How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them

Data-localization policies are spreading rapidly around the world. This measurably reduces trade, slows productivity, and increases prices for affected industries. Like-minded nations must work together to stem the tide and build an open, rules-based, and innovative digital economy.
How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them
Twitter Image: 
How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them

Introduction

The Evolution and Spread of Data Localization Continues to Degrade the Global Internet Economy

The Five Rationales for Data Localization

Estimating the Cost of Restrictions on Data Flows

Recommendations to Build Global Data Governance and Constructive Alternatives to Data Localization

Conclusion

Appendix A: List of Data Localization Measures

Africa

Europe

Middle East and North Africa

Central Asia

South Asia

Southeast and Northeast Asia

South and Central America

China

Oceania

North America

Appendix B: Model Methodology

Endnotes

Introduction

For centuries information has flowed around the world, steadily increasing with the rise of international mail, the first transatlantic cables in the 1850s, and the first transatlantic telephone cable in the 1950s. What is different now is that the Internet creates the potential to send large amounts of data quickly and at virtually no cost to almost any part of the world. Moreover, on this global network, sending data abroad costs no more than sending data domestically. COVID-19 has made clear that data flows are critical to the global economy, enabling both economic responses (e.g., data sharing for medical research, the monitoring and automated control of vaccine production facilities, and the adoption of digital services for business continuity) and societal responses (e.g., family video calls, contact tracing, streaming content for entertainment, and online shopping). Data flows will only continue to rise as more countries and sectors embrace digital transformation.

Data will flow across borders unless governments enact restrictions. While some countries allow data to flow easily around the world—recognizing that legal protections can accompany the data—many more have enacted new barriers to data transfers that make it more expensive and time-consuming, if not illegal, to transfer data overseas. Forced local data-residency requirements that confine data within a country’s borders, a concept known as “data localization,” have evolved and spread in the four years since the Information Technology and Innovation Foundation’s (ITIF) last major report on data flows and localization.[1] Data localization targets a growing range of specific data types and broad categories of data deemed “important” or “sensitive” or related to national security. The justifications policymakers use have also evolved. Misguided data privacy and cybersecurity concerns remain common, but cybersovereignty and censorship are newer, and in many ways, more-troubling motivations given they are broader and more ideologically driven. Some policymakers—especially those in Europe and India—openly call for data localization as part of digital protectionism, while others disguise localization and protectionism by burying them in technical regulations.

The spread of data localization to more countries and data types poses a growing threat to the potential for an open, rules-based, and innovative global digital economy. Data localization makes the Internet less accessible and secure, more costly and complicated, and less innovative. Businesses use data to create value, and many can only maximize that value when data can flow freely across borders. Hence, data localization undermines the impact data-intensive services can have on economic productivity and innovation.[2] For example, a 2018 Organization for Economic Cooperation and Development (OECD) report notes that digitalization is linked with greater trade openness, selling more products to more markets, and that a 10 percent increase in bilateral digital connectivity increased trade in services by over 3.1 percent.[3] The opposite is also true. ITIF’s econometric modeling estimates that a one-unit increase in a country’s data restrictiveness index (DRI) results (cumulatively, over a five-year period) in a 7 percent decrease in its volume of gross output traded, a 1.5 percent increase in its prices of goods and services among downstream industries, and a 2.9 percent decrease in its economy-wide productivity. The report finds that China, Indonesia, Russia, and South Africa are countries for which their increasing data restrictiveness is leading to their economies experiencing higher prices, lower trade, and reduced productivity.

Forced data localization also undermines the potential for shared governance. Countries can work together to address legitimate concerns about data transfers, such as to prevent espionage, to maintain financial oversight, and to conduct law enforcement investigations, while still allowing data to flow freely. Of course, countries should create robust data privacy frameworks that protect consumers and address national security concerns, but policymakers should do so in a transparent, targeted, and balanced way to avoid unnecessarily costly and restrictive policies given their economic and trade impacts. Many common data protection laws—such as those based on OECD’s guidelines on the protection of privacy and cross-border flows of personal data—do not constitute a restriction on digital trade.[4] It is entirely acceptable for ex post accountability for the data exporter if data sent abroad is misused. The cost of abiding by these data protection laws is a typical cost of doing business.[5] This is a crucial distinction to differentiate policymakers in those countries that try to misuse data localization as a legitimate data protection tool, when it is not.

The spread of data localization to more countries and data types poses a growing threat to the potential for an open, rules-based, and innovative global digital economy.

As the world emerges from COVID-19, policymakers need to do more to ensure that the global digital economy remains an engine of economic growth and recovery. Thankfully, some countries are bringing this concept to life via new mechanisms, agreements, and frameworks for data flows and governance and digital trade. The first section of this report provides an updated analysis of data localization’s use and application and the five main motivations used to justify it. The second section provides a quantitative assessment as to its growing impact. The final section combines analysis and recommendations relating to mechanisms to support data flows and global digital trade and data governance.

The report offers several general recommendations for policymakers:

  • Global data governance: Policymakers should provide multiple mechanisms to transfer personal data, encourage firms to improve consumer trust through greater transparency about how they manage data, support the development of global data-related standards, and provide more assistance to developing countries to help with digital economy policy.
  • Digital free trade: Policymakers should support rules that protect data flows, prohibit data localization, and only allow narrow exceptions to these provisions at e-commerce negotiations at the World Trade Organization (WTO). Policymakers should also create new tools to enact retaliatory measures against countries that enact data localization and other digital protectionist rules. Policymakers should encourage national and global bodies to conduct surveys about the firm-level impact of data localization. Trade negotiators should develop transparency and good regulatory practices provisions to ensure opaque regulatory rulemaking can’t be used to enact barriers to data flows and digital trade.

Specific recommendations make the case that policymakers should:

  • Focus on the overarching concept of building “interoperability” between different regulatory systems;
  • Pursue new digital economy agreements and mechanisms for cooperation, such as those negotiated by Australia, Chile, New Zealand, and Singapore;
  • Work with like-minded countries to create interoperable health data-sharing frameworks. This would support the responsible and ethical cross-border sharing of health and genomic data;
  • Make the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) a global model for data governance by opening it up to non-APEC members;
  • Support efforts by like-minded, value-sharing democratic countries working together to develop a “Geneva Convention for Data” to establish common principles, processes, and safeguards to govern government access data;
  • Develop a targeted strategy to support the adoption of financial oversight frameworks that focus on regulatory access to data rather than the location of data storage; and
  • Improve existing, and build new, mechanisms to improve cross-border requests for data related to law enforcement investigations, such as CLOUD (Clarifying Lawful Overseas Use of Data) Act agreements and updated mutual legal assistance treaties (MLATs) to provide timely assistance.

The Evolution and Spread of Data Localization Continues to Degrade the Global Internet Economy

Data localization has evolved to target a growing range of data in more countries. The number of countries that have enacted data localization requirements has nearly doubled from 35 in 2017 to 62 in 2021. The total number of data localization policies (both explicit and de facto) has more than doubled from 67 in 2017 to 144 in 2021. Another 38 data localization policies have been proposed or considered in countries around the world. China (29), India (12), Russia (9), and Turkey (7) are world leaders in requiring forced data localization. Appendix A is a comprehensive and detailed list of explicit, de facto, and proposed or draft data localization measures around the world.

There are three main kinds of data localization. First, some governments restrict the transfer of particular types of data outside their borders. These include personal data; health and genomic data; mapping and geospatial data; government data; banking, credit reporting, financial, payment, tax, insurance, and accounting data; the internal company data of publicly listed companies; data related to user-generated content on social media and Internet service platforms; subscriber data and communications content and metadata for traditional telecommunications and Internet-based communication services; and e-commerce operator data.

Second, countries are increasingly restricting data in broad and vague categories involving data deemed “sensitive,” “important,” “core,” or related to national security, which often impacts a wide range of commercial data.[6] Similarly, the EU and India are moving toward extending restrictions to a broad framework targeting nonpersonal data.[7]

Third, de facto localization is also growing. By making data transfers so complicated, costly, and uncertain, firms basically have no other option but to store the data locally, especially in the face of massive fines. For example, the European Union’s removal of data transfer mechanisms, failure to add new certifications and other new legal tools for data transfers, and ever-ratcheting up of restrictions and conditions for those remaining mechanisms (such as standard contractual clauses) have the potential to make the General Data Protection Regime (GDPR) the world’s largest de facto localization framework.[8] Other examples include explicit consent requirements for personal data transfers and the need to submit data transfers for opaque and ad hoc authorization.

Governments enforce these requirements with at least five different types of rules. All these rules are bad, but their impact varies by their design, moving along a sliding scale of restrictiveness (from bad to worst):

The Five Rationales for Data Localization

Justifications for data localization have evolved. Some policymakers still inadvertently support localization, as they do not understand how firms manage data on a global basis while complying with local laws. However, more policymakers openly support localization as a form of protectionism. More policymakers (such as in France, India, and South Korea) are being creative in using arbitrary and opaque licensing, certification, and other regulatory restrictions to indirectly require data localization (and exclude foreign firms and products). These policymakers seek to avoid scrutiny from trading partners by pushing restrictions deeper into technical and administrative regulations.

Nearly all data localization proposals involve mixed motivations. Policymakers often take a “dual-use” approach with an official and seemingly legitimate objective, such as data privacy or cybersecurity, when their primary (hidden) motivation is protectionism, national security, greater control over the Internet, or some combination of these. In some cases, such as India, they use all of them.[9] A telltale sign of hidden motivations is a lack of evidence, transparency, debate, and engagement around a data localization proposal.

This section analyzes the five key motivations policymakers use to justify data localization policies.

Misguided Data Privacy, Protection, and Cybersecurity

As more countries enact updated data protection frameworks, it is nearly inevitable that some policymakers will propose data localization as they reflexively and mistakenly believe that the best way to protect data is to store it within a country’s borders. This misunderstanding remains at the core of many data-localization policies. However, the security of data does not depend on where it is stored.[10]

First, organizations cannot escape from complying with a nation’s laws by transferring data abroad. As a result, data localization is not necessary to force an organization to comply with domestic data laws. For example, if a county requires businesses to disclose data breaches, they would have to make this report whether the data breach occurs domestically or abroad. Similarly, businesses cannot circumvent data protection laws by transferring data abroad—laws and contracts can still hold them accountable for how they use data. Most companies doing business in a nation, including all domestic companies and most foreign ones, have “legal nexus,” which puts them in that country’s jurisdiction. This is crystal clear for firms in financial, payment, and other heavily regulated sectors, given their need to apply for licenses to operate.

It is nearly inevitable that some policymakers will propose data localization as they reflexively and mistakenly believe that the best way to protect data is to store it within a country’s borders.

Second, the security of data depends primarily on the logical and physical controls used to protect it, such as strong encryption on devices and perimeter security for data centers. The nationality of who owns or controls servers or which country these devices are located in, has little to do with how secure they are. For example, one of the most notorious hacks occurred against domestic, on-premise servers of the U.S. government in the U.S. Office of Budget and Management data breach.[11]

Policymakers misunderstand that the confidentiality of data does not generally depend on which country the information is stored in, only on the measures used to store it securely. A secure server in Malaysia is no different from a secure server in the United Kingdom. Data security depends on the technical, physical, and administrative controls implemented by the service provider, which can be strong or weak, regardless of where the data is stored.

Policymakers focus on the location of data storage, in part, because they do not want to tackle the more challenging factors that actually contribute to good cybersecurity, such as building greater cybersecurity awareness by users and firms and encouraging firms and government agencies to adopt and remain committed to best-in-class cybersecurity practices and services. Good cybersecurity is just as much about the people involved in managing, protecting, and accessing the data as it is about the data itself, as they are central to most cybersecurity incidents, such as the failure to update vulnerable systems or credentials being lost via phishing attacks.

Data localization actually undermines cybersecurity. First, it prevents the sharing of data to identify IT system vulnerabilities and help firms detect and respond to cyberattacks. For example, in 2020, India’s Securities and Exchange Board released a cybersecurity circular that requires financial firms to localize a broad range of data that would do just this.[12] Firms need to share data to reconcile if cyberattacks (such as those in China, India, Russia, or elsewhere) are new or known. Sharing system vulnerability information also allows cybersecurity providers to identify vulnerabilities.

Second, data localization precludes cloud service providers from using cybersecurity best practices, such as through “sharding,” wherein data is spread over multiple data centers. This gets to the broader point: While cloud computing does not guarantee security, it will likely lead to better security because implementing a robust security program requires resources and expertise, which many organizations (especially small and medium-sized ones) lack. But large-scale cloud computing providers are better positioned to offer this protection. For example, certain cloud providers offer their users advanced encryption tools to allow them to retain and use encryption keys before data is uploaded, thereby preventing third parties, including the cloud companies themselves, from accessing their data.[13]

“Data Sovereignty” Subsumes Digital Protectionism as a Leading Motivator Digital

Protectionism remains a key motivation behind many countries enacting data localization practices, but it has been subsumed into a broader narrative around cybersovereignty (also called data sovereignty or digital sovereignty) and control.

Data localization’s use for protectionism has evolved in recent years. More and more policymakers look to use it to favor local firms as they realize that data-driven innovation is at the heart of modern competitiveness and they haven’t made the long-term investments in education, infrastructure, and other enabling factors that actually help firms and economies become more competitive.[14] For example, India’s Non-Personal Data Governance Framework initially included a proposal to force firms to share anonymized datasets (undoubtedly to help local firms). Europe, India, South Africa, and others use localization to target U.S. firms explicitly.[15] Proponents often call for “policy space” for developing countries to enact protectionist-based, state-directed digital industrial policy strategies.[16]

Policymakers commonly portray cybersovereignty as a strong yet nebulous concept, usually referring to the assertion of state control over data, data flows, and digital technologies.[17] That it helps countries “take back control” and “sovereignty” from foreign technology firms and trading partners (mainly the United States, but increasingly China as well) offers added appeal to them.[18] Misconceptions about data and cybersovereignty miss the point that a complex interplay of economic, governance, social, and political factors determines a country’s position on digital issues. Policymakers deliberately—and deceptively—use these concepts to condense complex phenomena into catchy phrases.

Proponents think that forcing firms to store data locally enhances the state’s agency and that of their own firms and people. At best, the agency gained by data localization is illusory. In many cases, it is counterproductive. And in the case of authoritarian countries, it is predatory given the agencies data localization supports are those involved in surveillance and social and political control. So it’s no surprise that authoritarian countries such as China and Russia are the most significant users of these concepts (and data localization) as they align with their main political interests—maintaining power through access and control over data. Both countries frequently cite sovereignty as part of advocacy to create a top-down, state-directed global Internet (as opposed to the open, multistakeholder-based approach favored by democratic countries). The push for cybersovereignty among countries that are not inherently authoritarian gives cover to countries like China and Russia.

Europe is a leading offender. European leaders such as German chancellor Merkel and French president Macron explicitly call for both digital protectionism and data sovereignty.[19] The fact that senior European policymakers think that data stored on a foreign cloud service represents lost sovereignty shows how little some understand how firms manage data, and how much they prioritize this misguided sense of control.[20] Europe tries to position itself as a moral leader of digital regulation, using concerns over data protection and artificial intelligence (AI) to cloak their discriminatory and restrictive policies. Europe’s protectionist intent appears in nearly every digital policy proposal. Europe’s GDPR is evolving into the world’s most significant de facto data localization framework. Europe’s draft data strategy pushes for data localization and asserts that the EU needs cloud providers owned and operated in Europe.[21] Likewise, Europe’s white paper on AI advocates data localization precepts.[22] It is also evident in the proposal for a European cloud via GAIA-X.

At best, the agency gained by data localization is illusory. In many cases, it is counterproductive. And in the case of authoritarian countries, it is predatory.

Policymakers, academics, civil society advocates, and business leaders in many developing countries have turned to the related concept of “digital colonialism” to use data localization as part of broader efforts to disadvantage or block foreign tech firms.[23] It’s most frequently used in the outdated and ideologically driven narrative about the “global north” and “global south.”[24] It’s popular in India, South Africa, and the United Nations Conference on Trade and Development (UNCTAD). Many proponents are ideologically driven, opposing capitalism, big businesses, the United States, and, in some cases, the use of data and digital technology itself.[25] Local tech firms often try to take advantage. India’s richest man told India’s prime minister to take steps to end “data colonization” by global firms, saying Indians (presumably meaning his e-commerce operations) should own and control data.[26]

Data Localization for Censorship and Surveillance

Countries use data localization as a cudgel to force foreign firms to provide easier access to data for surveillance and political purposes and force compliance with censorship requirements. Commonly mixed into this rationale is the specter—both real and imagined—of foreign surveillance as a rationale for data localization, when it actually enables their own surveillance.

Digital authoritarian governments—led by China and Russia—see physical access to data centers as a critical enabler of surveillance and political control. Data localization enables political oppression by bringing information under government control and allowing the government to identify and threaten individuals, thereby impacting privacy, data protection, and freedom of expression.[27] China retains broad and vague legal authority in its laws to potentially access data for national security, public interest, and political purposes.[28] The lack of an independent judiciary and the opaque nature of these laws make it hard to judge how China uses these broad powers.[29] Yet, this doesn’t stop these countries from referring to “data privacy” as a motivation for localization.[30]

Recent laws introduced in Pakistan and Vietnam highlight how data localization does not lead to greater data privacy—but rather the exact opposite in making it easier for governments to access a small number of servers. Related, but different from this authoritarian motivation, is when countries, such as India, enact short deadlines for firms to respond to content takedown requests that create a de facto localization requirement. Firms have to do this; otherwise, they would not be able to comply (and thus avoid fines and other legal consequences).[31]

Data localization is central to Vietnam’s evolving online censorship and surveillance regime. Vietnam’s Law on Cybersecurity requires online firms to store personal and other data types locally and establish a local office in Vietnam. Its motivation is broad and vague: to protect national security, social order and safety, social ethics, and the health of the community.[32] Firms must have a license and at least one server in Vietnam for inspection at any time, store detailed information about users and their activities, and remove illegal content within three hours of notice.[33] Concerns about how Vietnam could use this to facilitate government access to data are real given the country does not have a dedicated, independent data protection agency; the responsible agency is the Ministry of Public Security.[34]

Digital authoritarian governments—led by China and Russia—see physical access to data centers as a critical enabler of surveillance and political control.

Pakistan is also using data localization to support censorship and surveillance. Pakistan’s “Removal and Blocking of Unlawful Online Content” includes broad data localization requirements. It also allows the government to force companies to block content critical of the government and facilitate access to user data. It allows the Pakistan Telecommunication Authority to avoid existing data access and privacy safeguards, and to intervene on behalf of law enforcement agencies to ask social media companies to provide user data.[35] It also makes it mandatory for firms to retain information, including traffic data linked to blocked content, and decrypted information about subscribers and their activity.

Data Localization for Law Enforcement and Regulatory Oversight

Countries continue to use law enforcement and regulatory concerns about cross-border access to data, both to justify data localization and as an excuse for digital protectionism. Some policymakers say data localization is the only way to get local and foreign firms to respond to requests for data from law enforcement and financial regulators. This reflects the mistaken belief that firms can avoid oversight and requests for data by simply transferring data out of a country, and that firms can pursue some form of regulatory or legal arbitrage in terms of picking and choosing which country’s laws they follow and which they don’t.[36] Data localization requirements do not change who is responsible for the data, regardless of where it is stored.

Some countries support data localization due to the lack of effective cross-border law enforcement legal tools and treaties. If data is stored locally, the thinking goes, foreign governments will not be able to halt investigations by stopping providers from fulfilling government requests. This mistaken belief was central to proposed localization elements in India’s draft data protection law.[37] However, policymakers in India fail to acknowledge all the contributing factors. For example, Indian law enforcement often files MLAT requests that are incomplete, poorly drafted, or inappropriate (or requests that aren’t related to criminal activity).[38] For example, after the Department of Justice (DOJ) advised an Indian prosecutor to fill out an MLAT in 2012 to obtain U.S.-stored information, the court instead issued a summons for several U.S. tech firms for not cooperating.[39] Other policymakers use this law enforcement motivation to support localization as a disguise for different goals, such as surveillance and protectionism.

Law enforcement-motivated data localization often stems from the fact that policymakers do not want to address the underlying issues with existing legal mechanisms to improve the process of making cross-border requests for data. The transnational nature of crime and digital services means that countries will inevitably need other countries’ help—even if they have localization policies in place. For example, a European Union report states that electronic evidence in some form is relevant in around 85 percent of total criminal investigations and that 55 percent of investigations require cross-border access to electronic evidence.[40] Current legal tools definitely need upgrading. For example, conflicting laws can put firms in a “catch 22” scenario wherein they face lawful requests for access to data from one country the release of which may be legally prohibited in another.[41] Governments also have mismatched legal-assistance treaties and laws.

Data localization requirements do not change who is responsible for the data, regardless of where it
is stored.

Financial regulatory oversight agencies use localization to target publicly listed companies, payment services, banks, and other financial firms, as they think it’s the only way to access data they need for their oversight responsibilities. U.S. financial regulators initially sought the option for data localization (before, thankfully, backtracking) for financial oversight.[42] The Reserve Bank of India cited the need for “unfettered” access to data for monitoring purposes in trying to justify its payments data localization requirement. Yet, policymakers in China, India, Turkey, and elsewhere that use this motivation for localization routinely fail to provide evidence that they face genuine cross-border issues related to financial oversight.[43] The false promise of “unfettered” access is made clear by the fact that even with local storage, regulators will still have to request firms to decrypt the data, in line with relevant legal checks and balances, before the data can be viewed.

Whether it is law enforcement or regulatory related, data localization is not the silver bullet policymakers think it is for improving access to data. The self-defeating nature of localization becomes clear given the scenario in which every country requires localization, thus preventing the cooperation that will still inevitably be needed given the interconnected nature of the Internet, such as emails between two people and providers in different jurisdictions. But the potential for regulatory-motivated digital fragmentation is much broader. For example, medical labs must disclose confidential data about infectious diseases, firms must share clinical trial data with medical authorities, banks must disclose data on suspicious transactions, and accountants and their clients must share data for tax audits. It’s up to rule-of-law and rights-respecting countries to set up appropriate mechanisms to improve these processes.

Data Localization Motivated by Geopolitical Risks and Financial Sanctions

Some countries use data localization, alongside other policies, in preparation for largely hypothetical (and unlikely) international financial sanctions. Some see the national payments system as part of the country’s critical infrastructure and that the use of global payment networks represents a systemic, geopolitical, and sovereign risk, as these payment services are not locally owned.

Russia is the lead example. Russia required payments data localization as part of an initiative to create a Russian payment system (called MIR) after international sanctions in 2014 targeted Crimea-based services (forcing Visa and Mastercard to end services there). These sanctions raised the hypothetical risk of it being cut off from the global financial system.[44] Russia also forced its banks to accept and issue MIR credit cards and use MIR for government-related payments.[45] This motivation is thus closely tied to Internet sovereignty, but again showing the overlap, also relates to protectionism, given it represents (digital services) import substitution. However, Russia is unique, as its disregard for international law and norms makes it a frequent target of sanctions. The vast majority of countries will never face international financial sanctions.

Despite the extraordinarily low probability of sanctions, Indonesia, Mexico, South Africa, and Vietnam have all misused national security and sovereign risk to justify payment services-related restrictions, including data localization. For example, in 2018, the South African Reserve Bank imposed a moratorium prohibiting the migration of domestic transaction volumes from BankservAfrica (South Africa’s bank-owned domestic payment switch) to international payment schemes. It stated that “there are potential sovereign/geopolitical and financial stability risks to SA from sole reliance on offshore processing of domestic transactions.”[46] Mexico’s financial regulators released draft rules requiring payments services to use local computing services as part of their license application.[47]

Estimating the Cost of Restrictions on Data Flows

Maximizing the value of data means enabling it to move. Innovation and economic growth are increasingly supported by how firms collect, transfer, analyze, and act on data. This section provides a quantitative analysis of the effects of restrictions given the relationship between data flows and economic performance. While econometric analysis provides an indicative estimate of the economic impact (given challenges with measurement and specificity), it is still important to do to reinforce to policymakers the negative effects of restrictions on data flows.

Estimating the Impact That Data Restrictiveness Has on Prices, Trade, and Productivity

ITIF’s model calculates a composite index—the data restrictiveness linkage (DRL)—to estimate the linkage of downstream industries with national data restrictiveness (based on the data intensity of those industries). We further examine the impacts that changes in data restrictions have on total factor productivity (TFP), value-added price indices (PVA), and gross output volumes (GOVs) at the industry level in each country (through the EU-KLEMS database). The model runs separate log-linear regression models between DRL and these three economic indicators to approximate the percentage changes in productivity, prices, and trade volumes incited by changes in a country’s restrictions on data transfers (table 1). It is based on econometric best practices as demonstrated by OECD and European Center for International Political Economy (ECIPE).[48] However, it differs in that it benefits from updated data from the U.S. Census ICT Survey, the OECD Product Market Regulation (PMR) database, it covers countries not covered in past models, and compares trade volumes.[49] Appendix B details the data and methodology.

Data Restrictiveness Index

ITIF uses sub-indicators from the OECD PMR Indicators database to develop a proxy measurement of how restrictive a nation’s rules are for cross-border data transfers. By taking the unweighted averages of select PMR sub-indicators, ITIF computes the data restrictiveness index (DRI) of 46 countries that OECD has PMR data available for in between 1998 and 2018. Since PMR data updates are published every 5 years, DRI of these 46 available countries is only calculated every five years (2018, 2013, 2008, 2003, and 1998). DRI is resultantly measured on a scale between 0 and 6, with 6 indicating the most data restrictive. As countries impose additional data regulations such as localization, and other government barriers and administrative requirements that limit the movement of data, their DRI increases.

PMR data is central to our model as it captures several regulations that countries use to restrict the use and transfer of data, such as explicit localization measures and restrictions related to administrative costs like requiring data protection impact assessments or data protection officers. Our selection of sub-indicators used to calculate DRI between countries over time is informed by best-practice modeling data restrictiveness via PMR proxy data as performed by a 2016 study by CIGI & Chatham House.[50]

While the PMR Indicators database reports on a wide range of regulatory activity beyond just those that determine data restrictiveness within countries, the database also provides several PMR sub-indicators that more narrowly capture restrictions on data flows. PMR “medium-level” sub-indicators distinguish more specific types of regulation. “Low-level” indicators refer to the narrowest ranges of regulatory activity observed, further breaking down OECD’s medium level indicators of PMR into more specific subjects. Pre-2018, DRI is calculated using the two medium-level indicators “Administrative Barriers to Startups” and “Administrative and Regulatory Opacity.” For 2018, DRI is calculated using five low-level PMR sub-indicators: “Assessment of Impact on Competition,” “Interaction with Interest Groups,” “Complexity of Regulatory Procedures,” “Barriers in Service Sectors,” and “Barriers in Network Sectors.” These five fully comprise the two medium-level indicators, “Simplifications and Evaluations of Regulations,” and “Barriers in Service and Network Sectors,” which are preferred due to their correlations with pre-2018 data and overlap of regulatory activity.

ITIF’s method of calculating DRI for 2018 had to adjust for a change in how the OECD reported the PMR index and sub-indicators. This was necessary to ensure the model’s use of PMR data was consistent with pre-2018 data and measurements. To do this, our model selected several PMR sub-indicators based on correlation trends between the pre-2018 years of DRI and between DRI and overall PMR of the same year, as well as by the content of sub-indicators that most specifically relate to regulations that restriction data flows. (Appendix B, equation 1 provides the details of the calculation to form DRI measurements pre-2018, whereas equation 2 provides the calculation used for 2018 DRI. Table 1 presents correlation trends that further justify the selection of sub-indicators).

Data-Intensity Modifier

ITIF’s model assumes that data restrictions have greater effects on economic industries that are more reliant on data and data-related tools and services. 2018 studies by ECIPE provide best practices for calculating the data intensity of industries and using those scores to estimate industry-level.[51] A data-intensity modifier (DIM) following this methodology is calculated by selecting a country exogenous to the model, the United States, for a given reference year. For each industry noted in the KLEMS categorization, we calculate a DIM using 2013 U.S. Census ICT Survey data on noncapitalized software expenditure and 2013 Bureau of Labor Statistics (BLS) employment data by industry to calculate the ratios of data-related service expenditures per worker in each industry (figure 1).

DIM ratios (computed in equation 3, Appendix B) measure data intensity between industries and enable us to weigh national DRI measurements in countries over time at the industry level. This allows the model to assess the straightforward point: that more data-intensive industries are more economically impacted by data restrictions than are non-data-intensive ones. And while calculating DIM exogenously helps control for issues of endogeneity within countries’ downstream industries, the model further assumes equal technologies between countries. However, that assumption is commonly made among the literature of econometric modeling on this subject and is of less concern when the set of countries within a regression model are all economically developed ones.

Figure 1: Data intensity by KLEMS industry (as log of noncapitalized software expenditure
per worker)

Data Restrictiveness Linkage and Regression Modeling

Lastly, the model develops a composite index—the data restrictiveness linkage (DRL)—linking the measurement of national data restrictiveness in a given year to the data-intensity of a given industry to produce observations in terms of country-year-industry. The DRL is the independent variable tested in regression modeling against economic performance observed at the level of country-year-industry. Equation 4 of Appendix B (also below) provides the calculation for a given country-year-industry’s DRL, which is simply the product of DRI and DIM.[52]

The model is used to test three separate regressions modeling trade outputs, prices, and productivity to examine the economic impact national data restrictions have on downstream industries. Dependent variable data at the level of country-year-industry is most widely provided by the EU-KLEMS database, from which we select three measurements to be regressed against DRL: gross output volume (GOV) to indicate trade activity (equation 5), TFP to indicate economic productivity (equation 6), and price index based on value added to indicate prices of goods and services (equation 7).

While OECD PMR data allows 46 countries to be sampled, the constrained availability of data in the EU-KLEMS database means that industry-level trade data is limited to 28 developed OECD member nations. These 28 countries include in both OECD and EU-KLEMS data comprise the set of countries included in regression analysis. The downside is this omits many developing and non-OECD countries. However, the model’s core components (DRI and DIM, and the impact they have on trade volumes, prices, and productivity) can be applied to any country, as they are representative estimates of data usage and the effect of restrictions (such as in Russia, China, and Indonesia). Equations 5, 6, and 7 provide the full regression models used to produce results shown in table 2.

GOVxyt, PVAxyt, TFPxyt are the economic measurements for a given country-industry-year. Ï• is the equation intercept (β0 estimate in log-linear regressions). θ is the coefficient of DRL (β1 estimate in log-linear regressions). DRLx y t-1 is the DRL for a given country-industry-previous year. εxyt represents the equation error term. The model further controls for issues of endogeneity by implementing a time lag, wherein economic indicators in a given year are regressed against the DRL of the previous year. Change in economic performance is also not often immediately observable in the year new policy is enacted, further supporting a time lag. Lastly, this model provides controls so that regression results of DRL’s impact on GOV, PVA, and TFP are accurately estimated by providing fixed effects for country-year and industry-year level. Fixed effects are added based on best econometric practice and control for the many country-, time-, and industry-specific factors not able to be accounted for that assuredly affect GOV, PVA, and TFP. These dependent variables are taken as natural logs to be regressed because log-linear regression coefficients best estimate the percentage changes associated with unit changes in the independent variable of interest.

General Model Results: Data Restrictiveness Has a Significant Impact on Prices, Trade, and Productivity

The model shows that restricting data flows has a statistically significant negative impact on an economy. Table 2 provides greater statistical detail on regression results. All coefficient estimates are statistically significant above the 90 percent confidence level, with PVA having an estimate p-value just above 0.05 (95 percent confidence level). TFP and GOV, however, are both highly statistically significant above the level of 99 percent confidence. Interpreting the coefficient estimates of DRL by the log-linear regression interaction provides the percentage changes in GOV, TFP, and PVA associated with a one unit increase in a country’s DRI.

Table 2: Regression results

Note: Robust standard errors in parentheses, *** p<0.001, ** p<0.05, * p<0.1
Source: Authors

Restrictions on data flows are most strongly associated with a decrease in GOVs. Gross output measures the total amount of goods and services traded, including both final and intermediate output. By interpreting the regression coefficient -0.073, the model finds that on average, a 1.0 unit increase in a country’s DRI (from the sample of 28 OECD member countries) is associated with a 7.05 percent decrease in its gross output traded. This naturally gives a relationship between data restrictions and gross output that is higher than a more traditional measurement of economic growth such as gross domestic product (GDP), which accounts for only final outputs produced. Loss in gross output surely still indicates a loss in GDP, but by a notably smaller proportion given that GDP excludes measurement of intermediate outputs. While the highest data-intensive industries identified in the model would be most affected, such as Telecommunications or Other Business and ICT, nearly every single sector of economic activity requires some usage of data to facilitate trade, from mining to retail to construction.

More significant data restrictions also artificially increase the prices (and reduce the supply) of goods and services that rely on data, such as data analytics, targeted advertising, and software used to manage global workforces, product networks, and supply chains. The model estimates that countries that restrict data transfers experience lower trade volumes, leading to increased prices of goods due to reduced supply. Data localization may also force a more-innovative and price-competitive service provider from the market, thus allowing a more expensive or inferior product to seize market share.

Over five years, a one-unit increase in a country’s DRI is associated with a 7 percent decrease in its gross output traded, a 2.9 percent decrease in productivity in downstream industries, and a 1.5 percent increase in prices among the goods and services those industries provide.

The regression model’s results support this intuitive analysis of the trade and economic impact resulting from countries’ data localization policies. The model finds that a one-unit increase in a country’s DRI is associated with a 1.5 percent increase in the prices of goods and services that downstream industries produce (in aggregate, over five years). This result means that as data becomes more heavily restricted, the remaining output among industries becomes more expensive to consumers than would otherwise be expected in a scenario wherein there exists free flows of data and data-driven goods and services.

Data and data-driven tools are increasingly important determinants of productivity, which is essential to long-run economic growth. Estimating TFP helps policymakers understand how efficient industries are at using their production inputs and how innovative those industries are at utilizing new technologies. Our regression modeling on TFP finds that a one-unit increase in a country’s DRI is associated with a 2.9 percent decrease in productivity in downstream industries. This negative productivity shock can cause GDP to decrease, with a 2.9 percent decrease in a country’s productivity translating to notable losses in living standards and economic growth. Without access to the most competitive and innovative data-related inputs, firms must use available labor and capital less efficiently, which reduces productivity and, of course, translates into decreased economic growth at the national-economy level.

Specific Model Results: China, Indonesia, Russia, and South Africa All Suffer From Data Restrictiveness

Applying the model’s statistically significant relationships on data restrictiveness, lower productivity, less trade, and higher prices allows one to estimate the economic costs in countries of interest beyond the OECD sample set. While the model’s findings on the relationships between increased data restrictions and changes in TFP, PVA, and GOV are identified in the context of developed OECD countries, the model’s findings still have value in being applied to countries beyond this context, given the degree of statistical significance identified in variable relationships and the lengths of controls placed in the model via multiple fixed effects. Since econometric modeling using a proxy variable (DRI, and in turn, the compositive index DRL) is not an exact measurement of national data restrictions per country, some countries may naturally be underestimated or overestimated. Proxies are further constrained in their extended application by the availability of data for observations outside a studied sample. However, analysis of a proxy variable still identifies significant trends in data on average.

ITIF selected four nations—China, Indonesia, Russia, and South Africa—whose DRI and changes in DRI (between 2013 and 2018) strongly support qualitative findings of expanded data restrictions in this report and are therefore known to be well fitted by the proxy variable used. The countries listed in table 3 all have data in the OECD’s PMR database for both 2013 and 2018 (the most recent years available), allowing us to calculate their changes in DRI over that time (unfortunately, there isn’t data for India for both years, otherwise it would also be added). The ranking includes all 46 countries with DRI able to be calculated between 2013 and 2018 (where a rank of first indicates the most data restrictiveness). Figures 2 and 3 of Appendix B details 2013 and 2018 rankings for these 46 countries. By multiplying the changes in DRI observed between 2013 and 2018 by the percentage changes in GOV, TFP, and PVA associated with a unit increase in DRI, the model can estimate the economic costs borne by countries that imposed additional restrictions on data (model produces an aggregate total for 2013 to 2018).

Changes in the DRI ranking align with the report’s analysis and listing of data localization measures. China was the most restrictive country in both 2013 and 2018. Over those six years, China’s DRI increased by 0.25 points. Our econometric analysis estimates that over five years, these restrictions decrease output by 1.7 percent and productivity by 0.7 percent and leads to a 0.4 percent rise in prices among downstream industries.

Indonesia, Russia, and South Africa are all notable cases that reflect their growing interest in enacting barriers to data flows in recent years. Both Indonesia’s and South Africa’s DRI rankings increased by 1.0 point between 2013 and 2018. These two countries face the most significant marginal losses by changes in data restrictiveness policy over this time span. The model estimates that over five years from 2013 to 2018 (cumulatively), South Africa’s volume of gross output fell by 9.1 percent, productivity fell by 3.7 percent, and prices rose by 1.9 percent due to increased restrictions imposed on data flows.

For Indonesia, the model estimates that over the five years, its more-significant data restrictions reduced GOVs by 7.8 percent, lowered productivity by 3.2 percent, and raised prices by 1.6 percent. In the case of Russia, its heightened data restrictions between 2013 and 2018 cost an estimated 4.9 percent reduction in trade volume, a 2.0 percent reduction in productivity, and a 1.0 percent increase in prices of goods and services on average nationally.

These losses in trade and productivity due to increased data restrictiveness held back these countries’ potential economic growth. Had South Africa and other countries not enacted more restrictions on data, their economies would not have suffered the expensive marginal costs of data localization estimated by the model.

Table 3: Economic costs of case studies due to changes in DRI

Note: DRI rankings are based out of 46 countries maintained in both 2013 and 2018 within the OECD “Indicators of PMR” database. As a result, this ranking excludes notable countries such as India and Argentina.

Source: Authors.

Recommendations to Build Global Data Governance and Constructive Alternatives to Data Localization

Building an open, rules-based, and innovative global digital economy will depend on a small group of proactive and ambitious countries working together. This path ahead reflects the fact that there is no global forum for cooperation and progress on data issues—and nor should there be at this stage. Former Japanese prime minister Abe deserves a lot of credit for putting data governance and localization on the global agenda with his concept for “data free flow with trust,” which is a vision wherein openness and trust exist in symbiosis, not as contradictions.[53] However, it is still conceptual and has not been defined.

Countries that support this goal will need to work together to develop new norms, rules, cooperation mechanisms, and agreements to address legitimate concerns raised by cross-border data flows while supporting the free flow of data. These initiatives can then form the foundation for broader debate, adaptation, and adoption to expand to more issues and countries. It will be challenging to develop a common agenda, even among core countries such as Australia, Canada, Chile, Japan, New Zealand, Singapore, the United Kingdom, and the United States. It will be difficult, if not impossible, to make meaningful progress in any forum that involves China, Russia, and others that support digital protectionism and control. It’s hard to include Europe given its inability to genuinely engage and collaborate with counterparts unless its privacy preferences prevail over everyone else’s.

This section outlines key recommendations to build global data governance. It starts by providing high-level recommendations.

Recommendations on data governance best practices:

  • Governments should provide multiple mechanisms for the cross‑border transfer of personal data. These mechanisms should be accessible to firms of all sizes. Countries should explicitly mention acceptable frameworks and standards for transfers.
  • Governments should encourage businesses to improve transparency on how they manage data, including on a global basis, such as by regularly disclosing information about government requests for data.
  • Governments should support global, market‑led, voluntary, and consensus‑based efforts to develop and use data and digital technology standards, such as via multistakeholder forums and intergovernmental forums (e.g., OECD).
  • Governments should protect cloud-based government data and services by ensuring that cloud providers are audited and certified against national and international standards, sector-specific regulations (such as health care and financial), national certifications (e.g., U.S. FedRAMP, Germany C5, Australia IRAP), and global accreditations (e.g., ISO 27001 and ISO 27018).[54]
  • Developed economies should provide technical assistance and capacity‑building assistance to developing economies to help them build their data governance framework.

Recommendations to support digital free trade and counter digital protectionism:

  • Support an ambitious outcome on data flows at the e-commerce negotiations at the WTO, including an explicit prohibition on data localization and narrow and detailed exceptions. The United States and others should exclude China and Russia and others that do not support ambitious outcomes. A weak result may be worse than no deal at all.
  • To create reciprocity, policymakers from digital free-trade countries should develop new countermeasures against countries that enact data localization and other digital protectionist measures. Firms from digital protectionist countries shouldn’t benefit from open digital markets.
  • Policymakers should encourage national, regional, and global organizations to conduct detailed surveys about the impact of data localization and other barriers to cross-border data transfers.[55]
  • Digital free-trade countries should advocate for transparency and good regulatory practices as part of trade agreements, such as allowing parties to request the publication of impact assessments to ensure that digital regulations are appropriate, proportionate, and effective.

Build Interoperability Into Global Data and Digital Economy Governance

Policymakers should put the concept of “digital interoperability” at the center of their strategy for developing rules for the global digital economy. Interoperability means that countries enact laws to address data privacy, cybersecurity, and other issues in broadly similar ways so that they each provides a similar level of protection or similarly addresses a shared objective, even if their specific legal and regulatory frameworks differ. At its most fundamental level, interoperability is the ability for firms to transfer and use data and other information across applications, systems, services, and jurisdictions.[56] Interoperability is the most realistic goal for global data governance. It accounts for the fact that countries have differing legal, political, and social values and systems, and there is no one law for any specific data-related issue.

Interoperability is central, yet often invisible, to the integration of the global digital economy.[57] Interoperability depends on governments, businesses, and other stakeholders developing common ways to mitigate risks and address shared concerns. Interoperability has many benefits. It supports innovation, competition, and consumer choice as it facilitates access and development of more data and data-driven services, which reduces barriers to market entry.[58] It improves regulatory outcomes and trust as jurisdictions with similar legal concepts and approaches address issues that arise from cross-border data flows similarly (thus avoiding regulatory conflict, arbitrage, and avoidance). In this way, interoperability supports reciprocity given regulatory compatibility.[59] Interoperability can also build trust between trading partners, as they have some assurance that counterparts won’t use data localization to target their firms, and their firms’ digital products, unfairly.

Policymakers should put the concept of “digital interoperability” at the center of their strategy for developing rules for the global digital economy.

While data privacy is a critical focal point for the concept of interoperability, it extends much further to cybersecurity, payment services, financial oversight, and any number of digital processes and services that relate to trade.[60] What interoperability looks like in practice depends on the specific sector and policy concern. Stakeholders working to build interoperability in the global digital economy should look to develop and use different tools at different technological layers and levels of integration (figure 1).

Figure 1: The different layers of global digital interoperability

At the first stage, stakeholders can build policy interoperability by supporting early research and discussions about potential best practices (such as to address bias, violent content online, certain uses of AI, e-identity, e-invoicing, or other issues) and joint pilot projects and regulatory sandboxes to test potential regulations. All stakeholders (government, private sector, academia, and others) should have the opportunity to participate, given these early discussions represent brainstorming and the testing of regulatory ideas.

At the second stage, stakeholders can build technical interoperability so that data and digital services can move across jurisdictions, and between different applications and infrastructure, with straight-through processing—that is, processing data and digital services without additional human intervention. Otherwise, differential and restrictive regulations can prevent technical systems from working across borders. Application Programming Interfaces (APIs) and international standards are two key tools that create common protocols and specifications that allow different services and applications to connect and work across jurisdictions.[61] For example, the International Organization for Standardization and the International Electrotechnical Commission joint committees are developing standards to facilitate technology interoperability, including of AI, big data, and Internet of Things systems.[62] Digital economy agreements cite specific international standards to ensure interoperability between payment systems.[63] There are also initiatives such as the U.S. National Institute of Standards and Technology’s Cybersecurity Framework and APEC’s Cybersecurity Workstream that seek to build a risk- and standards-based approach to cybersecurity.

At the third stage, stakeholders can build network interoperability so multiple parties can connect their individual systems to a broader network to ensure seamless processing. Much like the Internet, networks need common rules and regulations to support reliability and access. For example, payment network interoperability involves bilateral agreements and connections (e.g., between a payment network and a central bank or a remittance provider) to provide processing across multiple networks for complex cross-border transactions.

At the fourth and final stage, governments build regulatory interoperability through mutual recognition agreements between countries, recognizing other countries’ respective regulatory approvals or certifications as valid in their own country, and explicitly referencing specific standards and legal frameworks (such as APEC CBPR).

Pursue New Digital Economy Agreements and Mechanisms for Cooperation

The global digital economy is in dire need of new rules to protect digital trade and data flows. However, these rules are not sufficient given how fast technology and regulatory requirements change. Technology and associated business models outpace traditional trade agreements and domestic regulations related to data and digital trade. This mismatch in speed will continue.[64] Digital trade needs early and ongoing engagement to ensure regulatory interoperability, both now and in the future. It is the reverse approach in Europe—rush to regulate and restrict and then consider international implications (when reforms to address barriers to trade are hard to do). Digital trade cannot be just one and done as in traditional trade negotiations. Digital economy agreements should be living agreements.[65] Countries such as Canada, Japan, the United States, and others that support an open, innovative, and integrated global digital economy should join or emulate the digital economy agreements Australia, Chile, New Zealand, and Singapore have negotiated.[66]

Digital economy agreements combine legally binding and enforceable commitments on well-known digital trade issues (such as data localization) and soft commitments to cooperate on emerging regulatory issues (via memorandums of understanding (MOUs)). They can adjust to the changing nature of digital trade, technology, and regulation. This involves proactively bringing domestic regulatory agencies into trade discussions when they are only just starting to think about new rules for digital issues. The nonbinding nature of the cooperation enables experimentation and allows partners to address new problems quickly without getting distracted by the horse trading involved in traditional trade negotiations.

Digital economy agreements represent a flexible and accessible approach to building interoperability between digital economies at varying levels of development. In particular, the Chile-New Zealand-Singapore Digital Economy Partnership Agreement (DEPA) and its modular structure for its various issue (AI, e-identities, data flows, open data, fintech, e-invoicing, etc.) areas are open to all who can meet its ambitions.[67] Canada and Korea have expressed interest in joining. Just as APEC’s early and ongoing digital economy discussions built the foundation for the ambitious digital rules in the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), so too can these digital economy modules provide the basis for new norms and rules.[68]

Digital economy agreements raise different challenges to traditional trade negotiations. Mainly, they require genuine buy-in from regulatory agencies to work with their trade colleagues and their foreign counterparts. MOUs and soft commitments to cooperate in trade agreements are a dime a dozen. The benefits of digital economy agreements depend on parties bringing the commitment to cooperate to life. For example, Australia and Singapore have already done a joint study to identify ways to cooperate on new digital standards. They are also developing pilot projects for shared e-identify and e-invoicing policies.[69]

The benefits of digital economy agreements are harder to quantify than are the econometric modeling of tariff cuts in traditional trade agreements. Firms benefit from the certainty of knowing they can transfer data as part of cross-border digital trade and innovation. In the long term, firms also benefit from early regulatory interoperability by avoiding barriers to digital trade related to new laws. Regulatory engagement also builds trust and confidence among regulators (and consumers) that trade commitments on data do not impede regulatory responsibilities (for privacy, etc.) and can improve oversight as it allows information sharing and joint investigations.

Support Data-Driven Health Research via Interoperability Frameworks

Countries that recognize the value in supporting data-driven health research should work together to create domestic and international frameworks to facilitate the reasonable, responsible, and ethical cross-border sharing of health and genomic data. Data-driven health services and research holds enormous societal and economic benefits. From screening chemical compounds to optimizing clinical trials to improving post-market surveillance of drugs, the increased use of data and better analytical tools such as AI hold the potential to transform drug development, leading to new treatments, improved patient outcomes, and lower costs.[70]

Yet, health and genomic data are among the most common targets of data localization.[71] Health data requires specific attention, as it often involves sensitive personal data. However, enacting overly severe restrictions on its use does nothing to help improve health outcomes. For example, multiple joint EU-U.S. health research initiatives have ended or been severely restricted due to the EU’s GDPR.[72] A growing number of health firms and researchers have called for governments to step in as restrictive data privacy rules prevent cross-border health research. For example, in February 2020, leading health researchers called for an international code of conduct for genomic data following the end of their first-of-its-kind international data-driven research project that ran into significant issues when using data centers across various regions.[73]

Policymakers should create clear rules and frameworks to allow people, firms, universities, and public agencies to share health data. For example, the Global Alliance for Genomics and Health brings together hundreds of health care, university, and biopharmaceutical and technology companies to create ways to enable the responsible, voluntary, and secure sharing of genomic and health-related data.[74] The World Economic Forum’s Breaking Barriers to Health Data is also working to build a pilot project that uses federated data systems to share genomic data.

Use APEC’s Cross-Border Privacy Rules to Build a Global Data Privacy Framework

Australia, Canada, Japan, Singapore, the United States, and others interested in developing a high-standard framework for data protection and digital trade should use APEC’s Cross Border Privacy Regime to create a global interoperable model for data governance.

Countries that recognize the value in supporting data-driven health research should work together to create domestic and international frameworks to facilitate the reasonable, responsible, and ethical cross-border sharing of health and genomic data.

Europe’s push for harmonization—that every country adopt its ever-shifting and restrictive approach to data privacy—is misguided and untenable in the long term. There is no single data privacy law. Countries should ignore European privacy officials' critical view of interoperability, which threatens their strict adherence to privacy fundamentalism.[75] There is no way every country will harmonize rules on government surveillance, government access to data, and data privacy. As U.S. Deputy Assistant Secretary for Services Christopher Hoff tweeted, “A lot of awesome things about the GDPR but there have been 13 adequacy decisions in the past 26 years and one keeps getting knocked down. So interoperable frameworks ... have to be the future.”[76]

APEC’s CBPR is an accountability-based mechanism that facilitates privacy-respecting data flows.[77] Firms must implement a set of data privacy policies consistent with the APEC Privacy Framework, such as those on accountability, notice, choice, collection limitation, integrity of personal information, uses of personal information, and preventing harm. An APEC-approved accountability agent audits and certifies companies meet these commitments. Each CBPR member country’s data privacy agency is responsible for enforcement. Despite being in place for some years, CBPR is still in its early stages, with only around 40 certified companies, such as Apple, Cisco, IBM, Tencent (their Singapore entity), and Mastercard. Thus far, Australia, Canada, Chinese Taipei, Japan, Mexico, Singapore, South Korea, and the United States have joined CBPR.

Existing CBPR members should open CBPR to non-APEC members so it can become a global (rather than regional) model for data governance. The United States has proposed this.[78] CBPR would be attractive to a diverse range of countries. Other APEC and non-APEC countries could join the system, the benefits of which would grow with each new member. The Philippines is already in the process of joining CBPR. Adding Brazil, Chile, Colombia, New Zealand, Peru, the United Kingdom, and others would make it a global framework. A global CBPR would be attractive to governments as it would focus on core principles and accountability (rather than strict legal harmonization), recognizing that there is no one-size-fits-all approach to privacy. CBPR certification would also be attractive to firms as it would mean that they would essentially be subject to one privacy regime for data transfers between all CBPR members. It would provide enormously valuable economies of scale in terms of incentivizing firms to undergo certification.

The United States and others would need to create a new CBPR outside of APEC, as China and Russia would likely oppose efforts to make reforms within APEC (even though they are not members of CBPR). CBPR would essentially become a global data privacy certification mechanism that countries could recognize as a valid legal transfer mechanism in domestic laws (as Bermuda has done, even though it is not in APEC).[79] Ultimately, a new global CBPR also presents an opportunity for Australia, Japan, the United States, and others to bring to life a clear alternative data governance model to the EU’s restrictive GDPR and China’s model of digital control and protectionism.

Build a Framework for Government Access to Data

Like-minded, value-sharing democratic countries should work together to develop a “Geneva Convention for Data” to establish common principles, processes, and safeguards to government access to data. Such an agreement could also settle questions of jurisdiction, establish rules of transparency, create better cooperation for legitimate law enforcement requests, and limit unnecessary access to data by governments. Like-minded countries need to find a way to develop a common approach that balances privacy, trade, law enforcement, and national security interests, as concerns about mass government access to data underpin many data localization proposals worldwide.

The Snowden revelations about U.S. government surveillance created the first major wave of data localization proposals. Since then, concerns—real and imagined—about foreign government access to data have led to greater data localization worldwide, even if these concerns are often selectively and hypocritically applied (such as in Europe). Concerns about Chinese government access to data is motivating a second wave of restrictions.

A new global CBPR also presents an opportunity for Australia, Japan, the United States, and others to bring to life a clear alternative data governance model to the EU’s restrictive GDPR and China’s model of digital control and protectionism.

Government access to data, especially for national security-related surveillance, is an extraordinarily sensitive issue. Despite its sensitivity, a tightrope to progress has appeared. In 2021, the G7 put the issue on its agenda and tasked OECD to provide research and advice, including a comparative assessment of frameworks that will hopefully identify commonalities, conflicts, and gaps. This is enormously useful and will hopefully provide the basis for constructive discussions.[80]

The best chance of developing a common approach would be via a small group of democratic, rule-of-law countries—brought together due to shared values and interests and a commitment to digital innovation—to discuss pragmatic ways to balance competing equities, including privacy expectations, national security concerns, economic interests, and democratic values. The goal would be to move away from creating nation-based clouds and instead move toward value-based clouds. It would be pragmatic by creating common oversight and accountability measures to reduce costs and improve trust. Ideally, any such Geneva Convention for Data would settle questions of jurisdiction; set common terminology, safeguards, and remedies; improve accountability and transparency; provide some independent oversight; and increase cooperation and understanding between national security, data protection agencies, and the broader public.

Focus on Access, Not Location: Support Financial Regulatory Oversight and Data Flows

Australia, Japan, Singapore, the United Kingdom, and the United States should develop a financial data governance strategy to advocate that financial, banking, securities exchange, and payment regulators focus on access to data rather than where it’s stored.

Like-minded, value-sharing democratic countries should work together to develop a “Geneva Convention for Data” to establish common principles, processes, and safeguards to government access to data.

Financial data is among the most targeted categories for localization. Yet, in the logical end state where many countries enact localization, all will be hampered because today’s global digital economy means there will inevitably be cross-jurisdictional data. Several enlightened financial regulators—usually reticent to give up any semblance of control—have worked with their trade officials and foreign counterparts on new legal frameworks and mechanisms for cooperation. The goal is to support cross-border data flows while ensuring they still have access to data for oversight purposes.[81]

Recommendations:

  • Leading countries and their regulators need to develop a global financial data strategy to create “trust” mechanisms between financial regulators to ensure financial oversight does not impede financial data flows and innovation. Financial regulators from Australia, Singapore, the United Kingdom, and the United States demonstrate how this can be done via new MOUs that provide certainty about regulatory responsibilities, improve cooperation between regulators, and give assurances to firms that financial data can move freely.[82]
  • Leading countries should advocate for clear and detailed financial data governance and transfer rules in trade agreements, such as in the U.S.-Mexico-Canada Trade Agreement and the Australia Hong Kong Free Trade Agreement.[83]
  • Build out the G7’s role as a central forum for leading countries and institutions to manage shared concerns about financial data flows and governance. It already involves leading governments and institutions, such as the Financial Stability Board, the Bank for International Settlements, and the International Monetary Fund.
  • Leading countries should pursue greater bilateral engagement to help encourage as many countries as possible (and not in the G7/G20) that the same principles and processes are relevant. Building understanding among financial regulators through engagement, workshops, and conferences will be a slow process. Still, it is essential to get them onboard with enacting the proper framework for managing financial data across jurisdictions.

Improve Mechanisms to Help Law Enforcement Make Cross-Border Requests for Data

The globalization of criminal evidence should drive reforms regarding how law enforcement can access communications and other records in other countries as part of legitimate investigations while abiding by privacy and human rights protections. Criminals should not escape the law simply because police cannot access the data they need efficiently. Unfortunately, in the absence of updated legal mechanisms, there is the potential for a legal arms race calling for mandatory data localization requirements, which will ultimately hurt all law enforcement efforts to deal with what is a global problem. The following recommendations proceed along a sliding scale from least to most advanced, depending on the country and its situation.

Countries such as India and Indonesia should review and reform domestic legal frameworks to enable more efficient cross-border access. For example, the EU’s “e-evidence” proposal streamlines cooperation between service providers and law enforcement in the bloc.[84] Central to this effort would be a working group with diverse stakeholders, including representatives from different government departments, the private sector, civil society organizations, researchers, and experts in international law to formulate reforms and model data transfer agreements.[85] There are various issues involved in improving legal cooperation and compatibility: the standard of proof, authorized authorities and the judicial or independent validation of requests, necessity and proportionality, the ability for service providers to challenge requests, the types of crimes covered, and others.[86]

Countries should pay attention and provide the necessary resources to improve existing legal processes and treaties, as existing legal processes and treaties are out of date, needlessly complex, and often delayed due to poorly resourced local agencies.[87] At the moment, MLATs remain the dominant international framework for enabling cross-border data access. The MLAT process is not working well. For example, the U.S. government can take up to 10 months to complete MLAT requests (leading to a massive backlog), while requests from the United States to Ireland take only 15 to 18 months.[88] Meanwhile, some countries take years to respond to requests, while others, such as Russia, often do not respond at all.[89]

Countries should sign on to the Budapest Convention on Cybercrime—the world’s first cybercrime treaty, negotiated 20 years ago—and support ongoing efforts to improve it via a new (second) protocol. This new protocol would help law enforcement agencies secure evidence from service providers in foreign jurisdictions.[90] The proposed language of the second protocol focuses on five major provisions: language of requests, videoconferencing, emergency mutual legal assistance, direct disclosure of subscriber information, and giving effect to foreign orders for the expedited production of data.[91]

At the most advanced stage, countries should consider new legal mechanisms that make the exchange of data for law enforcement purposes more efficient while still providing privacy and other safeguards. For example, the EU-U.S. Umbrella Agreement, the EU-U.S. Terrorist Finance Tracking Program Agreement, and the U.K.-U.S. CLOUD Act executive agreement represent useful models. They incorporate commonly recognized global privacy principles while accounting for local interpretation and different legal structures. And overall, they work without impeding data flows.[92]

The United States should pursue more CLOUD Act agreements, just as other countries should consider reforms to allow them to enter negotiations. The United States’ first CLOUD Act agreement with the United Kingdom established a baseline for talks with Australia and the European Union.[93] They provide a lawful mechanism for law enforcement in either the United States or the other signatory to request data directly from a service provider in the other country without going through the mutual legal assistance process.[94] CLOUD Act agreements do not give law enforcement agencies any new legal authority to acquire data. They simply help like-minded, rights-respecting countries improve the exchange of data for legitimate law enforcement investigations.[95] Furthermore, the United States has made clear that it wouldn’t pursue CLOUD Act agreements with countries that do not respect the rule of law and fundamental human rights.[96]

Criminals should not escape the law simply because police cannot access the data they need efficiently. Unfortunately, in the absence of updated legal mechanisms, there is the potential for a legal arms race calling for mandatory data localization requirements

CLOUD Act agreements are in everyone’s best interest. They minimize potential conflicts of law between countries, thus providing legal certainty for both firms and law enforcement agencies. If anything, non-U.S. law enforcement agencies benefit more from CLOUD Act agreements, as many of the world’s leading service providers are American. It helps firms because it is a clear, efficient framework. The CLOUD ACT is also a direct tool to counter data localization. It requires DOJ to provide a written certification that a country "demonstrates a commitment to promote and protect the global free flow of information and the open, distributed, and interconnected nature of the Internet."[97]

Conclusion

Data-driven innovation and digital trade are only going to become more central to the global economy. Governments need to update laws to address legitimate data-related concerns that arise, but this should be done in a considered way so that people, firms, and governments can maximize the enormous societal and economic benefits of data and digital technologies. Restricting the movement of data does nothing to help improve societal or economic outcomes. The recommendations show how like-minded countries can develop shared governance arrangements that can work across legal systems, create reciprocity and nondiscrimination, and build-in independent redress and oversight, all the while allowing data flows.

Meanwhile, digital protectionists and scofflaws such as China and Russia refuse to support digital free trade or join global efforts to improve law enforcement cooperation on cybercrime.[98] What is particularly crucial is that countries that support shared digital governance need to dedicate far more resources to help the many “swing states” that have not enacted localization and have not yet decided to follow the EU or China’s model of restrictions and control. The success or failure of this engagement and these new agreements and legal mechanisms will go a long way toward shaping the Internet of the future and whether it remains open, integrated, and innovative or closed, fragmented, and based on state control.

Appendix A: List of Data Localization Measures

This a comprehensive list of explicit, de facto, and proposed data localization policies around the world, organized by specific region, and in some cases, country.

Africa

Country

Type of Data

Data-Localization Policy

Cote-d’Ivoire

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and De Facto Localization

2013: Cote-d’Ivoire enacted privacy laws which required firms to get pre-approval from the regulator before processing personal data outside of the Economic Community of West African States (ECOWAS, which includes 15 member countries, ranging from Benin, Ghana, Liberia, Mali, Niger, Nigeria, and Senegal).[99]

Ghana

Direct and Explicit Localization

2019: Ghana enacted the Ghana Payment Systems Bill & Guidelines, which among many other things, set out the requirements to obtain a payment systems operator license.[100] In particular, it calls for: firms to establish a local entity, at least 30 percent local ownership, and for a board of directors that includes at least three Ghanaians, one of which must be the CEO. In July 2018, Ghana issued draft regulation that required all domestic transactions to be processed by the Ghana Interbank Payment and Settlement Systems Limited (GhiPPS, which is wholly owned by the Central Bank of Ghana). However, there was significant industry concerns, so the final implementing directive has not yet been issued.

Kenya

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\Public.png

Indirect and De Facto Localization

2019: Kenya’s Data Protection Act excluded explicit data localization provisions from in earlier drafts, but still included unclear and potentially restrictive provisions governing the cross-border transfer of personal information, such as explicit consent for transfers of “sensitive personal data” (a broad category) and that data controllers provide unspecified proof that personal data transferred abroad receives the same protection as if stored at home. Furthermore, it empowers a political official to prohibit the cross-border transfer of certain categories of data, creating uncertainty for businesses. Regulations implementing these provisions are being developed.

Proposed Measures

2021: Kenya’s released draft data protection regulations (to implement the Data Protection Bill) requires firms to store data (a copy) and process data locally if the data processing is done “for the purpose of actualizing a public good.” This apparently includes managing an electronic payment systems licensed under the National Payment Systems Act; processing health data for any other purpose other than providing health care directly to a data subject; managing personal data to facilitate access of primary and secondary education: and management of a system designated as a protected computer system under the Computer Misuse and Cybercrime Act, 2018.[101]

2018: Kenya released a draft Data Protection Bill for comment that included a number of provisions that either directly or indirectly lead to data localization.[102] Kenya’s Data Protection Bill (part VI, section 44) states: Every data controller or data processor shall ensure the storage, on a server or data center located in Kenya, of at least one serving copy of personal data to which this bill applies; The cabinet secretary shall prescribe, based on strategic interests of the state or on protection of revenue, categories of personal data as critical personal data that shall only be processed in a server or data center located in Kenya; and Cross-border processing of sensitive personal data is prohibited.[103]

2016: Kenya’s Communications Authority considered including data localization provisions within Kenya Information Communications (Cyber-Security) Regulations (2016). Article 10(1) required the hosting and storage of “public information” within Kenya.[104]

Nigeria

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\Telecom.png

Direct and Explicit Localization

2015: Nigeria enacted broad data localization requirements as part of the Guidelines for Nigerian Content Development in ICT. Nigeria wants ICT companies to “host all subscriber and consumer data” and all government data inside the country.[105]

2011: The Central Bank of Nigeria enacted local storage and processing requirement for entities engaging in point of sale (POS) card services. Domestic transactions cannot be routed outside Nigeria for switching between Nigerian issuers and acquirers.[106]

Rwanda

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\Public.png

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\Telecom.png

Direct and Explicit Localization

2012: Rwanda enacted a regulation that all critical information data within government (website hosting, email hosting, shared applications such as Document management and e-archiving, and enterprise applications) should be hosted in their national data center.[107]

Indirect and De Facto Localization

2017: Rwanda’s telecommunications regulator fined MTN (a telecommunications company that is a subsidiary of South Africa’s MTN Group) US$8.5 million (10 percent of its annual turnover) for maintaining Rwandan customer data in Uganda and for running its IT services outside the country in breach of its license.[108]

Senegal

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\Public.png

Direct and Explicit Localization

2021: Senegal announced that it will move all government data and digital platforms from foreign servers to a new national data centre in hopes of strengthening its digital sovereignty.[109]

South Africa

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\other.png

Direct and Explicit Localization

2018: The South African Reserve Bank imposed a moratorium prohibiting the migration of domestic transaction volumes from Bankserv (South Africa’s bank-owned domestic payment switch) to international payment schemes. The South African Reserve Bank enacted the moratorium after it found out that domestic South African banks planned to move more of their transactions to global payment service networks. The moratorium was to be in place until a new policy was developed and enacted.[110]

Indirect and De Facto Localization

2013: South Africa’s Protection of Personal Information Act (the POPI Act), which makes the transfer of personal information outside of South Africa subject to certain exceptions, which raise potential concerns about how these rules will be interpreted and enforced, as they could become de facto data localization tools, especially given its requirement for explicit consent for transfers.[111]

Proposed Measures

2021: South Africa’s “Draft National Policy on Data and Cloud” recommends data localization and local data processing for all data related to “critical information infrastructure” and data mirroring for personal data (for the purposes of law enforcement). It also states that all data generated in South Africa shall be the property of South Africa, regardless of the nationality of the firm involved in collecting it.[112]

Europe

Country

Type of Data

Description

Andorra

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and De Facto Localization

2004: According to the Protection of Personal Data Law, personal data can only be transferred freely to states deemed sufficiently secure in their cyber capabilities. Personal consent must be obtained to transfer data to an insecure state.[113]

Armenia

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and De Facto Localization

2015: According to the Law on Personal Data, personal data may only be transferred cross-border when there is personal consent, or it is necessary to finish processing previously consented to by the individual. A transfer permit is required to transfer personal data to states deemed insufficiently secure.[114]

Azerbaijan

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and De Facto Localization

2010: According to the Law on Personal Data, cross-border personal data transfers are prohibited if the transfer creates a threat to the national security of the Azerbaijan Republic, or if the transfer is going to a country not deemed sufficiently secure. Personal data can still be transferred to an insecure country if the individual consents to it, however.[115]

Belgium

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\accounting.png

Direct and Explicit Localization

2005: According to Companies Code – Article 463, the company register of shareholder and register of bonds must be kept at the office, or since 2005 can be stored electronically as long as they are readily accessible at said office.[116]

1992: According to the Income Tax Code – Article 315, income tax documents must be kept at the disposal of the office where they have been kept, prepared, or sent.[117]

1992: According to VAT Code – Article 60, VAT invoices must be stored in Belgium or another EU member state.[118]

Bosnia and Herzegovina

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and De Facto Localization

2006: According to the Law on Protection of Personal Data, personal consent, contractual necessity, or vital interest are needed to transfer personal data cross-border to a state deemed insufficiently secure. However, there is no specific list of which states Bosnia and Herzegovina views as secure, so the individual data controller is responsible for making this decision.[119]

Bulgaria

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\other.png

Direct and Explicit Localization

2012: According to the Gambling Act, when applying for a gaming license all relevant data must be stored on a server in Bulgaria. Communications equipment and the central computer must be located in the EEA or Switzerland.[120]

Cyprus

Direct and Explicit Localization

2007: Cyprus has failed to replace several restrictive provisions under the Directive on Data Retention, which was declared invalid by the Court of Justice of the European Union (ECJ). This directive required data operators to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law-enforcement authorities for the purposes of investigating, detecting, and prosecuting serious crime and terrorism.[121]

Denmark

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\accounting.png

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\Public.png

Direct and Explicit Localization

2007: According to the Audit Act (section 45), financial records for government institutions must be stored domestically. This data can be stored abroad as long as a copy is made monthly and stored in Denmark.[122]

2006: According to the Bookkeeping Act (section 12), financial records must be stored either in Denmark or one of the Nordic countries.[123]

Indirect and De Facto Localization

2011: According to the Danish Data Protection local authorities’ data cannot be processed outside Denmark without a standard contractual clause. Software commonly used in offices such as Dropbox, Microsoft Office 365, and Google Apps therefore cannot be used until a standard contractual clause is agreed upon.[124]

European Union

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\Public.png

Indirect and De Facto Localization

2020: The July 2020 decision by the European Court of Justice (ECJ) to invalidate the EU-U.S. Privacy Shield will have an immediate and potentially long-term impact on the thousands of organizations that relied on it to legally transfer data abroad. By making transfers of European personal data so costly and complicated, if not illegal, the European Union’s General Data Protection Regulation (GDPR) is becoming a de facto data localization requirement.[125]

2019: Originally announced in 2019, France and Germany have been spearheading a project titled “GAIA-X" that would create a European cloud system in an effort to claim “digital sovereignty” and end reliance on U.S. cloud companies.[126] It is also portrayed as a “trusted cloud” for EU member states’ public data.[127]

2018: According to the General Data Protection Regulation, personal data may flow freely between European Economic Area (EEA) states as well as select states deemed sufficiently secure in their data protection. In order to transfer data to any other state, there must be binding contractual agreements, the consent of the data subject, or the data transfer is necessary to carry out a contract for the data subject.[128] Through the US-EU Privacy Shield Framework, the United States was one of the countries allowed free data transfers with the EU. However, since a 2020 CJEU decision, Privacy Shield’s adequacy decision has been invalidated[129]

Proposed Measures

2021: Portugal (as president of the EU) proposed for a European Data Governance regulation that would restrict foreign governments’ access to European industrial data, impose more obligations to transfer data held by a European public body, to ask for explicit consent if the public data relates to a person, and to create a European Data Innovation Board to “advise and assist” the European Commission when deciding to restrict “highly sensitive” industrial data flows.[130]

Finland

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\accounting.png

Direct and Explicit Localization

1997: According to the Accounting Act, a copy of accounting records must be stored in Finland. The data can be stored in another EU member state if immediate access is guaranteed.[131]

France

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\Public.png

Direct and Explicit Localization

2016: A ministerial circular announced that data produced by public administrations cannot be stored in a non “sovereign” (i.e., foreign) cloud, as this data is to be considered archives and stored domestically.[132]

Proposed Measures

2021: Two French tech giants have announced plans to create a trusted cloud (“Cloud de Confiance”) called “Bleu.” Bleu will meet the sovereignty requirements to be used by French public bodies. This is part of the wider GAIA-X project to make an EU-wide sovereign cloud.[133]

Georgia

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and De Facto Localization

2014: According to the Law on Protection of Personal Data, cross-border transfers of personal data are only permitted to select countries deemed sufficiently secure in their data protection. Transfers to any other state must be approved by the Georgian Data Protection Authorities.[134]

Germany

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\accounting.png

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\Telecom.png

Direct and Explicit Localization

2017: According to the German Telecommunications Act, telecommunications providers must store data on phone numbers, the time and place of communications (except for emails), and involved IP addresses for four to 10 weeks on servers within Germany.[135]

2013: According to the Tax Code, persons and firms that are required to keep books and records must keep them within Germany. There are some exceptions for multinational companies.[136]

2013, According to the Act on Value Added Tax, all VAT invoices must be stored within Germany. When these invoices are stored electronically, they can be stored within another EU member state; however, the tax authority must be notified of the location of the data servers, and have the ability to access and download the data.[137]

2008: According to the German Commercial Code, accounting documents and business letters must be stored on servers within Germany.[138]

Greece

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\Telecom.png

Direct and Explicit Localization

2011: According to Law No. 3971/2011, retained data on traffic and localization must remain within Greece.[139]

Italy

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\accounting.png

Indirect and De Facto Localization

1972: According to Presidential Decree no. 633, accounting data for VAT declarations can only be kept in a third country if that country has signed a convention with Italy regarding the exchange of information for direct taxation. Therefore, all EU member states qualify.[140]

Kosovo

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and De Facto Localization

2010: According to the Law on the Protection of Personal Data, to transfer data to a country that has not been deemed sufficiently secure in its data protection, the Kosovar data protection authorities must be notified and give authorization, and these transferred will only be approved if there is individual consent, contractual necessity, or vital interest.[141]

Luxembourg

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\accounting.png

Direct and Explicit Localization

2012: According to the Circular CSFF 12/552, financial institutions must process data within Luxembourg, except with explicit consent or for an entity of the group to which the institution belongs.[142]

Malta

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and De Facto Localization

2003: According to the Data Protection Act, a cross-border transfer of personal data must be notified to the Commissioner's Office.[143]

Moldova

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and De Facto Localization

2012: According to the Law on Personal Data Protection, to transfer data to a country that has not been deemed sufficiently secure in its data protection, the Moldovan data protection authorities must be notified and give authorization, and these transferred will only be approved if there is individual consent, contractual necessity, or vital interest.[144]

Monaco

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and De Facto Localization

1993: According to the Protection of Personal Data Act, personal data can only be transferred to states deemed insufficiently secure in their data protection with consent, vital interests, contractual necessity, or the authorization of the Monégasque data protection authorities on the basis of appropriate contractual clauses.[145]

Montenegro

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and De Facto Localization

2012: According to the Personal Data Protection Law, personal data can only be transferred to states deemed insufficiently secure in their data protection with consent, contractual necessity, vital interest, or authorization from the data protection authorities.[146]

Netherlands

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\Public.png

Direct and Explicit Localization

1995: According to the Public Records Act, records that have been stored in archives in certain locations in the Netherlands must be stored within the country, this applies to paper and electronic records.[147]

North Macedonia

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and De Facto Localization

2005: According to the Law on Personal Data Protection, personal data can only be transferred to states deemed insufficiently secure in their data protection with consent, contractual necessity, vital interest, or authorization from the data protection authorities. Authorization from the data protection authorities can be obtained with a written data transfer agreement, preferably modelled off EU standard contract clauses.[148]

Poland

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\other.png

Direct and Explicit Localization

2009: According to the Polish Gambling Act, data on legal gambling activity must be archived in real time on a server in Poland.[149]

Romania

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\other.png

Direct and Explicit Localization

2015: According to Law No. 124, all data related to the provision of remote gambling services, including records and identification of the players, the stakes placed and the winnings paid out, must be stored within Romania.[150]

Indirect and De Facto Localization

2001: According to the Data Protection Law, any cross-border transfer of personal data requires notification to the National Supervisory Authority for Personal Data Processing (NSAPDP), and requires NSAPDP approval if to a country deemed insufficiently secure in its data protection.[151]

Russia

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\accounting.png

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\Public.png

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\Telecom.png

Direct and Explicit Localization

2021: Russia released a draft (although it seems to already be enforced) law that included a range of conditions and restrictions on foreign firms using the Internet and telecommunication services (especially Facebook, Twitter, Google, and others) to provide services to more than 500,000 Russian users within a 24-hour period, including storing all personal data locally and that such foreigners setup a branch or representative office.[152]

2019: Russia enacted a two-year ban on the public procurement of data storage from foreign firms. Policymakers justified the ban on the need to protect Russia’s “critical informational infrastructure.”[153]

2018: Russia enacted another set of Yarovaya amendments that required companies to retain a broader range of communications content for six months, to store this data on Russian servers, and make them available to the authorities on demand without judicial oversight.[154] In 2019, Russia enacted additional amendments that internet service providers store data, as prescribed by the Yarovaya amendments, using only Russian-manufactured technical means.[155]

2016: Russia enacted new laws (the first of the so called “Yarovaya” Amendments) that require telecommunications and certain internet companies to retain copies of all contents of communications for six months (including text messages, voice, data, and images) in Russia for up to three years and to this data to authorities on request and without a court order.[156]

2014: Russia’s Federal Law No. 242-FZ “On Amending Certain Legislative Acts of the Russian Federation Regarding Clarifying the Personal Data Processing Procedure in Information and Telecommunication Networks’’ require personal data localization. After initial collection and storage, it can be transferred overseas (subject to conditions). It does not prohibit remote access to personal data stored in Russia. Any subsequent modification to the personal data should also be performed first in Russia.[157] In 2019, Russia’s Federal Security Service required companies to install special equipment giving the FSB automatic access to their information systems and encryption keys to decrypt user communications without authorization through any judicial process.[158] Russian policymakers have justified these rules by citing a need to protect state security, the Russian internet, and the privacy of Russian users.

2014: According to Federal Law No. 161-FZ “On the National Payment System,” international payment cards must be processed locally. International payment systems must transfer their processing capabilities for Russian users to the local state-owned operator.[159]

2013: Russia enacted a regulation that requires all “credit institutions” (presumably banks and other financial institutions, although it’s unclear) should store all data locally.[160] It does not detail whether this is a strict localization requirement or mirroring requirement.[161]

Indirect and De Facto Localization

2009/2016: The Bank of Russia has issued recommendations, such as Recommendations RS BR IBBS-2.22009 and Recommendations RS BR IBBS-2.9-2016, which imply that financial institutions should store certain sensitive (confidential) data (the scope of which is defined very broadly and would include personal data) in Russia. While these are not normative acts and thus not binding, they are authoritative and financial institutions follow them in practice.[162]

2012: Russia has licensing and certification requirements (relating to protection of confidential information, as well encryption licenses, and certification of the information systems used for the storing and processing the data) for credit and financial institutions and the data they manage that, in practice, can only be satisfied by Russian cloud storage providers.[163]

San Marino

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and De Facto Localization

1995: According to The Law Regulating the Collection of Personal Data, in order to transfer personal data on any citizen or company to any third country, authorization is required from the data protection authorities, though there are no specific conditions that need to be met to obtain this authorization.[164]

Serbia

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and De Facto Localization

2009: According to The Law on Personal Data Protection, in order to transfer personal data to a country not deemed sufficiently secure in its data protection, authorization from the Serbian data protection authorities is required.[165]

Sweden

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\accounting.png

Direct and Explicit Localization

1999: According to the Swedish Accounting Act, firms’ annual financial reports and balance sheets must be physically stored in Sweden for seven years.[166]

Indirect and De Facto Localization

2019: Financial services are de facto required to physically store data within Sweden as The Financial Services Authority requires physical access to data servers.[167]

Switzerland

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and De Facto Localization

2020: Cross-border data transfers of personal data to countries deemed insufficiently secure in their data protection requires the use of standard contract clauses or binding corporate rules.[168] The list of insufficiently secure countries includes the United States after a 2020 decision that the Swiss–U.S. Privacy Shield Framework does not provide an adequate level of protection.[169]

Turkey

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\accounting.png

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\Telecom.png

Direct and Explicit Localization

2020: Turkey’s Banking Regulatory and Supervisory Authority released the Regulation on Information Systems of Banks, which reinforces that banks and financial services keep their primary (live/production data) and secondary (back-ups) information systems within the country.[170]

2020: Turkey passed legislation (“Law on Amendment of the Law on the Regulation of Publications on the Internet and Suppression of Crimes Committed by Means of such Publications”) that includes data localization and grants the government sweeping new powers to regulate content on social media. The law requires social network providers with more than 1 million users to: establish a representative office in Turkey; respond to individual complaints in 48 hours or comply with official take-down requests of the courts in 24 hours; and keep personal data of Turkish citizens in country.[171]

2019: Turkey released a Presidential Circular on Information and Communication Security Measures No. 2019/12, which includes data localization and other digital restrictions. Article 3 prohibits public institutions and organizations’ data from being stored in cloud storage services that are not under the control of public institutions. The Circular also requires that critical information and sensitive data be stored domestically. Draft regulation is expected that will also mandate localization of data produced by banks and financial services.[172]

2018: Turkey’s Capital Markets Board (CMB) enacted new rules (the Communiqué on the Management of the Information Systems (VII-128.9)) for how publicly traded firms should manage their IT systems—which included data localization—in requiring primary and secondary IT systems only be in Turkey. The regulations cover a broad range of firms and organizations, including all publicly traded companies; the Istanbul Stock Exchange; organized markets; pension funds; the Istanbul Clearing, Settlement and Custody Bank; the Central Securities Depository of Turkey; custodians; the Capital Markets Licensing Agency; capital markets institutions; the Turkish Capital Markets Association; and the Turkish Appraisers Association.[173]

2013: Turkey enacted a law—the Law on Payments and Security Settlement Systems, Payment Services and Electronic Money Institutions—that forces Internet-based payment services, such as PayPal, to store all data in Turkey for 10 years.[174]

Indirect and De Facto Localization

In 2016: Turkey enacted the Law on the Protection of Personal Data, which requires all cross-border transfers of sensitive and non-sensitive personal information require the explicit consent of data subjects, or have to meet other legal grounds.[175] Data may only be transferred without consent to a country with sufficient protections in place. The Personal Data Protection Board determines which countries have adequate standards of protection and approves cross-border transfers to countries that lack such a standard.[176] U.S. industry reports that conditions make it hard to transfer data. Turkey has not yet announced a list of countries that meet the standard of adequate level of protection. Further, the Data Protection Board has yet to grant approval to companies that have sought the ad-hoc approval.[177]

2008: According to the Electronic Communications Act, the data subject’s explicit consent is required to transfer traffic and location abroad anywhere.[178]

Ukraine

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and De Facto Localization

2011: According to the Law on the Protection of Personal Data, cross-border personal data transfers to a country deemed insufficiently secure requires consent, contractual necessity, or vital interest.[179]

United Kingdom

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\accounting.png

Indirect and De Facto Localization

2014: According to the National Health Service information governance rules, it is not illegal to store NHS data abroad; however, it is viewed as a risk factor to do so and is therefore discouraged.[180]

2006: According to the Companies Act, if accounting records are stored outside the U.K., a copy of the accounts and returns must be stored domestically and available for inspection at all times.[181]

Middle East and North Africa

Country

Type of Data

Description

Algeria

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\accounting.png

Direct and Explicit Localization

2018: Algeria signed into law legislation requiring electronic commerce platforms conducting business in Algeria to register with the government and to host their websites from a data center located in Algeria.[182]

Egypt

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png

Indirect and de Facto Measures

2020: Egypt enacted the Personal Data Protection Act (Law No. 151/2020), which requires licenses for cross-border data transfers.[183]

Jordan

C:\Users\akey.D-C54GP22\Dropbox (ITIF)\Home\@datalocalization graphic\personal.png