Forced local data storage requirements are at the heart of both digital protectionism and digital authoritarianism. Rob and Jackie sat down with Nigel Cory, associate director covering trade policy at ITIF, to discuss how data localization reduces trade, slows productivity, and increases prices.

Related

• Nigel Cory, “How the G7 Can Use ‘Data Free Flow With Trust’ to Build Global Data Governance,” (ITIF, July 2023).
• Nigel Cory, “USTR Tai’s Justification to Take a Time-out on Digital Trade Does Not Hold Up,” (ITIF, Dec 2023).

Auto-Transcript

Rob Atkinson: Welcome to Innovation Files. I'm Rob Atkinson, Founder and President of the Information Technology and Innovation Foundation.

Jackie Whisman: And I'm Jackie Whisman, head development at ITIF, which I'm proud to say is the world's top ranked think tank for science and technology policy.

Rob Atkinson: This podcast is about the kinds of issues we cover at ITIF from the broad economics of innovation to specific policy and regulatory questions about new technologies. If you're into this stuff, please be sure to subscribe and rate us. It really does help.

Today we're going to talk about something that sounds not all that exciting, but it is actually exciting and it is actually important, and that's cross-border data flows. You all remember the internet? After the internet, there was a thing called the World Wide Web, and it was named that for a reason because it was worldwide. And we have to try to get back to that because today a lot of countries are putting in place what are called data localization policies that reduce trade, slow productivity, increase prices, whole set of terrible things, and we're going to hear about it today.

Jackie Whisman: Our guest is Nigel Cory, who's an associate director covering trade policy at ITIF. He focuses on cross-border data flows, data governance, intellectual property, and how they each relate to digital trade and the broader digital economy. So this is his jam. Welcome, Nigel.

Nigel Cory: It's great to be here. It is most definitely my jam. Look forward to doing a dive on all things data flows.

Jackie Whisman: So a lot of people talk about data flows. What does this mean? Why is it important?

Nigel Cory: Basically it's just the electronic transfer of information over the internet and between devices. And as Rob mentioned, this is not technically a new thing with subseas of telegram cables and such, but with the internet it obviously got much easier and low or no cost. And so the growth of data flows has exploded.

And as Rob mentioned, the default setting for today's internet is the free-flow of data across borders. It doesn't matter where you are, you could even bleed domestically, but your request actually initiates a cross-border data flow.

But what we've increasingly seen over the last 10 or 15 years is more and more countries enacting artificial restrictions that block or impede the flow of certain types of data across borders. And that leads to all the negative implications that Rob mentioned.

Rob Atkinson: This sounds like a cross-border data flow issue because it sounds like you're in Australia.

Nigel Cory: Well, Covid brought to the fore the central importance of data flows with the digital transformation of our lives. And in a way, that made it more real for more people. Yet at exactly the same time, certain countries continue to try and basically restrict data. And so most people don't even realize it, don't even know these flows are taking place because it just happens in the background which is great, but basically these countries, certain countries are trying to mess this up for all of the rest of us.

Jackie Whisman: Who's the worst offender?

Nigel Cory: Clearly China. China is a world leader in using forced local data storage requirements in a perverted pursuit of both digital protectionism, but also authoritarian control. Because obviously restricting the transfer of personal, financial, social media and other data makes it much easier for authoritarian governments to access data about their people, their population, and to control them.

And so it provides a clear model of both digital protectionism and digital authoritarianism, and forced local data storage requirements are at the heart of its strategy.

Jackie Whisman: You've spent a lot of time working and writing about European policies and policymakers. Where do they stand here?

Nigel Cory: I mean, unfortunately not too far behind China. And in many regards, copying and pasting China's approach to some issues including the use of data localization.

And so the most clear example of this trend in Europe is global affecting general data protection regulation, so the EU's data privacy law, which creates a country by country barrier to data flows. It also increases the risk of non-compliance for firms transferring data. They make it incredibly risky and complicated for firms to try and manage data privacy as well as data flows.

But it goes much beyond data in Europe. And they're also basically probably a second leading power in terms of trying to pursue a misguided approach of cyber or digital sovereignty, which is similar to China. But essentially they're trying to use localization for protectionism in many ways, but then also localization for other regulatory purposes like privacy and cyber security and such.

Jackie Whisman: We've talked a lot about techlash in general, anti-tech sentiment both at ITIF and on this podcast. We talk a lot about it. Where do things stand with us policymakers on the issue of data flows and data governance?

Nigel Cory: Unfortunately, on unsteady ground. Because traditionally the US, as obviously a world leading country with its IT sector, was a leading supporter of new rules and agreements around data flows and digital trade. But over the last 5, 6, 7 years, the US has largely ceded that leadership. And under the Biden administration, it's more and more uncertain because the Biden administration's, the US trade representative clearly doesn't prioritize new rules around data flows and digital trade. In fact, they probably in more likelihood, sort of oppose them because they're so inherently reluctant and opposed to doing anything that they think would help big tech, and thus would be counter to their broader ideological goals of restraining big tech.

And so it's been really discouraging in that way. But there has been the odd major accomplishment by the Biden administration on data flows, namely the new US-EU deal on data flows and data privacy, which was much needed because European courts were essentially threatening to cut off data flows. That is a major accomplishment that should hopefully come into effect this year and provide legal certainty and business certainty for US and EU firms to be able to transfer data across the Atlantic.

The second is the forthcoming Global Cross-Border Privacy Rules Initiative, which has existed before in the Asia Pacific, but the US is bringing it out of the Asia Pacific and taking it global. And there's a workshop in London in a few weeks where they'll have 25, 30 country representatives to talk about this new initiative, which, if it goes well, could truly become a model for data privacy that compares to the European Union's very restrictive and discriminatory general data protection regulation.

Rob Atkinson: So Nigel, who's going to be the most important speaker at that event?

Nigel Cory: I dare say, I would give due deference to the UK minister and some senior department of Commerce officials, but I'll thankfully also have the opportunity to speak on a few different panels through the three-day workshop they're holding for officials from around the world. So it'll be actually really interesting to get a sense from all these countries who quite understandably are trying to figure out how do they want to deal with data flows as compared to the more clearly established approach that Europe has.

Jackie Whisman: If you think that the primary motivation for restricting data flows is to hurt big tech, can you speak a little bit more... Or so-called big tech. Can you speak a little bit more about what else it hurts? It's also hurting little tech, presumably, and little consumers.

Nigel Cory: That's the big misguided misconception about the whole issue that data flows are actually even more important for SMEs and individuals and consumers because they simply don't have the resources and the expertise to set up complex and expensive IT systems, to hire the lawyers and administrators and such to set up all of these systems in different countries that have these data localization requirements. And so it's an even bigger barrier to SMEs trying to find customers and markets through the use of the internet, which otherwise is basically free or low cost.

So that's one big misconception about the issue is that this is a big tech thing when it's really not. It's actually, from a trade perspective, gets at the heart of what the internet provides, which is the internet removes the impact that geography has on trade. Because it doesn't matter whether someone's in Montana or Malawi, if they have a decent internet connection, they can use awesome global platforms and services to advertise and find customers and fulfill services and such. But if Malawi enacts a localization requirement, it's highly unlikely that major tech companies will set up data centers and services there, and thus cutting off consumers and firms in those countries with those types of rules.

The other clearly major negative impacts of localizations relate to cyber security with regulatory access to data, to law enforcement cooperation across borders. There are all these unintended consequences from this really misguided approach to laws and regulations in and around data.

For example, with cyber security, I mean, it's just basic common practice that firms need to be able to share data about what they're facing in different countries to ensure that they're covering all their bases with the rise of cyber attacks and cyber threats and ransomware and such. But if there are data localizations requirements restricting their ability to share that information, then that creates vulnerabilities in their system.

And so it just gets to the heart of the issue in that whether it's privacy or cyber security or trade or such, that localization is often just a knee-jerk reaction by policymakers when confronted with trying to regulate in today's digital world and society, and they just don't think about the implications. And they just don't think about, well, what are we actually trying to get at, what's a targeted approach, what are the implications both positive and negative to try and get at what they're concerned about?

What we see is just this reversion to this misguided notion that data stored here is better protected, more private, secure, accessible and such when it's just not the case.

Rob Atkinson: I was, as you know, back in your home country recently giving a couple of talks, and I think the home minister, Minister O'Neil, I believe, she gave some talk and she alluded to the need for data localization. And then she alluded to the problem that they'd had a number of major cybersecurity breaches. And I thought it was an interesting juxtaposition because the cybersecurity breaches were for Australian firms who had Australian data in Australia. So explain to me why that has anything to do with localization.

But one of the things that I find is that policymakers have this view that the only way they can have their laws apply is if you keep the data. There was a case a number of years ago where a US senator from California was complaining that there was a hospital system in California that had offshored their data to India, and there was a data breach there by these rogue employees.

And her response was that you needed to have data localization policies as if there are no rogue employees in Montana or Oklahoma or wherever else that data might be. It was sort of like the issue in that case is the hospital system can and should be sued. They were the ones that were at fault. And the idea is somehow that you would fix that problem if you kept the data in a country. Can you talk a little bit about the myth of cybersecurity?

Nigel Cory: Yeah. Again, that's probably another foundational myth that leads to this as if governments haven't had to deal with entities like firms that operate across multiple countries and holding them legally accountable in their home country before, as if the internet suddenly just scrambles how they've managed law and order before the age of the internet, in such that it's the basic principle that a firm operating in a country's jurisdiction is subject to those laws regardless of where the data is transferred and where the breach takes place.

I mean, you mentioned the hospital case. The other probably even more famous case is the Chinese hack of the Office of Personnel and Management here at the US government, was partly affected databases stored on-premise. Whereas if that data was stored in the cloud, it probably would've been at a higher level of cybersecurity because major cloud firms are just better at this than some government agency.

And so we see this sort of like scrambled logic again, even in countries like Australia with highly sophisticated legal systems, sophisticated policymaking systems, this reversion to localization even in the face of past practice and legal precedent that firms in Australia should be held accountable for how that happens.

And as you mentioned, a number of prominent data breaches have recently taken place in Australia, which has prompted a fair review of the Privacy Act, but it shouldn't. Where the data was stored is redundant. If that system is connected to the internet, it faces a similar risk.

And so all a Australian policymakers risk doing in pushing for localization is heightening the cybersecurity risks that their firms face because inevitably, these providers in Australia or smaller providers in Australia just aren't equipped to face the ever-changing threat environment that we face online.

And so again, what manages is how firms manage data, which can be weak or strong. What matters are the administrative, physical and legal controls they put in place. Where that data is stored is redundant, but yet we still see this reversion to geography sort of scramble policymaker's brains.

Rob Atkinson: The other factor that we haven't talked about, it was pretty clear when I was in Australia, the big supporters of this new policy are domestic Australian firms who are competing with international firms. That is definitely true in some parts of Europe, particularly in Germany, where they want to have their own cloud firms. It's true in China. And it's just straight-up protectionism. And it's really frustrating from Europe, which has this narrative all the time of we're the ones that are defending free trade against you barbarian American, protectionist Americans, and yet they're engaging in straight-up blatant digital protectionism. How come that doesn't get more attention?

Nigel Cory: It's a good point in that Europe is a master in cloaking its laws and regulations in higher values and lofty goals like privacy and security online and such. But quite often what they're disguising is discriminatory restrictive policies and intent.

And so a lot of policymakers are reluctant to truly call them out on it in the same way they would if Europe was enacting higher tariffs on cars or steel or whatever and such, because they don't want to be caught out criticizing privacy or such, when it's really a separate redundant issue in that it doesn't matter in terms of the location of the data.

And so a lot of policymakers are reluctant to truly go as hard at them as they are. It's also a sad reflection of the ever-declining relevance of the World Trade Organization, which through its sort of foundational treaty agreements sort of set the rules of the road for global trade. These were largely negotiated in the eighties and nineties for the modern internet, and so just poorly tailored to get at these types of digital trade issues.

And so there's less sure legal footing for policymakers to use when trying to push back on digital protectionism in Europe and China and elsewhere. And so this is why it puts the onus on new agreements and initiatives and mechanisms to try and get at these issues by those countries that actually want to try and support data flows and digital trade.

Rob Atkinson: If you look at the two big issues that are facing the global trading system, and by definition the WTO, China's extra legal trade protectionism and economic predation, and there's digital. And it's striking that the WTO is so far incapable of dealing with either of those points, either of those key issues. I'm sure it's really good at dealing with steel trade or widget trade, shoe trade. Any hope there? And if not, that's why you're supporting more of these multilateral efforts?

Nigel Cory: I am. I try and remain optimistic and pragmatic and looking at what other new things that countries that support digital free trade can do. The lack of attention that clear, blatant systemic digital protectionism gets in China and in other countries, the lack of attention it gets at the WTO is an indictment on the nature of the organization and the rules. And the fact that China is still a part of ongoing e-commerce negotiations that are taking place among a group of countries at the WTO, does not look good, especially if they're still included in the end deal, if they're not kicked out before they get to the final thing. Because China's approach is just fundamentally at odds with how the vast majority of the rest of the world deals with data flows and digital trade.

And so that points towards that it's incumbent upon leading countries like, despite its missed background, its missed performance review, Australia, Singapore, Japan, Canada, sometimes the United States, the UK and others sort of getting together to figure out, well, how do we want to set the bar for how countries should deal with these digital issues henceforth, because the WTO is just not up to the task at the moment.

And so that's why proactive, creative, global digital policymaking is so important now. And we've only seen the US do that in fits and spurts. The EU is intent on trying to export its model, which is highly problematic. And so it's up to the rest of the others to try and push the ball down the field in developing the types of rules that unfortunately we didn't need for the longest time with the global internet, but we sorely need now.

Jackie Whisman: Well, how optimistic are you about success here? And I'd add you to the list of global leaders who are pushing this issue, for sure.

Nigel Cory: I have to be optimistic to maintain my sanity and productivity at ITIF. I hold on to a few key initiatives, firstly to Japan who has consistently put this issue on the agenda for many years now at the G20 and the G7. Without them doing that, we may not have had the focus on it that it has had, even if it hasn't delivered the type of tangible agreements and outcomes that we want. But hopefully in the subsequent years it can do that.

Hopefully the WTO negotiations and e-commerce kick out China and actually try and build an ambitious agreement amongst a small group of countries. I'm more so hopeful that the Global Cross-Border Privacy Rules Initiative is a success because it truly represents a model that I think is more realistic and tenable for a large and diverse group of countries around the world, which will never meet the high and ever-changing standards of the EU GDPR's approach.

And then there are other side smaller initiatives like between the US, the UK and Australia on law enforcement data that represents a good model for addressing that issue henceforth. And then the use of digital economy agreements in Southeast Asia between Singapore, Australia, New Zealand, Chile, and then potentially other countries that are joining there.

So there is some hope, but on the other side, there is just an ever-present rising tide of bad digital policies that look to restrict the movement of data, including in India, Indonesia and elsewhere in Asia especially. But then nearly without fail, every major piece of legislation in the EU includes some sort of restriction on the movement and use of data that impacts foreign trade and/or foreign firms operating in Europe.

Jackie Whisman: And thankfully, sanity isn't a requirement for retaining employment at ITIF.

Rob Atkinson: It's actually a negative when it comes to one's annual review.

Jackie Whisman: We'd have a very small team if that were the case.

Nigel Cory: We have to, I don't know, be a little insane to push for the type of global policies we support on this in the face of it's sort of an ever-present stream of bad ideas. I mean, is that the definition of insanity? I don't know, Rob.

Rob Atkinson: Didn't Einstein say insanity is doing the same thing over and over again expecting a different result?

Nigel Cory: Yeah.

Rob Atkinson: My insanity is keep telling people that AI is not going to kill us and expecting that people will believe that. And yours is keep telling people that we shouldn't have data restrictions. But I think in your case, probably a little bit more likely to see success there than on the AI terminator nonsense that we see over and over again.

Nigel Cory: Yeah, it is funny, and it just gets to the point, I think inevitably at some point we'll just have different versions of the internet in part defined by data localization restrictions. But how big and broad that is will depend on how proactive countries are in actually trying to build new rules and agreements and cooperation in and around data. But that's a hard ask when, as we saw off the TikTok hearing and anything else, when policymakers struggle to even just address domestic concerns in a clear and coherent and targeted way.

Jackie Whisman: Well, that's a story for another podcast episode.

Rob Atkinson: So here's my bet.

Nigel Cory: You're bet, okay.

Rob Atkinson: Everybody's listed this, mark it down. Within two years, somebody will claim that we need data localization so that the AI algorithms don't take over the world and kill us. Because we have smaller data sets and the AI will be stupider, guarantee.

Nigel Cory: That would be an amazing bet, but I don't know whether I'd bet against you because there is no limit on bad digital policies these days. So the sky's the limit.

Rob Atkinson: The sky is the limit. I've just now given our adversaries a new hook. Oh my God, why did I do that? Well, actually they're pretty creative.

Jackie Whisman: Time to land this plane, y'all.

Rob Atkinson: They don't need my help. All right, we're going to land this plane. Nigel, this was great. Thank you so much.

Nigel Cory: Thanks for having me. It was great to be here.

Jackie Whisman: And that’s it for this week. If you liked it, please be sure to rate us and subscribe. Feel free to email show ideas or questions to [email protected]. You can find the show notes and sign up for our weekly email newsletter on our website itif.org. And follow us on Twitter, Facebook, and LinkedIn @ITIFdc.

Rob Atkinson: We have more episodes and great guests lined up and we hope you'll continue to tune in.

Jackie Whisman: Talk to you soon.