Storage Wars: The Pros and Cons of Data Localization/Nationalization

Countries are pushing towards data localization to protect their citizens’ data in the connected world. Also known as data nationalization, the interest stems from countries wanting to ensure the cybersecurity and privacy of their citizens’ personal information from global companies and foreign governments, especially adversaries. Nations seek to establish virtual borders and retain legal control over data that moves freely over the web. Localization to protect national security has its tradeoffs, creating barriers to international trade and emerging markets, and it may not necessarily protect individual privacy.

  • What is Data Localization?

Data localization laws require data storage within the country it originated in, keeping it subject to access and local regulation.[i] The increase in economic data globalization, the rise of the internet, and now cloud computing has led to countries establishing laws to control the use and storage of data; thus, attempting to maintain sovereignty over something that operates without borders.

  • Why do Countries Want Localization?

Edward Snowden’s exposure of United States (US) intelligence practices sparked countries into considering data localization laws, seeking to limit the storage, movement, or processing of digital data to specific geographies, jurisdictions, and companies.[ii] Countries have various objectives for wanting localized data including protecting their citizens’ privacy, intellectual property, economic disadvantages, election security, and national security.[iii]

  1. Why do Countries Care?

“The ability to store and process certain types of data may well give one country a political and technological advantage over other countries. [data globalization], in turn, may lead to a loss of national sovereignty through supranational data flows.”[iv] Data localization will benefit public laws, law enforcement, and taxation.[v] Countries need to protect their citizens’ data from other countries or bad actors. For example, adversaries can use US citizens’ data to manipulate, target, or exploit Americans during elections by sending misinformation, scaring them, and so forth. Additionally, age restrictions for minors are different in different countries. The ability to protect minors and enforce child protection laws make it reasonable to require localization.

  • Examples Around the World

The national security risks of having a hostile nation accessing citizen and corporate data is concerning. For instance, South Korea, in part due to it still being at war with North Korea,[vi] requires strict data localization to protect its citizens and corporations. Turkey recently passed a law requiring the storage of Turkish citizens’ social media data within the country. The vague law creates confusion if companies can store copies of the data elsewhere or if storage must be in Turkey. In Russia, personal data localization regulations first became effective in 2015.[vii] The European Union (EU) and the US have repeatedly renegotiated data transfer agreements because of privacy concerns. A new deal is currently in the works. Social Media app TikTok is a notable target of the US and banned in India because of the Chinese Government’s potential to access personal information on foreign citizens.

  • Impact on Commerce

Data localization impacts cloud computing, the internet of things, and big data. Companies might reassess doing business in countries where localization compliance is costly, complicated, and unprofitable. Companies need to know their data and where it is useful. Amazon Web Services, for example, provides the option to choose where to store their data.

  • Economic Development

localization theoretically provides countries more control over domestic data, and localization will weaken the US stronghold on data transfers because of its economic power. Global corporations are less tied to one country and have to maintain international interests. Also, substantial limitations on the free flow of data are detrimental to smaller or developing countries without the leverage to control data transfers.

  • The Structure of the Internet

The internet is designed to be efficient and free, not to restrict data transfer through particular places. Data sharing should be done on a need-to-know basis in association with data minimization. However, data localization could hinder internet freedom in several indirect ways.[ix] For example, restricting data routing is not feasible as the internet exists today.[x] The Internet uses the “best-effort delivery” model, delivering data to its destination in the most efficient manner possible, without predetermined routes, attempting to travel along the shortest and most direct way possible.[xi] Network congestion on the shortest route is bypassed by finding a longer but faster route.[xii]

For governments to restrict data routing to specific geographies, all Internet routers that follow the “best-effort” routing model must be reconfigured to prohibit data from one country from moving through “prohibited” countries.[xiii] The Internet’s current addressing system would require significant alterations because Internet addresses are not always assigned according to a specific geography.[xiv] These changes would require a fundamental overhaul of the Internet’s operating structures and the governance structures by which those structures are implemented and standardized.[xv] Additionally, even if data is stored locally in Europe, a person could use a Virtual Private Network (VPN) in the US to appear as if they are operating from Europe.

  • Does Localization Benefit Individual Privacy?

Localization’s primary goal is to establish control and legal boundaries over personal information, not to ensure individual privacy, resulting in data protectionism rather than data protection. Localization will act similar to tariffs, making international commerce more expensive and potentially unviable in certain situations.

Regulators argue moving data overseas puts consumer privacy at risk. Regulations seek to protect intellectual property as well as regulate and protect data transfer and storage. The idea is to shield a country’s citizens’ personal information from global corporations and other governments. Technology and trade agreements have not solved these problems, as the recent Schrems II decision striking down the EU-US privacy agreement has shown. Thus, localization is an option to retain sovereignty.

Countries that figure out less restrictive data regulations that ensure privacy will have the upper hand over countries with strict data localization requirements. Greater transparency into data collection and usage by companies and governments and a right to private action will create better economic opportunities. Admittedly, accomplishing such changes is no challenging as countries and intelligence agencies value collecting information in secret.

  • Conclusion:

Localization can create obstacles to international commerce but serves a purpose in protecting national security and individual privacy. Countries that are more open to cross-border data transfers will become more attractive for global business. Properly encrypting necessary sensitive information, international data transfer agreements that comply with data privacy laws, and strict enforcement by data protection agencies are a better way forward than trying to build virtual walls around the internet. Greater transparency on data collection and usage will create a better environment for privacy and commerce. Additionally, requiring data minimization can offset data collection concerns. Hopefully, the idea of data localization pushes forward new privacy and data regulations, and the internet continues to bring the world together.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information visit https://ardentprivacy.ai/and for more resources here.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.

References:

[i] Richard D. Taylor, “Data localization”: The internet in the balance, Telecommunications Policy, Volume 44, Issue 8, 2020, 102003, ISSN 0308-5961, https://doi.org/10.1016/j.telpol.2020.102003. (http://www.sciencedirect.com/science/article/pii/S0308596120300951)

[ii] Hill, Jonah, The Growth of Data Localization Post-Snowden: Analysis and Recommendations for U.S. Policymakers and Business Leaders (May 1, 2014). The Hague Institute for Global Justice, Conference on the Future of Cyber Governance, 2014, Available at SSRN: https://ssrn.com/abstract=2430275 or http://dx.doi.org/10.2139/ssrn.2430275

[iii] Mishra, Neha, Data Localization Laws in a Digital World: Data Protection or Data Protectionism? (December 4, 2015). The Public Sphere (2016), NUS Centre for International Law Research Paper No. 19/05, Available at SSRN: https://ssrn.com/abstract=2848022

[iv] K. Irion, Government cloud computing and national data sovereignty, Policy & Internet, 4 (Issue 3–4) (2013), pp. 40-71. Accessible at https://onlinelibrary.wiley.com/doi/abs/10.1002/poi3.10

[v] Alexander Savelyev, Russia’s new personal data localization regulations: A step forward or a self-imposed sanction?, Computer Law & Security Review, Volume 32, Issue 1, 2016, Pages 128-145, ISSN 0267-3649, https://doi.org/10.1016/j.clsr.2015.12.003. (http://www.sciencedirect.com/science/article/pii/S0267364915001685)

[vi] Julia Yoon, South Korea Data Localization: Shaped by Conflict (Feb. 28, 2018). https://jsis.washington.edu/news/south-korean-data-localization-shaped-conflict/

[vii] Alexander Savelyev, Russia’s new personal data localization regulations: A step forward or a self-imposed sanction?, Computer Law & Security Review, Volume 32, Issue 1, 2016, Pages 128-145, ISSN 0267-3649, https://doi.org/10.1016/j.clsr.2015.12.003. (http://www.sciencedirect.com/science/article/pii/S0267364915001685)

[viii] (Taylor, 2020)

[ix] (Hill, 2014)

[x] Id.

[xi] Id.

[xii] Id.

[xiii] Id.

[xiv] Id.

[xv] Id.