Free flow of data across the globe has been a remarkable feature of the Internet. Innovations like cloud computing—spreading data across a host of servers in several locations—have been possible due to the free, open nature of the Internet, and have resulted in technical efficiencies and reduced costs. Cross-border data flows are estimated to have raised the world GDP by 10.1%. However, this lack of borders in the digital world has tested traditional notions of territoriality and sovereignty.
A growing number of countries have been placing restrictions on transfers and exchanges of data beyond territorial boundaries. Typically, data localization laws either require that data be hosted on local servers or restrict transfer of data outside national borders. For instance, Russia enacted a law in 2015 that requires operators to collect, store, and process citizens’ personal data using databases located in Russia. Other governments have imposed restrictions on particular kinds of data or entities. In China, banks and financial institutions are prohibited from storing or processing, outside China, “personal financial information” that has been collected in China. Also, “critical information service” providers are required to store “important data” within China unless they pass a security assessment. Australia prohibits the transfer of health records outside of its borders except in certain cases. Canada requires public bodies to store their data within national boundaries.
Goals of localization mandates
Localization measures are adopted for a host of reasons—a prominent reason being fear of surveillance by foreign governments. Post-Snowden, governments have been increasingly wary of NSA intelligence gathering. Localization may appeal to nations as a feasible solution for keeping data out of foreign governments’ hands. Governments may also wish to facilitate better access to residents’ data for their own law enforcement agencies. In investigations where data is stored on servers abroad, the only available recourse for law enforcement agencies is the Mutual Legal Assistance Treaty (MLAT) process—criticized widely as time consuming, cumbersome, and incapable of handling the demands of a digital age. Another goal of data localization measures is local economic development. Hosting data on local servers would require data centers to be set up, which could involve increased investment and creation of jobs in the area.
More harm than good?
There is, however, a growing pool of literature showing that localization will not serve the stated goals. While countries may seek localization to keep data out of foreign governments’ reach, critics argue that, in any case, the United States and most other countries concentrate their surveillance efforts abroad rather than within domestic territories. It is easier for U.S. intelligence agencies to collect data overseas—this could be done with minimal procedural safeguards under the Foreign Intelligence Surveillance Act if the data does not belong to a U.S. person. In contrast, surveillance within the United States is subject to more protections due to Fourth Amendment concerns. By requiring data to be processed or stored within their national boundaries, governments may not actually be able to keep U.S. intelligence agencies away. Also, while countries cite privacy and security concerns as a factor, localization may actually be undermining security protections. A centralized database could prove to be an easy target for cybercriminals. Distribution of information across servers may actually result in added layers of security—large cloud computing companies with transnational operations have greater incentive to invest in security measures in comparison to smaller service providers.
To add to that, there are economic costs associated with data transfer restrictions. An ITIF report puts together outcomes from studies that show that barriers to data flows reduce GDP and cause prices of cloud services to go up significantly. The costs of establishing local servers could also discourage companies from tapping into a particular market, thereby depriving users of the ability to access those services.
Strong localization laws may lead to a fragmented Internet with different national networks instead of the unified global network that exists today. While, previously, technical efficiencies guided the decision of where data would be processed and stored, these decisions would now be informed by each individual government’s motivations. Governments’ concerns in enacting localization laws may be legitimate. However, very broad localization mandates could change the Internet as we know it, discourage innovation, and at the same time, not even achieve the intended goals. Governments should instead focus on achieving the intended objectives through alternative means, such as stronger privacy and security protections and improved bilateral frameworks for cross-border data sharing by law enforcement.