The dire need to keep pace with the collection, control and movement of data-flows has led governments to impose policies that are shaping the future of the Internet and its related aspects.
Whirlwind development in communications and networks, digital storage and computing, including the advent of the Internet, has spurred an ineluctable march towards the ‘big data revolution’, generating and giving access to more and more data. Digital technologies have not only created new modes of trade in goods and services, but they are transforming economic activities in “old economy” sectors like finance, health, logistics, and goods manufacturing. These rapid advances have led to new global privacy regimes. In addition, data localisation is emerging as another area of regulatory focus, with further layers of regulatory and legal requirements, causing vexation for business enterprises that are increasingly engaging in cross-border data sharing as part of their participation in an increasingly interconnected world.
Initially, the free flow of data was a default consequence of the largely unregulated space of the internet. With time, this space has expanded the volume of information and the categories of data that are collected and processed. The complexity of online data flows has also increased over time. Information is copied, cached, sliced into small portions and distributed across multiple jurisdictions, adding to the complexity of securing control over these flows, thereby giving rise to conflicts with national laws and prompting concerns from regulators.
The dire need to keep pace with the collection, control and movement of data flows has led governments to enact and impose policies that are dramatically shaping the future of the Internet and its related aspects.
a. Data residency:
Data residency refers to an organization specifying the geographical location in which it has chosen to store its data.
In most cases, organizations establish data residency for either regulatory or policy-related reasons. For example, a business ensures that a significant part of its core business activities remains within a nation’s borders to gain tax benefits.
b. Data Sovereignty:
Data sovereignty rules come with more responsibilities and requirements for companies. Rather than solely ensuring that a business’s data is stored at a specific location, data sovereignty refers to the principle that the information is subject to the laws and regulations of the country where it is stored, collected, and processed. As a result, organizations have to comply with the nation’s data protection rules and laws to avoid punishment.
c. Data Localization:
Of all three, data localization is the strictest concept.
As you may already know, data localization laws require organizations to store all or certain types of data, either the original records or their copies, within a nation’s borders, restricting or limiting the international flow of data.
In other words: ‘Data localisation’ refers to a mandatory legal or administrative requirement directly or indirectly stipulating that data be stored or processed, exclusively or non-exclusively, within a specified jurisdiction.
Why Data Localisation?
Ensuring National Security.
Protection of personal data and enforcement of data protection laws.
Securing faster and better access to data for law enforcement.
Advancing local economic competitiveness, increasing economic growth and boosting employment.
Leveling the regulatory playing field.
Preventing foreign surveillance.
Data localization laws around the world
Data localisation regulation will play a crucial role in how the Internet and society develop in the future. The Internet, in a nutshell, is an international network of networks open to general usage. There has been an explosion of globalised electronic communications. In fact, in the context of the COVID-19 pandemic, we have seen an exponential increase in reliance on the online at the expense of the offline. This may well affect behaviour patterns long-term, meaning that we will continue to live an even greater segment of our lives online in the future as the world overcomes the pandemic. The COVID-19 pandemic has also exposed us to the weaknesses in data sharing and integration across public and private sources at local, state, national and international levels.
Restrictions on data flows are justified by arguing that the government needs access to data in order to perform regulatory duties or to uphold security standards.
Russia has data localization requirements for all personal data.
Kazakhstan requires all data for servers on the country’s specific (.kz) domain.
Australia requires health records to be stored locally.
Canada requires public service providers to follow data localization requirements.
China has data localization requirements that affect all personal, business, and financial data.
India’s data localization requirements apply to payment service providers and government procurement.
USA requires data related to the country’s citizens to be processed and/or retained in that country. The data covered by these laws can range from all personal data to only specific types of data such as health or financial information.
In 2017, Vietnam’s Ministry of Public Security (MoPS) passed cyber security legislation requiring all foreign online service providers to store data of citizens exclusively in local data centers.
South Korea’s Land Survey Act prohibits exporting local mapping data to foreign companies that do not operate domestic data servers.
Admittedly, it is difficult to imagine states and governments letting go of localization as a policy tool. In the absence of global rules or norms for the digital economy, competing national frameworks have become the dominant force shaping the cross-border flow of information online. In an effort to bring some order to these arrangements and to counter disadvantageous national practices restricting data flows, some governments are exploring data regulation through trade agreements.
Data Flows and Trade Agreements
Policymakers should take note that a number of trade agreements have addressed data flows and the related regulatory aspects. These agreements have recognized the need for states to enact measures to protect privacy, but have determined that such measures should not justify protectionist approaches. At the multilateral level, the General Agreement on Trade in Services (GATS) has several provisions that establish legal obligations on governments to allow the processing and transmission of data within and across borders, which include:
(1) obligations on market access,
(2) national treatment and
(3) the use of public networks.
The exception provision allows such deviations as long as the measure in question is proven to be “necessary” for the pursuit of the policy objective. Such a measure would not be “necessary” if an alternative less trade-restrictive measure could achieve the same result.
National security and data localization
Little attention has been paid to the field of security studies. Given the widespread use of the term big data, one would expect to find a sophisticated account of what it means, what it does, and how it works in the national security context. Given the usage of data, it is pertinent to note that the free flow of data to a hostile country or anti-national organization can threaten national security. The best example may be South Korea, which does not want data on its citizens and corporations to be accessible by North Korea.
As is evident from the recent ban of TikTok in India and the United States, there are valid concerns about Chinese-owned companies and the Chinese Communist Party having access to their citizens’ data.
The Justice Srikrishna Committee’s report states that data localization is essential to protect Indians from foreign surveillance. Similarly, the draft National E-Commerce Policy Report also anticipated the role of localization in preventing foreign surveillance. In 2013, Edward Snowden, a former U.S. contractor for the Central Intelligence Agency, disclosed that the United States’ National Security Agency was surveilling the communications of foreign governments and citizens. This highlights the extent to which digital surveillance could be conducted. Simultaneously, the internet has also facilitated a steady increase in the scale and scope of cyber attacks.
The existing reluctance to explore alternatives to grounding jurisdiction in territoriality is a significant incentive for data localisation. To the extent that jurisdiction over data is anchored in the location at which the data are located.
Since enforcement jurisdiction is essentially territorial, may the location of equipment or assets in the jurisdiction be justified as a way to make it easier to enforce local law? This is a key observation, but it may arguably be seen to combine two distinct (yet related) issues: (a) the issue of enforcement jurisdiction and (b) the issue of effective enforcement. The former relates to a country’s rights. The latter is more of a practical consideration.
At any rate, one can identify three distinct situations where the prominence of territoriality works as an incentive for data localisation:
Where the location of data is used as a criterion in assessing jurisdiction over the holder of those data.
Where the location of data is utilised to enhance the effectiveness of enforcement actions.
Where the location of data is used to determine jurisdiction over those data.
It is true that enforcement jurisdiction has traditionally been anchored in territoriality. But the landscape is changing, as can be seen in the data privacy context; the GDPR, for example, makes clear that it “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
Law Enforcement and localization:
As to the efficiency argument, it is undoubtedly true that data localisation may aid the enforcement of local law, e.g. due to the resulting presence of physical assets that may be seized. This has obvious practical advantages but also an economic dimension, in that the cost of enforcement may be minimised. This aspect supports the notion that data localisation brings economic benefits.
Impact of Data Localization Requirements on Commerce and Innovation
Data is the new oil, which makes it the most valuable asset if analyzed accurately. This asset can be the backbone of any burgeoning business, which is one of the reasons states look to implement data localization, seeking to give their local corporations a competitive edge.
Data is a national resource
A state can prevent the flow of data to external countries, and thus this data can be made available for internal use by domestic companies only. The resulting informational asymmetry will prove beneficial for local companies. Data, like any other commodity, is a national resource, and thus each state holds a right to the revenue that is generated from the data. Similar to the inflow and outflow of goods and services, the movement of data can also undergo taxation.
The objective of spurring economic growth can be fulfilled or promoted by local storage requirements. Such needs could enhance the demand for goods and services in India, while also giving Indian enterprises a competitive advantage over their foreign peers. This calculus depends on various contingent factors, such as whether the resultant demand for data centers would be met by indigenous firms or through imports, the adaptability of Indian firms to the costs of implementing localization, and the likelihood and severity of retaliatory measures by other countries on Indian service sector exporters.
Data Localisation as an aspect of Data Sovereignty
The topic of sovereignty is of significance as there is arguably a connection between the topic of data localisation and the increasing calls for ‘data sovereignty’ and related concepts. Attention to this topic seems to have intensified over the years, and this topic has sparked debates going to the very core of the meaning of sovereignty. A July 2020 publication by the European Parliament Think Tank states that, in the EU context, ‘digital sovereignty’ refers to: “Europe’s ability to act independently in the digital world and should be understood in terms of both protective mechanisms and offensive tools to foster digital innovation (including in cooperation with non-EU companies)”.
A Canadian discussion of data sovereignty suggests that data localisation may be an ineffective measure to ensure data sovereignty: ‘In the public cloud environment, government data is entrusted to a third party that may be subject to the laws of a foreign country, even if the data resides in Canada. As such, the key risk to the GC [Government of Canada] with respect to data sovereignty is that foreign agencies can leverage laws in their home country to compel CSPs [cloud service providers] to turn over the GC’s data (Treasury Board of Canada Secretariat, 2018).’
For a better understanding of sovereignty, it is useful to note the extent to which some countries feel disempowered due to technological inequalities and push back with claims of sovereignty. The five factors identified by the Internet & Jurisdiction Global Status Report 2019 that make developing countries, smaller countries and smaller internet actors feel disempowered are:
1. There is a perception that, compared to developed countries, developing countries have less of a say in the approaches taken by the major internet actors;
2. There is a perception that, compared to major internet actors, smaller internet actors have less of a say in the approaches taken by the regulators;
3. There is a perception that both smaller internet actors and developing countries lack a voice in the international dialogue;
4. Extraterritoriality allows dominant states to impose their laws on the world, while smaller states lack the standing and means to enforce their laws even domestically; and
5. Legal approaches from developed countries are being replicated to such a degree that it impacts the sovereignty and self-determination of developing countries.
These perceptions may add to an environment in which countries implement data localisation measures in the pursuit of regaining control, often articulated as ‘sovereignty’, in relation to other states and international bodies. Thus, ensuring that all relevant stakeholders feel that their voices have been heard in the international debates is an overarching concern, and an important component in alleviating the perceived need for data localisation.
As hinted at by several of the motivations for data localisation discussed above, data localisation requirements may be seen by some as an aspect of the pursuit of data, information and/or technological sovereignty. Data Sovereignty is a topic with which further engagement is needed. In fact, it may be appropriate to study the impact of the new calls for digital sovereignty and the like more broadly than just in the context of data localisation.
Rules governing data localization are not motivated by a single national or private interest. Numerous factors, applied simultaneously, contribute to the localisation regime of restricting cross-border data flows or establishing controls for the transfer of information.
The economic benefit is often not the primary cause of why some states attempt restricting data flows. For developing and developed countries alike, leadership in the global digital economy is linked to establishing their claims of technological sovereignty. Technological sovereignty goes beyond the idea of economic competition and builds on the idea that advancements in the technological capacity of one nation threaten the national sovereignty of another. The rise of data localization worldwide suggests that localized data governance arrangements will remain a key feature of the shifting social, economic and political order for the foreseeable future.
Adequately addressing the challenges of the rise of data localization is definitely one of the defining issues in the current Internet governance landscape, but it does require discussing and accounting for its economic, political and social dimensions in a more integrated fashion.
(Khushbu Jain is a practicing advocate in the Supreme Court and founding partner of the law firm Ark Legal. Can be contacted on Twitter: @advocatekhushbu).