their data centers in locations that have a guaranteed power supply, strong internet connectivity and disaster recovery management systems.
CGAP, '3 Myths About Data Localization'
Publicly stated concerns over security do not hold up to scrutiny either: the world's leading cloud and payment service providers have security standards that are unlikely to be surpassed by domestic efforts. Indeed, the eye-watering revelation this past week that India's Aadhaar database has been compromised is surely all the evidence that is needed to demonstrate that local does not equal more secure. Not only has the database been compromised, but fraudsters have been able to generate fake Aadhaar IDs, in a revelation that is bound to inflict severe damage on India's reputation as an I.T. powerhouse.
Costs Versus Benefits
Or consider Vietnam, where a 2013 state decree requires one server to be kept in-country to serve "the inspection, storage, and provision of information at the request of competent state management agencies." This brings it in line with Nigeria and Indonesia, which also require a server to be available for inspection within the jurisdiction. This conjures up images of a government regulator browsing through dusty old files in a cabinet, rather than the reality of data stored in the cloud that can be accessed remotely and (if implemented properly) securely. The cost implications for FSPs and other service providers are substantial, with little real benefit for regulators.
Depressingly, even if the foregoing reasons are mere fig leaves designed to mask the protectionist intent behind data localization laws, not only are they ineffective as cover stories, but the laws themselves are unlikely to even work. In fact, a 2016 Global Commission on Internet Governance report concluded that,
The regression analysis reveals that regulatory restrictions of the free flow of data tend to reduce productivity and economic output in those industries that depend relatively intensively on data services.
Bauer, Ferracane & van der Marel, 'Tracing the Economic Impact of Regulations on the Free Flow of Data and Data Localization'
And although the authors did not examine the effects of data localization on its own, their analysis of the effects of data protection regimes, including GDPR (which, as noted above, does not have data localization requirements), concluded that they cost both China and the E.U. about 0.5% in real GDP growth, and cost countries such as Vietnam and Indonesia around half that much.
While in the EU's case it seems that incurring such a cost was considered a reasonable price to pay for consumer protection and privacy, in China the reality is that the government has considered half a percent of GDP a price worth paying in order to ensure the country's citizens have no expectation of privacy. And as for countries such as Vietnam, Indonesia and India, it is not clear that the regulators have given much thought to the likely real-world effects, let alone unintended consequences, of their possibly well-intended moves.
If the 21st century is digital, and data is the 21st century's oil, then issues like data localization need to be viewed in the context of barriers to trade, rather than treated as purely abstruse tech security and data privacy affairs. Only that way can the public, and government, have a proper debate about the costs and the benefits, and where the balance is to be struck. And indeed, in the context of the current global mood for populist nationalism, the nationalist, sentimental and/or national security argument for keeping data domestically is one that is likely to have no shortage of supporters, and at least an honest debate will have been had.
"Make data localization great again?"