Content uploaded by Nigel Cory
Author content
All content in this area was uploaded by Nigel Cory on Jul 21, 2021
Content may be subject to copyright.
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
How Barriers to Cross-Border Data Flows
Are Spreading Globally, What They Cost,
and How to Address Them
NIGEL CORY AND LUKE DASCOLI | JULY 2021
Data-localization policies are spreading rapidly around the world. This measurably reduces trade,
slows productivity, and increases prices for affected industries. Like-minded nations must work
together to stem the tide and build an open, rules-based, and innovative digital economy.
KEY TAKEAWAYS
▪The number of data-localization measures in force around the world has more than
doubled in four years. In 2017, 35 countries had implemented 67 such barriers. Now,
62 countries have imposed 144 restrictions—and dozens more are under consideration.
▪Restricting data flows has a statistically significant impact on a nation’s economy—
sharply reducing its total volume of trade, lowering its productivity, and increasing prices
for downstream industries that increasingly rely on data.
▪Using a scale based on OECD market-regulation data, ITIF finds that a 1-point increase
in a nation’s data restrictiveness cuts its gross trade output 7 percent, slows its
productivity 2.9 percent, and hikes downstream prices 1.5 percent over five years.
▪China is the most data-restrictive country in the world, followed by Indonesia, Russia, and
South Africa. Their economies will all suffer for it.
▪Policymakers should update laws to address legitimate data-related concerns, but they
should ensure people, firms, and governments can maximize the enormous societal and
economic benefits of data and digital technologies.
▪To build an open, rules-based, and innovative digital economy, countries like Australia,
Canada, Chile, Japan, Singapore, New Zealand, the United States, and the United
Kingdom must collaborate on constructive alternatives to data localization.
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 1
INTRODUCTION
For centuries information has flowed around the world, steadily increasing with the rise of
international mail, the first transatlantic cables in the 1850s, and the first transatlantic
telephone cable in the 1950s. What is different now is that the Internet creates the potential to
send large amounts of data quickly and at virtually no cost to almost any part of the world.
Moreover, on this global network, sending data abroad costs no more than sending data
domestically. COVID-19 has made clear that data flows are critical to the global economy,
enabling both economic responses (e.g., data sharing for medical research, the monitoring and
automated control of vaccine production facilities, and the adoption of digital services for
business continuity) and societal responses (e.g., family video calls, contact tracing, streaming
content for entertainment, and online shopping). Data flows will only continue to rise as more
countries and sectors embrace digital transformation.
Data will flow across borders unless governments enact restrictions. While some countries allow
data to flow easily around the world—recognizing that legal protections can accompany the
data—many more have enacted new barriers to data transfers that make it more expensive and
time-consuming, if not illegal, to transfer data overseas. Forced local data-residency
requirements that confine data within a country’s borders, a concept known as “data
localization,” have evolved and spread in the four years since the Information Technology and
Innovation Foundation’s (ITIF) last major report on data flows and localization.1 Data localization
targets a growing range of specific data types and broad categories of data deemed “important”
or “sensitive” or related to national security. The justifications policymakers use have also
evolved. Misguided data privacy and cybersecurity concerns remain common, but
cybersovereignty and censorship are newer, and in many ways, more-troubling motivations given
they are broader and more ideologically driven. Some policymakers—especially those in Europe
and India—openly call for data localization as part of digital protectionism, while others disguise
localization and protectionism by burying them in technical regulations.
The spread of data localization to more countries and data types poses a growing threat to the
potential for an open, rules-based, and innovative global digital economy. Data localization
makes the Internet less accessible and secure, more costly and complicated, and less innovative.
Businesses use data to create value, and many can only maximize that value when data can flow
freely across borders. Hence, data localization undermines the impact data-intensive services can
have on economic productivity and innovation.2 For example, a 2018 Organization for Economic
Cooperation and Development (OECD) report notes that digitalization is linked with greater trade
openness, selling more products to more markets, and that a 10 percent increase in bilateral
digital connectivity increased trade in services by over 3.1 percent.3 The opposite is also true.
ITIF’s econometric modeling estimates that a one-unit increase in a country’s data restrictiveness
index (DRI) results (cumulatively, over a five-year period) in a 7 percent decrease in its volume of
gross output traded, a 1.5 percent increase in its prices of goods and services among
downstream industries, and a 2.9 percent decrease in its economy-wide productivity. The report
finds that China, Indonesia, Russia, and South Africa are countries for which their increasing
data restrictiveness is leading to their economies experiencing higher prices, lower trade, and
reduced productivity.
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 2
Forced data localization also undermines the potential for shared governance. Countries can work
together to address legitimate concerns about data transfers, such as to prevent espionage, to
maintain financial oversight, and to conduct law enforcement investigations, while still allowing
data to flow freely. Of course, countries should create robust data privacy frameworks that protect
consumers and address national security concerns, but policymakers should do so in a
transparent, targeted, and balanced way to avoid unnecessarily costly and restrictive policies
given their economic and trade impacts. Many common data protection laws—such as those
based on OECD’s guidelines on the protection of privacy and cross-border flows of personal
data—do not constitute a restriction on digital trade.4 It is entirely acceptable for ex post
accountability for the data exporter if data sent abroad is misused. The cost of abiding by these
data protection laws is a typical cost of doing business.5 This is a crucial distinction to
differentiate policymakers in those countries that try to misuse data localization as a legitimate
data protection tool when it is not.
The spread of data localization to more countries and data types poses a growing threat to the
potential for an open, rules-based, and innovative global digital economy.
As the world emerges from COVID-19, policymakers need to do more to ensure that the global
digital economy remains an engine of economic growth and recovery. Thankfully, some countries
are bringing this concept to life via new mechanisms, agreements, and frameworks for data flows
and governance and digital trade. The first section of this report provides an updated analysis of
data localization’s use and application and the five main motivations used to justify it. The
second section provides a quantitative assessment as to its growing impact. The final section
combines analysis and recommendations relating to mechanisms to support data flows and
global digital trade and data governance.
The report offers several general recommendations for policymakers:
▪ Global data governance: Policymakers should provide multiple mechanisms to transfer
personal data, encourage firms to improve consumer trust through greater transparency
about how they manage data, support the development of global data-related standards,
and provide more assistance to developing countries to help with digital economy policy.
▪ Digital free trade: Policymakers should support rules that protect data flows, prohibit data
localization, and only allow narrow exceptions to these provisions at e-commerce
negotiations at the World Trade Organization (WTO). Policymakers should also create new
tools to enact retaliatory measures against countries that enact data localization and other
digital protectionist rules. Policymakers should encourage national and global bodies to
conduct surveys about the firm-level impact of data localization. Trade negotiators should
develop transparency and good regulatory practices provisions to ensure opaque
regulatory rulemaking can’t be used to enact barriers to data flows and digital trade.
Specific recommendations make the case that policymakers should:
▪ Focus on the overarching concept of building “interoperability” between different
regulatory systems;
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 3
▪Pursue new digital economy agreements and mechanisms for cooperation, such as those
negotiated by Australia, Chile, New Zealand, and Singapore;
▪Work with like-minded countries to create interoperable health data-sharing frameworks.
This would support the responsible and ethical cross-border sharing of health and
genomic data;
▪Make the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR)
a global model for data governance by opening it up to non-APEC members;
▪Support efforts by like-minded, value-sharing democratic countries working together to
develop a “Geneva Convention for Data” to establish common principles, processes, and
safeguards to govern government access data;
▪Develop a targeted strategy to support the adoption of financial oversight frameworks that
focus on regulatory access to data rather than the location of data storage; and
▪Improve existing, and build new, mechanisms to improve cross-border requests for data
related to law enforcement investigations, such as CLOUD (Clarifying Lawful Overseas
Use of Data) Act agreements and updated mutual legal assistance treaties (MLATs) to
provide timely assistance.
THE EVOLUTION AND SPREAD OF DATA LOCALIZATION CONTINUES TO DEGRADE
THE GLOBAL INTERNET ECONOMY
Data localization has evolved to target a growing range of data in more countries. The number of
countries that have enacted data localization requirements has nearly doubled from 35 in 2017
to 62 in 2021. The total number of data localization policies (both explicit and de facto) has
more than doubled from 67 in 2017 to 144 in 2021. Another 38 data localization policies have
been proposed or considered in countries around the world. China (29), India (12), Russia (9),
and Turkey (7) are world leaders in requiring forced data localization. Appendix A is a
comprehensive and detailed list of explicit, de facto, and proposed or draft data localization
measures around the world.
There are three main kinds of data localization. First, some governments restrict the transfer of
particular types of data outside their borders. These include personal data; health and genomic
data; mapping and geospatial data; government data; banking, credit reporting, financial,
payment, tax, insurance, and accounting data; the internal company data of publicly listed
companies; data related to user-generated content on social media and Internet service
platforms; subscriber data and communications content and metadata for traditional
telecommunications and Internet-based communication services; and e-commerce operator data.
Second, countries are increasingly restricting data in broad and vague categories involving data
deemed “sensitive,” “important,” “core,” or related to national security, which often impacts a
wide range of commercial data.6 Similarly, the EU and India are moving toward extending
restrictions to a broad framework targeting nonpersonal data.7
Third, de facto localization is also growing. By making data transfers so complicated, costly, and
uncertain, firms basically have no other option but to store the data locally, especially in the face
of massive fines. For example, the European Union’s removal of data transfer mechanisms,
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 4
failure to add new certifications and other new legal tools for data transfers, and ever-ratcheting
up of restrictions and conditions for those remaining mechanisms (such as standard contractual
clauses) have the potential to make the General Data Protection Regime (GDPR) the world’s
largest de facto localization framework.8 Other examples include explicit consent requirements
for personal data transfers and the need to submit data transfers for opaque and ad hoc
authorization.
Governments enforce these requirements with at least five different types of rules. All these rules
are bad, but their impact varies by their design, moving along a sliding scale of restrictiveness
(from bad to worst):
▪ Local data mirroring. Firms must first store a copy of data locally before transferring a copy
out of the country. This may also involve keeping the most updated version of the data
locally.
▪ Explicit local data storage. Firms must physically locate data in the country where it
originates. Some cases allow foreign processing of data (after which data must be stored
locally).
▪ De facto local storage and processing. Firms store data locally as stringent data transfer
requirements (such as getting pre-approval for transfers and explicit consent) and legal
uncertainty about data transfers, which, when combined with hefty fines and arbitrary
enforcement, create unacceptable risk for firms.
▪ Explicit local data storage and processing. Countries prohibit transfer to other countries.
▪ Explicit local—and discriminatory—data processing, routing, and storage. Some countries
use discriminatory licensing, certification, and other regulatory restrictions to require
local data storage and exclude foreign firms entirely from managing and processing local
data.
THE FIVE RATIONALES FOR DATA LOCALIZATION
Justifications for data localization have evolved. Some policymakers still inadvertently support
localization, as they do not understand how firms manage data on a global basis while complying
with local laws. However, more policymakers openly support localization as a form of
protectionism. More policymakers (such as in France, India, and South Korea) are being creative
in using arbitrary and opaque licensing, certification, and other regulatory restrictions to
indirectly require data localization (and exclude foreign firms and products). These policymakers
seek to avoid scrutiny from trading partners by pushing restrictions deeper into technical and
administrative regulations.
Nearly all data localization proposals involve mixed motivations. Policymakers often take a “dual-
use” approach with an official and seemingly legitimate objective, such as data privacy or
cybersecurity, when their primary (hidden) motivation is protectionism, national security, greater
control over the Internet, or some combination of these. In some cases, such as India, they use
all of them.9 A telltale sign of hidden motivations is a lack of evidence, transparency, debate,
and engagement around a data localization proposal.
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 5
This section analyzes the five key motivations policymakers use to justify data localization
policies.
Misguided Data Privacy, Protection, and Cybersecurity
As more countries enact updated data protection frameworks, it is nearly inevitable that some
policymakers will propose data localization as they reflexively and mistakenly believe that the
best way to protect data is to store it within a country’s borders. This misunderstanding remains
at the core of many data-localization policies. However, the security of data does not depend on
where it is stored.10
First, organizations cannot escape from complying with a nation’s laws by transferring data
abroad. As a result, data localization is not necessary to force an organization to comply with
domestic data laws. For example, if a county requires businesses to disclose data breaches, they
would have to make this report whether the data breach occurs domestically or abroad. Similarly,
businesses cannot circumvent data protection laws by transferring data abroad—laws and
contracts can still hold them accountable for how they use data. Most companies doing business
in a nation, including all domestic companies and most foreign ones, have “legal nexus,” which
puts them in that country’s jurisdiction. This is crystal clear for firms in financial, payment, and
other heavily regulated sectors, given their need to apply for licenses to operate.
It is nearly inevitable that some policymakers will propose data localization as they reflexively and
mistakenly believe that the best way to protect data is to store it within a country’s borders.
Second, the security of data depends primarily on the logical and physical controls used to
protect it, such as strong encryption on devices and perimeter security for data centers. The
nationality of who owns or controls servers or which country these devices are located in, has
little to do with how secure they are. For example, one of the most notorious hacks occurred
against domestic, on-premise servers of the U.S. government in the U.S. Office of Budget and
Management data breach.11
Policymakers misunderstand that the confidentiality of data does not generally depend on which
country the information is stored in, only on the measures used to store it securely. A secure
server in Malaysia is no different from a secure server in the United Kingdom. Data security
depends on the technical, physical, and administrative controls implemented by the service
provider, which can be strong or weak, regardless of where the data is stored.
Policymakers focus on the location of data storage, in part, because they do not want to tackle
the more challenging factors that actually contribute to good cybersecurity, such as building
greater cybersecurity awareness by users and firms and encouraging firms and government
agencies to adopt and remain committed to best-in-class cybersecurity practices and services.
Good cybersecurity is just as much about the people involved in managing, protecting, and
accessing the data as it is about the data itself, as they are central to most cybersecurity
incidents, such as the failure to update vulnerable systems or credentials being lost via phishing
attacks.
Data localization actually undermines cybersecurity. First, it prevents the sharing of data to
identify IT system vulnerabilities and help firms detect and respond to cyberattacks. For
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 6
example, in 2020, India’s Securities and Exchange Board released a cybersecurity circular that
requires financial firms to localize a broad range of data that would do just this.12 Firms need to
share data to reconcile if cyberattacks (such as those in China, India, Russia, or elsewhere) are
new or known. Sharing system vulnerability information also allows cybersecurity providers to
identify vulnerabilities.
Second, data localization precludes cloud service providers from using cybersecurity best
practices, such as through “sharding,” wherein data is spread over multiple data centers. This
gets to the broader point: While cloud computing does not guarantee security, it will likely lead
to better security because implementing a robust security program requires resources and
expertise, which many organizations (especially small and medium-sized ones) lack. But large-
scale cloud computing providers are better positioned to offer this protection. For example,
certain cloud providers offer their users advanced encryption tools to allow them to retain and
use encryption keys before data is uploaded, thereby preventing third parties, including the cloud
companies themselves, from accessing their data.13
“Data Sovereignty” Subsumes Digital Protectionism as a Leading Motivator
Digital protectionism remains a key motivation behind many countries enacting data localization
practices, but it has been subsumed into a broader narrative around cybersovereignty (also called
data sovereignty or digital sovereignty) and control.
Data localization’s use for protectionism has evolved in recent years. More and more
policymakers look to use it to favor local firms as they realize that data-driven innovation is at the
heart of modern competitiveness and they haven’t made the long-term investments in education,
infrastructure, and other enabling factors that actually help firms and economies become more
competitive.14 For example, India’s Non-Personal Data Governance Framework initially included a
proposal to force firms to share anonymized datasets (undoubtedly to help local firms). Europe,
India, South Africa, and others use localization to target U.S. firms explicitly.15 Proponents often
call for “policy space” for developing countries to enact protectionist-based, state-directed
digital industrial policy strategies.16
Policymakers commonly portray cybersovereignty as a strong yet nebulous concept, usually
referring to the assertion of state control over data, data flows, and digital technologies.17 That it
helps countries “take back control” and “sovereignty” from foreign technology firms and trading
partners (mainly the United States, but increasingly China as well) offers added appeal to
them.18 Misconceptions about data and cybersovereignty miss the point that a complex interplay
of economic, governance, social, and political factors determines a country’s position on digital
issues. Policymakers deliberately—and deceptively—use these concepts to condense complex
phenomena into catchy phrases.
Proponents think that forcing firms to store data locally enhances the state’s agency and that of
their own firms and people. At best, the agency gained by data localization is illusory. In many
cases, it is counterproductive. And in the case of authoritarian countries, it is predatory given the
agencies data localization supports are those involved in surveillance and social and political
control. So it’s no surprise that authoritarian countries such as China and Russia are the most
significant users of these concepts (and data localization) as they align with their main political
interests—maintaining power through access and control over data. Both countries frequently
cite sovereignty as part of advocacy to create a top-down, state-directed global Internet (as
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 7
opposed to the open, multistakeholder-based approach favored by democratic countries). The
push for cybersovereignty among countries that are not inherently authoritarian gives cover to
countries like China and Russia.
Europe is a leading offender. European leaders such as German chancellor Merkel and French
president Macron explicitly call for both digital protectionism and data sovereignty.19 The fact
that senior European policymakers think that data stored on a foreign cloud service represents
lost sovereignty shows how little some understand how firms manage data, and how much they
prioritize this misguided sense of control.20 Europe tries to position itself as a moral leader of
digital regulation, using concerns over data protection and artificial intelligence (AI) to cloak
their discriminatory and restrictive policies. Europe’s protectionist intent appears in nearly every
digital policy proposal. Europe’s GDPR is evolving into the world’s most significant de facto data
localization framework. Europe’s draft data strategy pushes for data localization and asserts that
the EU needs cloud providers owned and operated in Europe.21 Likewise, Europe’s white paper
on AI advocates data localization precepts.22 It is also evident in the proposal for a European
cloud via GAIA-X.
At best, the agency gained by data localization is illusory. In many cases, it is counterproductive. And
in the case of authoritarian countries, it is predatory.
Policymakers, academics, civil society advocates, and business leaders in many developing
countries have turned to the related concept of “digital colonialism” to use data localization as
part of broader efforts to disadvantage or block foreign tech firms.23 It’s most frequently used in
the outdated and ideologically driven narrative about the “global north” and “global south.”24 It’s
popular in India, South Africa, and the United Nations Conference on Trade and Development
(UNCTAD). Many proponents are ideologically driven, opposing capitalism, big businesses, the
United States, and, in some cases, the use of data and digital technology itself.25 Local tech
firms often try to take advantage. India’s richest man told India’s prime minister to take steps to
end “data colonization” by global firms, saying Indians (presumably meaning his e-commerce
operations) should own and control data.26
Data Localization for Censorship and Surveillance
Countries use data localization as a cudgel to force foreign firms to provide easier access to data
for surveillance and political purposes and force compliance with censorship requirements.
Commonly mixed into this rationale is the specter—both real and imagined—of foreign
surveillance as a rationale for data localization, when it actually enables their own surveillance.
Digital authoritarian governments—led by China and Russia—see physical access to data centers
as a critical enabler of surveillance and political control. Data localization enables political
oppression by bringing information under government control and allowing the government to
identify and threaten individuals, thereby impacting privacy, data protection, and freedom of
expression.27 China retains broad and vague legal authority in its laws to potentially access data
for national security, public interest, and political purposes.28 The lack of an independent
judiciary and the opaque nature of these laws make it hard to judge how China uses these broad
powers.29 Yet, this doesn’t stop these countries from referring to “data privacy” as a motivation
for localization.30
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 8
Recent laws introduced in Pakistan and Vietnam highlight how data localization does not lead to
greater data privacy—but rather the exact opposite in making it easier for governments to access
a small number of servers. Related, but different from this authoritarian motivation, is when
countries, such as India, enact short deadlines for firms to respond to content takedown requests
that create a de facto localization requirement. Firms have to do this; otherwise, they would not
be able to comply (and thus avoid fines and other legal consequences).31
Data localization is central to Vietnam’s evolving online censorship and surveillance regime.
Vietnam’s Law on Cybersecurity requires online firms to store personal and other data types
locally and establish a local office in Vietnam. Its motivation is broad and vague: to protect
national security, social order and safety, social ethics, and the health of the community.32 Firms
must have a license and at least one server in Vietnam for inspection at any time, store detailed
information about users and their activities, and remove illegal content within three hours of
notice.33 Concerns about how Vietnam could use this to facilitate government access to data are
real given the country does not have a dedicated, independent data protection agency; the
responsible agency is the Ministry of Public Security.34
Digital authoritarian governments—led by China and Russia—see physical access to data centers as a
critical enabler of surveillance and political control.
Pakistan is also using data localization to support censorship and surveillance. Pakistan’s
“Removal and Blocking of Unlawful Online Content” includes broad data localization
requirements. It also allows the government to force companies to block content critical of the
government and facilitate access to user data. It allows the Pakistan Telecommunication
Authority to avoid existing data access and privacy safeguards, and to intervene on behalf of law
enforcement agencies to ask social media companies to provide user data.35 It also makes it
mandatory for firms to retain information, including traffic data linked to blocked content, and
decrypted information about subscribers and their activity.
Data Localization for Law Enforcement and Regulatory Oversight
Countries continue to use law enforcement and regulatory concerns about cross-border access to
data, both to justify data localization and as an excuse for digital protectionism. Some
policymakers say data localization is the only way to get local and foreign firms to respond to
requests for data from law enforcement and financial regulators. This reflects the mistaken belief
that firms can avoid oversight and requests for data by simply transferring data out of a country,
and that firms can pursue some form of regulatory or legal arbitrage in terms of picking and
choosing which country’s laws they follow and which they don’t.36 Data localization requirements
do not change who is responsible for the data, regardless of where it is stored.
Some countries support data localization due to the lack of effective cross-border law
enforcement legal tools and treaties. If data is stored locally, the thinking goes, foreign
governments will not be able to halt investigations by stopping providers from fulfilling
government requests. This mistaken belief was central to proposed localization elements in
India’s draft data protection law.37 However, policymakers in India fail to acknowledge all the
contributing factors. For example, Indian law enforcement often files MLAT requests that are
incomplete, poorly drafted, or inappropriate (or requests that aren’t related to criminal activity).38
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 9
For example, after the Department of Justice (DOJ) advised an Indian prosecutor to fill out an
MLAT in 2012 to obtain U.S.-stored information, the court instead issued a summons for several
U.S. tech firms for not cooperating.39 Other policymakers use this law enforcement motivation to
support localization as a disguise for different goals, such as surveillance and protectionism.
Law enforcement-motivated data localization often stems from the fact that policymakers do not
want to address the underlying issues with existing legal mechanisms to improve the process of
making cross-border requests for data. The transnational nature of crime and digital services
means that countries will inevitably need other countries’ help—even if they have localization
policies in place. For example, a European Union report states that electronic evidence in some
form is relevant in around 85 percent of total criminal investigations and that 55 percent of
investigations require cross-border access to electronic evidence.40 Current legal tools definitely
need upgrading. For example, conflicting laws can put firms in a “catch 22” scenario wherein
they face lawful requests for access to data from one country the release of which may be legally
prohibited in another.41 Governments also have mismatched legal-assistance treaties and laws.
Data localization requirements do not change who is responsible for the data, regardless of where it
is stored.
Financial regulatory oversight agencies use localization to target publicly listed companies,
payment services, banks, and other financial firms, as they think it’s the only way to access data
they need for their oversight responsibilities. U.S. financial regulators initially sought the option
for data localization (before, thankfully, backtracking) for financial oversight.42 The Reserve Bank
of India cited the need for “unfettered” access to data for monitoring purposes in trying to justify
its payments data localization requirement. Yet, policymakers in China, India, Turkey, and
elsewhere that use this motivation for localization routinely fail to provide evidence that they face
genuine cross-border issues related to financial oversight.43 The false promise of “unfettered”
access is made clear by the fact that even with local storage, regulators will still have to request
firms to decrypt the data, in line with relevant legal checks and balances, before the data can be
viewed.
Whether it is law enforcement or regulatory related, data localization is not the silver bullet
policymakers think it is for improving access to data. The self-defeating nature of localization
becomes clear given the scenario in which every country requires localization, thus preventing
the cooperation that will still inevitably be needed given the interconnected nature of the
Internet, such as emails between two people and providers in different jurisdictions. But the
potential for regulatory-motivated digital fragmentation is much broader. For example, medical
labs must disclose confidential data about infectious diseases, firms must share clinical trial
data with medical authorities, banks must disclose data on suspicious transactions, and
accountants and their clients must share data for tax audits. It’s up to rule-of-law and rights-
respecting countries to set up appropriate mechanisms to improve these processes.
Data Localization Motivated by Geopolitical Risks and Financial Sanctions
Some countries use data localization, alongside other policies, in preparation for largely
hypothetical (and unlikely) international financial sanctions. Some see the national payments
system as part of the country’s critical infrastructure and that the use of global payment networks
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 10
represents a systemic, geopolitical, and sovereign risk, as these payment services are not locally
owned.
Russia is the lead example. Russia required payments data localization as part of an initiative to
create a Russian payment system (called MIR) after international sanctions in 2014 targeted
Crimea-based services (forcing Visa and Mastercard to end services there). These sanctions
raised the hypothetical risk of it being cut off from the global financial system.44 Russia also
forced its banks to accept and issue MIR credit cards and use MIR for government-related
payments.45 This motivation is thus closely tied to Internet sovereignty, but again showing the
overlap, also relates to protectionism, given it represents (digital services) import substitution.
However, Russia is unique, as its disregard for international law and norms makes it a frequent
target of sanctions. The vast majority of countries will never face international financial
sanctions.
Despite the extraordinarily low probability of sanctions, Indonesia, Mexico, South Africa, and
Vietnam have all misused national security and sovereign risk to justify payment services-related
restrictions, including data localization. For example, in 2018, the South African Reserve Bank
imposed a moratorium prohibiting the migration of domestic transaction volumes from
BankservAfrica (South Africa’s bank-owned domestic payment switch) to international payment
schemes. It stated that “there are potential sovereign/geopolitical and financial stability risks to
SA from sole reliance on offshore processing of domestic transactions.”46 Mexico’s financial
regulators released draft rules requiring payments services to use local computing services as
part of their license application.47
ESTIMATING THE COST OF RESTRICTIONS ON DATA FLOWS
Maximizing the value of data means enabling it to move. Innovation and economic growth are
increasingly supported by how firms collect, transfer, analyze, and act on data. This section
provides a quantitative analysis of the effects of restrictions given the relationship between data
flows and economic performance. While econometric analysis provides an indicative estimate of
the economic impact (given challenges with measurement and specificity), it is still important to
do to reinforce to policymakers the negative effects of restrictions on data flows.
Estimating the Impact That Data Restrictiveness Has on Prices, Trade, and Productivity
ITIF’s model calculates a composite index—the data restrictiveness linkage (DRL)—to estimate
the linkage of downstream industries with national data restrictiveness (based on the data
intensity of those industries). We further examine the impacts that changes in data restrictions
have on total factor productivity (TFP), value-added price indices (PVA), and gross output
volumes (GOVs) at the industry level in each country (through the EU-KLEMS database). The
model runs separate log-linear regression models between DRL and these three economic
indicators to approximate the percentage changes in productivity, prices, and trade volumes
incited by changes in a country’s restrictions on data transfers (table 1). It is based on
econometric best practices as demonstrated by OECD and European Center for International
Political Economy (ECIPE).48 However, it differs in that it benefits from updated data from the
U.S. Census ICT Survey, the OECD Product Market Regulation (PMR) database, it covers
countries not covered in past models, and compares trade volumes.49 Appendix B details the
data and methodology.
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 11
Data Restrictiveness Index
ITIF uses sub-indicators from the OECD PMR Indicators database to develop a proxy
measurement of how restrictive a nation’s rules are for cross-border data transfers. By taking the
unweighted averages of select PMR sub-indicators, ITIF computes the data restrictiveness index
(DRI) of 46 countries that OECD has PMR data available for in between 1998 and 2018. Since
PMR data updates are published every 5 years, DRI of these 46 available countries is only
calculated every five years (2018, 2013, 2008, 2003, and 1998). DRI is resultantly measured
on a scale between 0 and 6, with 6 indicating the most data restrictive. As countries impose
additional data regulations such as localization, and other government barriers and
administrative requirements that limit the movement of data, their DRI increases.
PMR data is central to our model as it captures several regulations that countries use to restrict
the use and transfer of data, such as explicit localization measures and restrictions related to
administrative costs like requiring data protection impact assessments or data protection officers.
Our selection of sub-indicators used to calculate DRI between countries over time is informed by
best-practice modeling data restrictiveness via PMR proxy data as performed by a 2016 study by
CIGI & Chatham House.50
While the PMR Indicators database reports on a wide range of regulatory activity beyond just
those that determine data restrictiveness within countries, the database also provides several
PMR sub-indicators that more narrowly capture restrictions on data flows. PMR “medium-level”
sub-indicators distinguish more specific types of regulation. “Low-level” indicators refer to the
narrowest ranges of regulatory activity observed, further breaking down OECD’s medium level
indicators of PMR into more specific subjects. Pre-2018, DRI is calculated using the two
medium-level indicators “Administrative Barriers to Startups” and “Administrative and
Regulatory Opacity.” For 2018, DRI is calculated using five low-level PMR sub-indicators:
“Assessment of Impact on Competition,” “Interaction with Interest Groups,” “Complexity of
Regulatory Procedures,” “Barriers in Service Sectors,” and “Barriers in Network Sectors.” These
five fully comprise the two medium-level indicators, “Simplifications and Evaluations of
Regulations,” and “Barriers in Service and Network Sectors,” which are preferred due to their
correlations with pre-2018 data and overlap of regulatory activity.
ITIF’s method of calculating DRI for 2018 had to adjust for a change in how the OECD reported
the PMR index and sub-indicators. This was necessary to ensure the model’s use of PMR data
was consistent with pre-2018 data and measurements. To do this, our model selected several
PMR sub-indicators based on correlation trends between the pre-2018 years of DRI and between
DRI and overall PMR of the same year, as well as by the content of sub-indicators that most
specifically relate to regulations that restriction data flows. (Appendix B, equation 1 provides the
details of the calculation to form DRI measurements pre-2018, whereas equation 2 provides the
calculation used for 2018 DRI. Table 1 presents correlation trends that further justify the
selection of sub-indicators).
Data-Intensity Modifier
ITIF’s model assumes that data restrictions have greater effects on economic industries that are
more reliant on data and data-related tools and services. 2018 studies by ECIPE provide best
practices for calculating the data intensity of industries and using those scores to estimate
industry-level.51 A data-intensity modifier (DIM) following this methodology is calculated by
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 12
selecting a country exogenous to the model, the United States, for a given reference year. For
each industry noted in the KLEMS categorization, we calculate a DIM using 2013 U.S. Census
ICT Survey data on noncapitalized software expenditure and 2013 Bureau of Labor Statistics
(BLS) employment data by industry to calculate the ratios of data-related service expenditures
per worker in each industry (figure 1).
DIM ratios (computed in equation 3, Appendix B) measure data intensity between industries and
enable us to weigh national DRI measurements in countries over time at the industry level. This
allows the model to assess the straightforward point: that more data-intensive industries are more
economically impacted by data restrictions than are non-data-intensive ones. And while
calculating DIM exogenously helps control for issues of endogeneity within countries’
downstream industries, the model further assumes equal technologies between countries.
However, that assumption is commonly made among the literature of econometric modeling on
this subject and is of less concern when the set of countries within a regression model are all
economically developed ones.
Figure 1: Data intensity by KLEMS industry (as log of noncapitalized software expenditure
per worker)
Data Restrictiveness Linkage and Regression Modeling
Lastly, the model develops a composite index—the data restrictiveness linkage (DRL)—linking
the measurement of national data restrictiveness in a given year to the data-intensity of a given
industry to produce observations in terms of country-year-industry. The DRL is the independent
variable tested in regression modeling against economic performance observed at the level of
country-year-industry. Equation 4 of Appendix B (also below) provides the calculation for a given
country-year-industry’s DRL, which is simply the product of DRI and DIM.52
0
2
4
6
8
10
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 13
(4)
=
The model is used to test three separate regressions modeling trade outputs, prices, and
productivity to examine the economic impact national data restrictions have on downstream
industries. Dependent variable data at the level of country-year-industry is most widely provided
by the EU-KLEMS database, from which we select three measurements to be regressed against
DRL: gross output volume (GOV) to indicate trade activity (equation 5), TFP to indicate economic
productivity (equation 6), and price index based on value added to indicate prices of goods and
services (equation 7).
While OECD PMR data allows 46 countries to be sampled, the constrained availability of data in
the EU-KLEMS database means that industry-level trade data is limited to 28 developed OECD
member nations. These 28 countries include in both OECD and EU-KLEMS data comprise the
set of countries included in regression analysis. The downside is this omits many developing and
non-OECD countries. However, the model’s core components (DRI and DIM, and the impact they
have on trade volumes, prices, and productivity) can be applied to any country, as they are
representative estimates of data usage and the effect of restrictions (such as in Russia, China,
and Indonesia). Equations 5, 6, and 7 provide the full regression models used to produce results
shown in table 2.
(5) [Trade Volume Regression: Volume of Gross Output Traded using 2010 Reference Prices
(GOV)]
ln= + + + +
(6) [Productivity Regression: Total Factor Productivity]
ln= + + + +
(7) [Prices Regression: Aggregate Price Index for Valued Added on Industry Goods and Services
(PVA)]
ln= + + + +
GOVxyt, PVAxyt, TFPxyt
are the economic measurements for a given country-industry-year. ϕ
is the
equation intercept (β0 estimate in log-linear regressions). θ
is the
coefficient of DRL (β1 estimate
in log-linear regressions).
DRLx y t-1
is the DRL for a given country-industry-previous year. ε
xyt
represents the equation error term. The model further controls for issues of endogeneity by
implementing a time lag, wherein economic indicators in a given year are regressed against the
DRL of the previous year. Change in economic performance is also not often immediately
observable in the year new policy is enacted, further supporting a time lag. Lastly, this model
provides controls so that regression results of DRL’s impact on GOV, PVA, and TFP are accurately
estimated by providing fixed effects for country-year and industry-year level. Fixed effects are
added based on best econometric practice and control for the many country-, time-, and
industry-specific factors not able to be accounted for that assuredly affect GOV, PVA, and TFP.
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 14
These dependent variables are taken as natural logs to be regressed because log-linear regression
coefficients best estimate the percentage changes associated with unit changes in the
independent variable of interest.
General Model Results: Data Restrictiveness Has a Significant Impact on Prices, Trade,
and Productivity
The model shows that restricting data flows has a statistically significant negative impact on an
economy. Table 2 provides greater statistical detail on regression results. All coefficient
estimates are statistically significant above the 90 percent confidence level, with PVA having an
estimate p-value just above 0.05 (95 percent confidence level). TFP and GOV, however, are both
highly statistically significant above the level of 99 percent confidence. Interpreting the
coefficient estimates of DRL by the log-linear regression interaction provides the percentage
changes in GOV, TFP, and PVA associated with a one unit increase in a country’s DRI.
Table 2: Regression results
Dependent
Variable
Coefficient
Estimates of Data
Restrictiveness
Linkage
Pr(>|t|) Standard
Error
Number of
Observations R-Squared
ln(TFP) -0.02918 *** 0.000937 0.0088 1691 0.1165
ln(PVA) 0.01448* 0.063356 0.0078 2351 0.2271
ln(GOV) -0.07306*** 0.00005 0.018 1990 0.9496
Note: Robust standard errors in parentheses, *** p<0.001, ** p<0.05, * p<0.1
Source:
Authors.
Restrictions on data flows are most strongly associated with a decrease in GOVs. Gross output
measures the total amount of goods and services traded, including both final and intermediate
output. By interpreting the regression coefficient -0.073, the model finds that on average, a 1.0
unit increase in a country’s DRI (from the sample of 28 OECD member countries) is associated
with a 7.05 percent decrease in its gross output traded. This naturally gives a relationship
between data restrictions and gross output that is higher than a more traditional measurement of
economic growth such as gross domestic product (GDP), which accounts for only final outputs
produced. Loss in gross output surely still indicates a loss in GDP, but by a notably smaller
proportion given that GDP excludes measurement of intermediate outputs. While the highest
data-intensive industries identified in the model would be most affected, such as
Telecommunications or Other Business and ICT, nearly every single sector of economic activity
requires some usage of data to facilitate trade, from mining to retail to construction.
More significant data restrictions also artificially increase the prices (and reduce the supply) of
goods and services that rely on data, such as data analytics, targeted advertising, and software
used to manage global workforces, product networks, and supply chains. The model estimates
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 15
that countries that restrict data transfers experience lower trade volumes, leading to increased
prices of goods due to reduced supply. Data localization may also force a more-innovative and
price-competitive service provider from the market, thus allowing a more expensive or inferior
product to seize market share.
Over five years, a one-unit increase in a country’s DRI is associated with a 7 percent decrease in its
gross output traded, a 2.9 percent decrease in productivity in downstream industries, and a 1.5
percent increase in prices among the goods and services those industries provide.
The regression model’s results support this intuitive analysis of the trade and economic impact
resulting from countries’ data localization policies. The model finds that a one-unit increase in a
country’s DRI is associated with a 1.5 percent increase in the prices of goods and services that
downstream industries produce (in aggregate, over five years). This result means that as data
becomes more heavily restricted, the remaining output among industries becomes more
expensive to consumers than would otherwise be expected in a scenario wherein there exists free
flows of data and data-driven goods and services.
Data and data-driven tools are increasingly important determinants of productivity, which is
essential to long-run economic growth. Estimating TFP helps policymakers understand how
efficient industries are at using their production inputs and how innovative those industries are
at utilizing new technologies. Our regression modeling on TFP finds that a one-unit increase in a
country’s DRI is associated with a 2.9 percent decrease in productivity in downstream industries.
This negative productivity shock can cause GDP to decrease, with a 2.9 percent decrease in a
country’s productivity translating to notable losses in living standards and economic growth.
Without access to the most competitive and innovative data-related inputs, firms must use
available labor and capital less efficiently, which reduces productivity and, of course, translates
into decreased economic growth at the national-economy level.
Specific Model Results: China, Indonesia, Russia, and South Africa All Suffer From
Data Restrictiveness
Applying the model’s statistically significant relationships on data restrictiveness, lower
productivity, less trade, and higher prices allows one to estimate the economic costs in countries
of interest beyond the OECD sample set. While the model’s findings on the relationships between
increased data restrictions and changes in TFP, PVA, and GOV are identified in the context of
developed OECD countries, the model’s findings still have value in being applied to countries
beyond this context, given the degree of statistical significance identified in variable
relationships and the lengths of controls placed in the model via multiple fixed effects. Since
econometric modeling using a proxy variable (DRI, and in turn, the compositive index DRL) is not
an exact measurement of national data restrictions per country, some countries may naturally be
underestimated or overestimated. Proxies are further constrained in their extended application by
the availability of data for observations outside a studied sample. However, analysis of a proxy
variable still identifies significant trends in data on average.
ITIF selected four nations—China, Indonesia, Russia, and South Africa—whose DRI and changes
in DRI (between 2013 and 2018) strongly support qualitative findings of expanded data
restrictions in this report and are therefore known to be well fitted by the proxy variable used.
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 16
The countries listed in table 3 all have data in the OECD’s PMR database for both 2013 and
2018 (the most recent years available), allowing us to calculate their changes in DRI over that
time (unfortunately, there isn’t data for India for both years, otherwise it would also be added).
The ranking includes all 46 countries with DRI able to be calculated between 2013 and 2018
(where a rank of first indicates the most data restrictiveness). Figures 2 and 3 of Appendix B
details 2013 and 2018 rankings for these 46 countries. By multiplying the changes in DRI
observed between 2013 and 2018 by the percentage changes in GOV, TFP, and PVA associated
with a unit increase in DRI, the model can estimate the economic costs borne by countries that
imposed additional restrictions on data (model produces an aggregate total for 2013 to 2018).
Changes in the DRI ranking align with the report’s analysis and listing of data localization
measures. China was the most restrictive country in both 2013 and 2018. Over those six years,
China’s DRI increased by 0.25 points. Our econometric analysis estimates that over five years,
these restrictions decrease output by 1.7 percent and productivity by 0.7 percent and leads to a
0.4 percent rise in prices among downstream industries.
Table 3: Economic costs of case studies due to changes in DRI
Country 2013
DRI
2013
DRI
Ranking
2018
DRI
2018
DRI
Ranking
DRI
Difference
Total
Cumulative
Change in Gross
Output Volume
(2013–2018)
Total Percent
Change in
Productivity
(2013–2018)
Total Percent
Change in
Prices
(2013–2018)
China 3.88 1st 4.13 1st 0.25 -1.7% -0.7% 0.4%
Indonesia 2.03 19th 3.14 4th 1.11 -7.8% -3.2% 1.6%
Russia 1.38 39th 2.08 12th 0.70 -4.9% -2.0% 1.0%
South
Africa 2.17 16th 3.47 2nd 1.30 -9.1% -3.7% 1.9%
Note:
DRI rankings are based out of 46 countries maintained in both 2013 and 2018 within the OECD “Indicators of
PMR” database. As a result, this ranking excludes notable countries such as India and Argentina.
Source:
Authors.
Indonesia, Russia, and South Africa are all notable cases that reflect their growing interest in
enacting barriers to data flows in recent years. Both Indonesia’s and South Africa’s DRI rankings
increased by 1.0 point between 2013 and 2018. These two countries face the most significant
marginal losses by changes in data restrictiveness policy over this time span. The model
estimates that over five years from 2013 to 2018 (cumulatively), South Africa’s volume of gross
output fell by 9.1 percent, productivity fell by 3.7 percent, and prices rose by 1.9 percent due to
increased restrictions imposed on data flows.
For Indonesia, the model estimates that over the five years, its more-significant data restrictions
reduced GOVs by 7.8 percent, lowered productivity by 3.2 percent, and raised prices by 1.6
percent. In the case of Russia, its heightened data restrictions between 2013 and 2018 cost an
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 17
estimated 4.9 percent reduction in trade volume, a 2.0 percent reduction in productivity, and a
1.0 percent increase in prices of goods and services on average nationally.
These losses in trade and productivity due to increased data restrictiveness held back these
countries’ potential economic growth. Had South Africa and other countries not enacted more
restrictions on data, their economies would not have suffered the expensive marginal costs of
data localization estimated by the model.
RECOMMENDATIONS TO BUILD GLOBAL DATA GOVERNANCE AND CONSTRUCTIVE
ALTERNATIVES TO DATA LOCALIZATION
Building an open, rules-based, and innovative global digital economy will depend on a small
group of proactive and ambitious countries working together. This path ahead reflects the fact
that there is no global forum for cooperation and progress on data issues—and nor should there
be at this stage. Former Japanese prime minister Abe deserves a lot of credit for putting data
governance and localization on the global agenda with his concept for “data free flow with trust,”
which is a vision wherein openness and trust exist in symbiosis, not as contradictions.53 However,
it is still conceptual and has not been defined.
Countries that support this goal will need to work together to develop new norms, rules,
cooperation mechanisms, and agreements to address legitimate concerns raised by cross-border
data flows while supporting the free flow of data. These initiatives can then form the foundation
for broader debate, adaptation, and adoption to expand to more issues and countries. It will be
challenging to develop a common agenda, even among core countries such as Australia, Canada,
Chile, Japan, New Zealand, Singapore, the United Kingdom, and the United States. It will be
difficult, if not impossible, to make meaningful progress in any forum that involves China,
Russia, and others that support digital protectionism and control. It’s hard to include Europe
given its inability to genuinely engage and collaborate with counterparts unless its privacy
preferences prevail over everyone else’s.
This section outlines key recommendations to build global data governance. It starts by providing
high-level recommendations.
Recommendations on data governance best practices:
▪ Governments should provide multiple mechanisms for the cross‑border transfer of
personal data. These mechanisms should be accessible to firms of all sizes. Countries
should explicitly mention acceptable frameworks and standards for transfers.
▪ Governments should encourage businesses to improve transparency on how they manage
data, including on a global basis, such as by regularly disclosing information about
government requests for data.
▪ Governments should support global, market‑led, voluntary, and consensus‑based efforts
to develop and use data and digital technology standards, such as via multistakeholder
forums and intergovernmental forums (e.g., OECD).
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 18
▪ Governments should protect cloud-based government data and services by ensuring that
cloud providers are audited and certified against national and international standards,
sector-specific regulations (such as health care and financial), national certifications
(e.g., U.S. FedRAMP, Germany C5, Australia IRAP), and global accreditations (e.g., ISO
27001 and ISO 27018).54
▪ Developed economies should provide technical assistance and capacity‑building
assistance to developing economies to help them build their data governance framework.
Recommendations to support digital free trade and counter digital protectionism:
▪ Support an ambitious outcome on data flows at the e-commerce negotiations at the WTO,
including an explicit prohibition on data localization and narrow and detailed exceptions.
The United States and others should exclude China and Russia and others that do not
support ambitious outcomes. A weak result may be worse than no deal at all.
▪ To create reciprocity, policymakers from digital free-trade countries should develop new
countermeasures against countries that enact data localization and other digital
protectionist measures. Firms from digital protectionist countries shouldn’t benefit from
open digital markets.
▪ Policymakers should encourage national, regional, and global organizations to conduct
detailed surveys about the impact of data localization and other barriers to cross-border
data transfers.55
▪ Digital free-trade countries should advocate for transparency and good regulatory
practices as part of trade agreements, such as allowing parties to request the publication
of impact assessments to ensure that digital regulations are appropriate, proportionate,
and effective.
Build Interoperability Into Global Data and Digital Economy Governance
Policymakers should put the concept of “digital interoperability” at the center of their strategy
for developing rules for the global digital economy. Interoperability means that countries enact
laws to address data privacy, cybersecurity, and other issues in broadly similar ways so that they
each provides a similar level of protection or similarly addresses a shared objective, even if their
specific legal and regulatory frameworks differ. At its most fundamental level, interoperability is
the ability for firms to transfer and use data and other information across applications, systems,
services, and jurisdictions.56 Interoperability is the most realistic goal for global data governance.
It accounts for the fact that countries have differing legal, political, and social values and
systems, and there is no one law for any specific data-related issue.
Policymakers should put the concept of “digital interoperability” at the center of their strategy for
developing rules for the global digital economy.
Interoperability is central, yet often invisible, to the integration of the global digital economy.57
Interoperability depends on governments, businesses, and other stakeholders developing
common ways to mitigate risks and address shared concerns. Interoperability has many benefits.
It supports innovation, competition, and consumer choice as it facilitates access and
development of more data and data-driven services, which reduces barriers to market entry.58 It
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 19
improves regulatory outcomes and trust as jurisdictions with similar legal concepts and
approaches address issues that arise from cross-border data flows similarly (thus avoiding
regulatory conflict, arbitrage, and avoidance). In this way, interoperability supports reciprocity
given regulatory compatibility.59 Interoperability can also build trust between trading partners, as
they have some assurance that counterparts won’t use data localization to target their firms, and
their firms’ digital products, unfairly.
While data privacy is a critical focal point for the concept of interoperability, it extends much
further to cybersecurity, payment services, financial oversight, and any number of digital
processes and services that relate to trade.60 What interoperability looks like in practice depends
on the specific sector and policy concern. Stakeholders working to build interoperability in the
global digital economy should look to develop and use different tools at different technological
layers and levels of integration (figure 1).
Figure 1: The different layers of global digital interoperability
At the first stage, stakeholders can build policy interoperability by supporting early research and
discussions about potential best practices (such as to address bias, violent content online,
certain uses of AI, e-identity, e-invoicing, or other issues) and joint pilot projects and regulatory
sandboxes to test potential regulations. All stakeholders (government, private sector, academia,
and others) should have the opportunity to participate, given these early discussions represent
brainstorming and the testing of regulatory ideas.
At the second stage, stakeholders can build technical interoperability so that data and digital
services can move across jurisdictions, and between different applications and infrastructure,
with straight-through processing—that is, processing data and digital services without additional
human intervention. Otherwise, differential and restrictive regulations can prevent technical
systems from working across borders. Application Programming Interfaces (APIs) and
international standards are two key tools that create common protocols and specifications that
allow different services and applications to connect and work across jurisdictions.61 For example,
the International Organization for Standardization and the International Electrotechnical
Commission joint committees are developing standards to facilitate technology interoperability,
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 20
including of AI, big data, and Internet of Things systems.62 Digital economy agreements cite
specific international standards to ensure interoperability between payment systems.63 There are
also initiatives such as the U.S. National Institute of Standards and Technology’s Cybersecurity
Framework and APEC’s Cybersecurity Workstream that seek to build a risk- and standards-based
approach to cybersecurity.
At the third stage, stakeholders can build network interoperability so multiple parties can
connect their individual systems to a broader network to ensure seamless processing. Much like
the Internet, networks need common rules and regulations to support reliability and access. For
example, payment network interoperability involves bilateral agreements and connections (e.g.,
between a payment network and a central bank or a remittance provider) to provide processing
across multiple networks for complex cross-border transactions.
At the fourth and final stage, governments build regulatory interoperability through mutual
recognition agreements between countries, recognizing other countries’ respective regulatory
approvals or certifications as valid in their own country, and explicitly referencing specific
standards and legal frameworks (such as APEC CBPR).
Pursue New Digital Economy Agreements and Mechanisms for Cooperation
The global digital economy is in dire need of new rules to protect digital trade and data flows.
However, these rules are not sufficient given how fast technology and regulatory requirements
change. Technology and associated business models outpace traditional trade agreements and
domestic regulations related to data and digital trade. This mismatch in speed will continue.64
Digital trade needs early and ongoing engagement to ensure regulatory interoperability, both now
and in the future. It is the reverse approach in Europe—rush to regulate and restrict and then
consider international implications (when reforms to address barriers to trade are hard to do).
Digital trade cannot be just one and done as in traditional trade negotiations. Digital economy
agreements should be living agreements.65 Countries such as Canada, Japan, the United States,
and others that support an open, innovative, and integrated global digital economy should join or
emulate the digital economy agreements Australia, Chile, New Zealand, and Singapore have
negotiated.66
Digital economy agreements combine legally binding and enforceable commitments on well-
known digital trade issues (such as data localization) and soft commitments to cooperate on
emerging regulatory issues (via memorandums of understanding (MOUs)). They can adjust to the
changing nature of digital trade, technology, and regulation. This involves proactively bringing
domestic regulatory agencies into trade discussions when they are only just starting to think
about new rules for digital issues. The nonbinding nature of the cooperation enables
experimentation and allows partners to address new problems quickly without getting distracted
by the horse trading involved in traditional trade negotiations.
Digital economy agreements represent a flexible and accessible approach to building
interoperability between digital economies at varying levels of development. In particular, the
Chile-New Zealand-Singapore Digital Economy Partnership Agreement (DEPA) and its modular
structure for its various issue (AI, e-identities, data flows, open data, fintech, e-invoicing, etc.)
areas are open to all who can meet its ambitions.67 Canada and Korea have expressed interest in
joining. Just as APEC’s early and ongoing digital economy discussions built the foundation for
the ambitious digital rules in the Comprehensive and Progressive Agreement for Trans-Pacific
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 21
Partnership (CPTPP), so too can these digital economy modules provide the basis for new norms
and rules.68
Digital economy agreements raise different challenges to traditional trade negotiations. Mainly,
they require genuine buy-in from regulatory agencies to work with their trade colleagues and their
foreign counterparts. MOUs and soft commitments to cooperate in trade agreements are a dime a
dozen. The benefits of digital economy agreements depend on parties bringing the commitment
to cooperate to life. For example, Australia and Singapore have already done a joint study to
identify ways to cooperate on new digital standards. They are also developing pilot projects for
shared e-identify and e-invoicing policies.69
The benefits of digital economy agreements are harder to quantify than are the econometric
modeling of tariff cuts in traditional trade agreements. Firms benefit from the certainty of
knowing they can transfer data as part of cross-border digital trade and innovation. In the long
term, firms also benefit from early regulatory interoperability by avoiding barriers to digital trade
related to new laws. Regulatory engagement also builds trust and confidence among regulators
(and consumers) that trade commitments on data do not impede regulatory responsibilities (for
privacy, etc.) and can improve oversight as it allows information sharing and joint investigations.
Support Data-Driven Health Research via Interoperability Frameworks
Countries that recognize the value in supporting data-driven health research should work together
to create domestic and international frameworks to facilitate the reasonable, responsible, and
ethical cross-border sharing of health and genomic data. Data-driven health services and
research holds enormous societal and economic benefits. From screening chemical compounds
to optimizing clinical trials to improving post-market surveillance of drugs, the increased use of
data and better analytical tools such as AI hold the potential to transform drug development,
leading to new treatments, improved patient outcomes, and lower costs.70
Yet, health and genomic data are among the most common targets of data localization.71 Health
data requires specific attention, as it often involves sensitive personal data. However, enacting
overly severe restrictions on its use does nothing to help improve health outcomes. For example,
multiple joint EU-U.S. health research initiatives have ended or been severely restricted due to
the EU’s GDPR.72 A growing number of health firms and researchers have called for governments
to step in as restrictive data privacy rules prevent cross-border health research. For example, in
February 2020, leading health researchers called for an international code of conduct for
genomic data following the end of their first-of-its-kind international data-driven research project
that ran into significant issues when using data centers across various regions.73
Policymakers should create clear rules and frameworks to allow people, firms, universities, and
public agencies to share health data. For example, the Global Alliance for Genomics and Health
brings together hundreds of health care, university, and biopharmaceutical and technology
companies to create ways to enable the responsible, voluntary, and secure sharing of genomic
and health-related data.74 The World Economic Forum’s Breaking Barriers to Health Data is also
working to build a pilot project that uses federated data systems to share genomic data.
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 22
Use APEC’s Cross-Border Privacy Rules to Build a Global Data Privacy Framework
Australia, Canada, Japan, Singapore, the United States, and others interested in developing a
high-standard framework for data protection and digital trade should use APEC’s Cross Border
Privacy Regime to create a global interoperable model for data governance.
Europe’s push for harmonization—that every country adopt its ever-shifting and restrictive
approach to data privacy—is misguided and untenable in the long term. There is no single data
privacy law. Countries should ignore European privacy officials' critical view of interoperability,
which threatens their strict adherence to privacy fundamentalism.75 There is no way every
country will harmonize rules on government surveillance, government access to data, and data
privacy. As U.S. Deputy Assistant Secretary for Services Christopher Hoff tweeted, “A lot of
awesome things about the GDPR but there have been 13 adequacy decisions in the past
26 years and one keeps getting knocked down. So interoperable frameworks ... have to be
the future.”76
APEC’s CBPR is an accountability-based mechanism that facilitates privacy-respecting data
flows.77 Firms must implement a set of data privacy policies consistent with the APEC Privacy
Framework, such as those on accountability, notice, choice, collection limitation, integrity of
personal information, uses of personal information, and preventing harm. An APEC-approved
accountability agent audits and certifies companies meet these commitments. Each CBPR
member country’s data privacy agency is responsible for enforcement. Despite being in place for
some years, CBPR is still in its early stages, with only around 40 certified companies, such as
Apple, Cisco, IBM, Tencent (their Singapore entity), and Mastercard. Thus far, Australia,
Canada, Chinese Taipei, Japan, Mexico, Singapore, South Korea, and the United States
have joined CBPR.
Countries that recognize the value in supporting data-driven health research should work together to
create domestic and international frameworks to facilitate the reasonable, responsible, and ethical
cross-border sharing of health and genomic data.
Existing CBPR members should open CBPR to non-APEC members so it can become a global
(rather than regional) model for data governance. The United States has proposed this.78 CBPR
would be attractive to a diverse range of countries. Other APEC and non-APEC countries could
join the system, the benefits of which would grow with each new member. The Philippines is
already in the process of joining CBPR. Adding Brazil, Chile, Colombia, New Zealand, Peru, the
United Kingdom, and others would make it a global framework. A global CBPR would be
attractive to governments as it would focus on core principles and accountability (rather than
strict legal harmonization), recognizing that there is no one-size-fits-all approach to privacy.
CBPR certification would also be attractive to firms as it would mean that they would essentially
be subject to one privacy regime for data transfers between all CBPR members. It would provide
enormously valuable economies of scale in terms of incentivizing firms to undergo certification.
The United States and others would need to create a new CBPR outside of APEC, as China and
Russia would likely oppose efforts to make reforms within APEC (even though they are not
members of CBPR). CBPR would essentially become a global data privacy certification
mechanism that countries could recognize as a valid legal transfer mechanism in domestic laws
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 23
(as Bermuda has done, even though it is not in APEC).79 Ultimately, a new global CBPR also
presents an opportunity for Australia, Japan, the United States, and others to bring to life a clear
alternative data governance model to the EU’s restrictive GDPR and China’s model of digital
control and protectionism.
Build a Framework for Government Access to Data
Like-minded, value-sharing democratic countries should work together to develop a “Geneva
Convention for Data” to establish common principles, processes, and safeguards to government
access to data. Such an agreement could also settle questions of jurisdiction, establish rules of
transparency, create better cooperation for legitimate law enforcement requests, and limit
unnecessary access to data by governments. Like-minded countries need to find a way to develop
a common approach that balances privacy, trade, law enforcement, and national security
interests, as concerns about mass government access to data underpin many data localization
proposals worldwide.
The Snowden revelations about U.S. government surveillance created the first major wave of data
localization proposals. Since then, concerns—real and imagined—about foreign government
access to data have led to greater data localization worldwide, even if these concerns are often
selectively and hypocritically applied (such as in Europe). Concerns about Chinese government
access to data is motivating a second wave of restrictions.
A new global CBPR also presents an opportunity for Australia, Japan, the United States, and others to
bring to life a clear alternative data governance model to the EU’s restrictive GDPR and China’s model
of digital control and protectionism.
Government access to data, especially for national security-related surveillance, is an
extraordinarily sensitive issue. Despite its sensitivity, a tightrope to progress has appeared. In
2021, the G7 put the issue on its agenda and tasked OECD to provide research and advice,
including a comparative assessment of frameworks that will hopefully identify commonalities,
conflicts, and gaps. This is enormously useful and will hopefully provide the basis for
constructive discussions.80
The best chance of developing a common approach would be via a small group of democratic,
rule-of-law countries—brought together due to shared values and interests and a commitment to
digital innovation—to discuss pragmatic ways to balance competing equities, including privacy
expectations, national security concerns, economic interests, and democratic values. The goal
would be to move away from creating nation-based clouds and instead move toward value-based
clouds. It would be pragmatic by creating common oversight and accountability measures to
reduce costs and improve trust. Ideally, any such Geneva Convention for Data would settle
questions of jurisdiction; set common terminology, safeguards, and remedies; improve
accountability and transparency; provide some independent oversight; and increase cooperation
and understanding between national security, data protection agencies, and the broader public.
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 24
Focus on Access, Not Location: Support Financial Regulatory Oversight and Data Flows
Australia, Japan, Singapore, the United Kingdom, and the United States should develop a
financial data governance strategy to advocate that financial, banking, securities exchange, and
payment regulators focus on access to data rather than where it’s stored.
Financial data is among the most targeted categories for localization. Yet, in the logical end state
where many countries enact localization, all will be hampered because today’s global digital
economy means there will inevitably be cross-jurisdictional data. Several enlightened financial
regulators—usually reticent to give up any semblance of control—have worked with their trade
officials and foreign counterparts on new legal frameworks and mechanisms for cooperation. The
goal is to support cross-border data flows while ensuring they still have access to data for
oversight purposes.81
Like-minded, value-sharing democratic countries should work together to develop a “Geneva
Convention for Data” to establish common principles, processes, and safeguards to government access
to data.
Recommendations:
▪ Leading countries and their regulators need to develop a global financial data strategy to
create “trust” mechanisms between financial regulators to ensure financial oversight does
not impede financial data flows and innovation. Financial regulators from Australia,
Singapore, the United Kingdom, and the United States demonstrate how this can be done
via new MOUs that provide certainty about regulatory responsibilities, improve
cooperation between regulators, and give assurances to firms that financial data can
move freely.82
▪ Leading countries should advocate for clear and detailed financial data governance and
transfer rules in trade agreements, such as in the U.S.-Mexico-Canada Trade Agreement
and the Australia Hong Kong Free Trade Agreement.83
▪ Build out the G7’s role as a central forum for leading countries and institutions to
manage shared concerns about financial data flows and governance. It already involves
leading governments and institutions, such as the Financial Stability Board, the Bank for
International Settlements, and the International Monetary Fund.
▪ Leading countries should pursue greater bilateral engagement to help encourage as many
countries as possible (and not in the G7/G20) that the same principles and processes are
relevant. Building understanding among financial regulators through engagement,
workshops, and conferences will be a slow process. Still, it is essential to get them
onboard with enacting the proper framework for managing financial data across
jurisdictions.
Improve Mechanisms to Help Law Enforcement Make Cross-Border Requests for Data
The globalization of criminal evidence should drive reforms regarding how law enforcement can
access communications and other records in other countries as part of legitimate investigations
while abiding by privacy and human rights protections. Criminals should not escape the law
simply because police cannot access the data they need efficiently. Unfortunately, in the
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 25
absence of updated legal mechanisms, there is the potential for a legal arms race calling for
mandatory data localization requirements, which will ultimately hurt all law enforcement efforts
to deal with what is a global problem. The following recommendations proceed along a sliding
scale from least to most advanced, depending on the country and its situation.
Countries such as India and Indonesia should review and reform domestic legal frameworks to
enable more efficient cross-border access. For example, the EU’s “e-evidence” proposal
streamlines cooperation between service providers and law enforcement in the bloc.84 Central to
this effort would be a working group with diverse stakeholders, including representatives from
different government departments, the private sector, civil society organizations, researchers, and
experts in international law to formulate reforms and model data transfer agreements.85 There are
various issues involved in improving legal cooperation and compatibility: the standard of proof,
authorized authorities and the judicial or independent validation of requests, necessity and
proportionality, the ability for service providers to challenge requests, the types of crimes
covered, and others.86
Countries should pay attention and provide the necessary resources to improve existing legal
processes and treaties, as existing legal processes and treaties are out of date, needlessly
complex, and often delayed due to poorly resourced local agencies.87 At the moment, MLATs
remain the dominant international framework for enabling cross-border data access. The MLAT
process is not working well. For example, the U.S. government can take up to 10 months to
complete MLAT requests (leading to a massive backlog), while requests from the United States
to Ireland take only 15 to 18 months.88 Meanwhile, some countries take years to respond to
requests, while others, such as Russia, often do not respond at all.89
Countries should sign on to the Budapest Convention on Cybercrime—the world’s first
cybercrime treaty, negotiated 20 years ago—and support ongoing efforts to improve it via a new
(second) protocol. This new protocol would help law enforcement agencies secure evidence from
service providers in foreign jurisdictions.90 The proposed language of the second protocol focuses
on five major provisions: language of requests, videoconferencing, emergency mutual legal
assistance, direct disclosure of subscriber information, and giving effect to foreign orders for the
expedited production of data.91
Criminals should not escape the law simply because police cannot access the data they need
efficiently. Unfortunately, in the absence of updated legal mechanisms, there is the potential for a
legal arms race calling for mandatory data localization requirements
At the most advanced stage, countries should consider new legal mechanisms that make the
exchange of data for law enforcement purposes more efficient while still providing privacy and
other safeguards. For example, the EU-U.S. Umbrella Agreement, the EU-U.S. Terrorist Finance
Tracking Program Agreement, and the U.K.-U.S. CLOUD Act executive agreement represent
useful models. They incorporate commonly recognized global privacy principles while accounting
for local interpretation and different legal structures. And overall, they work without impeding
data flows.92
The United States should pursue more CLOUD Act agreements, just as other countries should
consider reforms to allow them to enter negotiations. The United States’ first CLOUD Act
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 26
agreement with the United Kingdom established a baseline for talks with Australia and the
European Union.93 They provide a lawful mechanism for law enforcement in either the United
States or the other signatory to request data directly from a service provider in the other country
without going through the mutual legal assistance process.94 CLOUD Act agreements do not give
law enforcement agencies any new legal authority to acquire data. They simply help like-minded,
rights-respecting countries improve the exchange of data for legitimate law enforcement
investigations.95 Furthermore, the United States has made clear that it wouldn’t pursue CLOUD
Act agreements with countries that do not respect the rule of law and fundamental human
rights.96
CLOUD Act agreements are in everyone’s best interest. They minimize potential conflicts of law
between countries, thus providing legal certainty for both firms and law enforcement agencies. If
anything, non-U.S. law enforcement agencies benefit more from CLOUD Act agreements, as
many of the world’s leading service providers are American. It helps firms because it is a clear,
efficient framework. The CLOUD ACT is also a direct tool to counter data localization. It requires
DOJ to provide a written certification that a country "demonstrates a commitment to promote and
protect the global free flow of information and the open, distributed, and interconnected nature
of the Internet."97
CONCLUSION
Data-driven innovation and digital trade are only going to become more central to the global
economy. Governments need to update laws to address legitimate data-related concerns that
arise, but this should be done in a considered way so that people, firms, and governments can
maximize the enormous societal and economic benefits of data and digital technologies.
Restricting the movement of data does nothing to help improve societal or economic outcomes.
The recommendations show how like-minded countries can develop shared governance
arrangements that can work across legal systems, create reciprocity and nondiscrimination, and
build-in independent redress and oversight, all the while allowing data flows.
Meanwhile, digital protectionists and scofflaws such as China and Russia refuse to support
digital free trade or join global efforts to improve law enforcement cooperation on cybercrime.98
What is particularly crucial is that countries that support shared digital governance need to
dedicate far more resources to help the many “swing states” that have not enacted localization
and have not yet decided to follow the EU or China’s model of restrictions and control. The
success or failure of this engagement and these new agreements and legal mechanisms will go a
long way toward shaping the Internet of the future and whether it remains open, integrated, and
innovative or closed, fragmented, and based on state control.
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 27
APPENDIX A: LIST OF DATA LOCALIZATION MEASURES
This a comprehensive list of explicit, de facto, and proposed data localization policies around the
world, organized by specific region, and in some cases, country.
AFRICA
Country Type of Data Data-Localization Policy
Cote-d’Ivoire
Indirect and De Facto Localization
2013: Cote-d’Ivoire enacted privacy laws which required
firms to get pre-approval from the regulator before
processing personal data outside of the Economic
Community of West African States (ECOWAS, which
includes 15 member countries, ranging from Benin,
Ghana, Liberia, Mali, Niger, Nigeria, and Senegal).99
Ghana
Direct and Explicit Localization
2019: Ghana enacted the Ghana Payment Systems Bill &
Guidelines, which among many other things, set out the
requirements to obtain a payment systems operator
license.100 In particular, it calls for: firms to establish a
local entity, at least 30 percent local ownership, and for a
board of directors that includes at least three Ghanaians,
one of which must be the CEO. In July 2018, Ghana
issued draft regulation that required all domestic
transactions to be processed by the Ghana Interbank
Payment and Settlement Systems Limited (GhiPPS, which
is wholly owned by the Central Bank of Ghana). However,
there was significant industry concerns, so the final
implementing directive has not yet been issued.
Kenya
Indirect and De Facto Localization
2019: Kenya’s Data Protection Act excluded explicit data
localization provisions from in earlier drafts, but still
included unclear and potentially restrictive provisions
governing the cross-border transfer of personal
information, such as explicit consent for transfers of
“sensitive personal data” (a broad category) and that data
controllers provide unspecified proof that personal data
transferred abroad receives the same protection as if
stored at home. Furthermore, it empowers a political
official to prohibit the cross-border transfer of certain
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 28
categories of data, creating uncertainty for businesses.
Regulations implementing these provisions are being
developed.
Proposed Measures
2021: Kenya’s released draft data protection regulations
(to implement the Data Protection Bill) requires firms to
store data (a copy) and process data locally if the data
processing is done “for the purpose of actualizing a public
good.” This apparently includes managing an electronic
payment systems licensed under the National Payment
Systems Act; processing health data for any other purpose
other than providing health care directly to a data subject;
managing personal data to facilitate access of primary and
secondary education: and management of a system
designated as a protected computer system under the
Computer Misuse and Cybercrime Act, 2018.101
2018: Kenya released a draft Data Protection Bill for
comment that included a number of provisions that either
directly or indirectly lead to data localization.102 Kenya’s
Data Protection Bill (part VI, section 44) states: Every data
controller or data processor shall ensure the storage, on a
server or data center located in Kenya, of at least one
serving copy of personal data to which this bill applies;
The cabinet secretary shall prescribe, based on strategic
interests of the state or on protection of revenue,
categories of personal data as critical personal data that
shall only be processed in a server or data center located
in Kenya; and Cross-border processing of sensitive
personal data is prohibited.103
2016: Kenya’s Communications Authority considered
including data localization provisions within Kenya
Information Communications (Cyber-Security) Regulations
(2016). Article 10(1) required the hosting and storage of
“public information” within Kenya.
104
Nigeria
Direct and Explicit Localization
2015: Nigeria enacted broad data localization
requirements as part of the Guidelines for Nigerian
Content Development in ICT. Nigeria wants ICT companies
to “host all subscriber and consumer data” and all
government data inside the country.105
2011: The Central Bank of Nigeria enacted local storage
and processing requirement for entities engaging in point
of sale (POS) card services. Domestic transactions cannot
be routed outside Nigeria for switching between Nigerian
issuers and acquirers.
106
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 29
Rwanda
Direct and Explicit Localization
2012: Rwanda enacted a regulation that all critical
information data within government (website hosting,
email hosting, shared applications such as Document
management and e-archiving, and enterprise applications)
should be hosted in their national data center.107
Indirect and De Facto Localization
2017: Rwanda’s telecommunications regulator fined MTN
(a telecommunications company that is a subsidiary of
South Africa’s MTN Group) US$8.5 million (10 percent of
its annual turnover) for maintaining Rwandan customer
data in Uganda and for running its IT services outside the
country in breach of its license.
108
Senegal
Direct and Explicit Localization
2021: Senegal announced that it will move all government
data and digital platforms from foreign servers to a new
national data centre in hopes of strengthening its digital
sovereignty.
109
South Africa
Direct and Explicit Localization
2018: The South African Reserve Bank imposed a
moratorium prohibiting the migration of domestic
transaction volumes from Bankserv (South Africa’s bank-
owned domestic payment switch) to international payment
schemes. The South African Reserve Bank enacted the
moratorium after it found out that domestic South African
banks planned to move more of their transactions to global
payment service networks. The moratorium was to be in
place until a new policy was developed and enacted.110
Indirect and De Facto Localization
2013: South Africa’s Protection of Personal Information
Act (the POPI Act), which makes the transfer of personal
information outside of South Africa subject to certain
exceptions, which raise potential concerns about how
these rules will be interpreted and enforced, as they could
become de facto data localization tools, especially given
its requirement for explicit consent for transfers.111
Proposed Measures
2021: South Africa’s “Draft National Policy on Data and
Cloud” recommends data localization and local data
processing for all data related to “critical information
infrastructure” and data mirroring for personal data (for
the purposes of law enforcement). It also states that all
data generated in South Africa shall be the property of
South Africa, regardless of the nationality of the firm
involved in collecting it.
112
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 30
EUROPE
Country
Type of Data
Description
Andorra
Indirect and De Facto Localization
2004: According to the Protection of Personal Data Law,
personal data can only be transferred freely to states
deemed sufficiently secure in their cyber capabilities.
Personal consent must be obtained to transfer data to an
insecure state.113
Armenia
Indirect and De Facto Localization
2015: According to the Law on Personal Data, personal
data may only be transferred cross-border when there is
personal consent, or it is necessary to finish processing
previously consented to by the individual. A transfer permit
is required to transfer personal data to states deemed
insufficiently secure.
114
Azerbaijan
Indirect and De Facto Localization
2010: According to the Law on Personal Data, cross-border
personal data transfers are prohibited if the transfer
creates a threat to the national security of the Azerbaijan
Republic, or if the transfer is going to a country not
deemed sufficiently secure. Personal data can still be
transferred to an insecure country if the individual
consents to it, however.
115
Belgium
Direct and Explicit Localization
2005: According to Companies Code – Article 463, the
company register of shareholder and register of bonds must
be kept at the office, or since 2005 can be stored
electronically as long as they are readily accessible at said
office.116
1992: According to the Income Tax Code – Article 315,
income tax documents must be kept at the disposal of the
office where they have been kept, prepared, or sent.117
1992: According to VAT Code – Article 60, VAT invoices
must be stored in Belgium or another EU member state.
118
Bosnia and
Herzegovina
Indirect and De Facto Localization
2006: According to the Law on Protection of Personal
Data, personal consent, contractual necessity, or vital
interest are needed to transfer personal data cross-border
to a state deemed insufficiently secure. However, there is
no specific list of which states Bosnia and Herzegovina
views as secure, so the individual data controller is
responsible for making this decision.
119
Bulgaria
Direct and Explicit Localization
2012: According to the Gambling Act, when applying for a
gaming license all relevant data must be stored on a server
in Bulgaria. Communications equipment and the central
computer must be located in the EEA or Switzerland.120
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 31
Cyprus
Direct and Explicit Localization
2007: Cyprus has failed to replace several restrictive
provisions under the Directive on Data Retention, which
was declared invalid by the Court of Justice of the
European Union (ECJ). This directive required data
operators to retain certain categories of traffic and location
data (excluding the content of those communications) for a
period between six months and two years and to make
them available, on request, to law-enforcement authorities
for the purposes of investigating, detecting, and
prosecuting serious crime and terrorism.
121
Denmark
Direct and Explicit Localization
2007: According to the Audit Act (section 45), financial
records for government institutions must be stored
domestically. This data can be stored abroad as long as a
copy is made monthly and stored in Denmark.122
2006: According to the Bookkeeping Act (section 12),
financial records must be stored either in Denmark or one
of the Nordic countries.123
Indirect and De Facto Localization
2011: According to the Danish Data Protection local
authorities’ data cannot be processed outside Denmark
without a standard contractual clause. Software commonly
used in offices such as Dropbox, Microsoft Office 365, and
Google Apps therefore cannot be used until a standard
contractual clause is agreed upon.
124
European Union
Indirect and De Facto Localization
2020: The July 2020 decision by the European Court of
Justice (ECJ) to invalidate the EU-U.S. Privacy Shield will
have an immediate and potentially long-term impact on the
thousands of organizations that relied on it to legally
transfer data abroad. By making transfers of European
personal data so costly and complicated, if not illegal, the
European Union’s General Data Protection Regulation
(GDPR) is becoming a de facto data localization
requirement.125
2019: Originally announced in 2019, France and Germany
have been spearheading a project titled “GAIA-X" that
would create a European cloud system in an effort to claim
“digital sovereignty” and end reliance on U.S. cloud
companies.126 It is also portrayed as a “trusted cloud” for
EU member states’ public data.127
2018: According to the General Data Protection
Regulation, personal data may flow freely between
European Economic Area (EEA) states as well as select
states deemed sufficiently secure in their data protection.
In order to transfer data to any other state, there must be
binding contractual agreements, the consent of the data
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 32
subject, or the data transfer is necessary to carry out a
contract for the data subject.128 Through the US-EU
Privacy Shield Framework, the United States was one of
the countries allowed free data transfers with the EU.
However, since a 2020 CJEU decision, Privacy Shield’s
adequacy decision has been invalidated129
Proposed Measures
2021: Portugal (as president of the EU) proposed for a
European Data Governance regulation that would restrict
foreign governments’ access to European industrial data,
impose more obligations to transfer data held by a
European public body, to ask for explicit consent if the
public data relates to a person, and to create a European
Data Innovation Board to “advise and assist” the European
Commission when deciding to restrict “highly sensitive”
industrial data flows.
130
Finland
Direct and Explicit Localization
1997: According to the Accounting Act, a copy of
accounting records must be stored in Finland. The data
can be stored in another EU member state if immediate
access is guaranteed.
131
France
Direct and Explicit Localization
2016: A ministerial circular announced that data produced
by public administrations cannot be stored in a non
“sovereign” (i.e., foreign) cloud, as this data is to be
considered archives and stored domestically.132
Proposed Measures
2021: Two French tech giants have announced plans to
create a trusted cloud (“Cloud de Confiance”) called
“Bleu.” Bleu will meet the sovereignty requirements to be
used by French public bodies. This is part of the wider
GAIA-X project to make an EU-wide sovereign cloud.
133
Georgia
Indirect and De Facto Localization
2014: According to the Law on Protection of Personal
Data, cross-border transfers of personal data are only
permitted to select countries deemed sufficiently secure in
their data protection. Transfers to any other state must be
approved by the Georgian Data Protection Authorities.134
Germany
Direct and Explicit Localization
2017: According to the German Telecommunications Act,
telecommunications providers must store data on phone
numbers, the time and place of communications (except
for emails), and involved IP addresses for four to 10 weeks
on servers within Germany.135
2013: According to the Tax Code, persons and firms that
are required to keep books and records must keep them
within Germany. There are some exceptions for
multinational companies.
136
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 33
2013, According to the Act on Value Added Tax, all VAT
invoices must be stored within Germany. When these
invoices are stored electronically, they can be stored within
another EU member state; however, the tax authority must
be notified of the location of the data servers, and have the
ability to access and download the data.137
2008: According to the German Commercial Code,
accounting documents and business letters must be stored
on servers within Germany.
138
Greece
Direct and Explicit Localization
2011: According to Law No. 3971/2011, retained data on
traffic and localization must remain within Greece.
139
Italy
Indirect and De Facto Localization
1972: According to Presidential Decree no. 633,
accounting data for VAT declarations can only be kept in a
third country if that country has signed a convention with
Italy regarding the exchange of information for direct
taxation. Therefore, all EU member states qualify.
140
Kosovo
Indirect and De Facto Localization
2010: According to the Law on the Protection of Personal
Data, to transfer data to a country that has not been
deemed sufficiently secure in its data protection, the
Kosovar data protection authorities must be notified and
give authorization, and these transferred will only be
approved if there is individual consent, contractual
necessity, or vital interest.
141
Luxembourg
Direct and Explicit Localization
2012: According to the Circular CSFF 12/552, financial
institutions must process data within Luxembourg, except
with explicit consent or for an entity of the group to which
the institution belongs.
142
Malta
Indirect and De Facto Localization
2003: According to the Data Protection Act, a cross-border
transfer of personal data must be notified to the
Commissioner's Office.
143
Moldova
Indirect and De Facto Localization
2012: According to the Law on Personal Data Protection,
to transfer data to a country that has not been deemed
sufficiently secure in its data protection, the Moldovan
data protection authorities must be notified and give
authorization, and these transferred will only be approved if
there is individual consent, contractual necessity, or vital
interest.
144
Monaco
Indirect and De Facto Localization
1993: According to the Protection of Personal Data Act,
personal data can only be transferred to states deemed
insufficiently secure in their data protection with consent,
vital interests, contractual necessity, or the authorization of
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 34
the Monégasque data protection authorities on the basis of
appropriate contractual clauses.
145
Montenegro
Indirect and De Facto Localization
2012: According to the Personal Data Protection Law,
personal data can only be transferred to states deemed
insufficiently secure in their data protection with consent,
contractual necessity, vital interest, or authorization from
the data protection authorities.146
Netherlands
Direct and Explicit Localization
1995: According to the Public Records Act, records that
have been stored in archives in certain locations in the
Netherlands must be stored within the country, this applies
to paper and electronic records.147
North Macedonia
Indirect and De Facto Localization
2005: According to the Law on Personal Data Protection,
personal data can only be transferred to states deemed
insufficiently secure in their data protection with consent,
contractual necessity, vital interest, or authorization from
the data protection authorities. Authorization from the data
protection authorities can be obtained with a written data
transfer agreement, preferably modelled off EU standard
contract clauses.148
Poland
Direct and Explicit Localization
2009: According to the Polish Gambling Act, data on legal
gambling activity must be archived in real time on a server
in Poland.149
Romania
Direct and Explicit Localization
2015: According to Law No. 124, all data related to the
provision of remote gambling services, including records
and identification of the players, the stakes placed and the
winnings paid out, must be stored within Romania.150
Indirect and De Facto Localization
2001: According to the Data Protection Law, any cross-
border transfer of personal data requires notification to the
National Supervisory Authority for Personal Data
Processing (NSAPDP), and requires NSAPDP approval if to
a country deemed insufficiently secure in its data
protection.151
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 35
Russia
Direct and Explicit Localization
2021: Russia released a draft (although it seems to already
be enforced) law that included a range of conditions and
restrictions on foreign firms using the Internet and
telecommunication services (especially Facebook, Twitter,
Google, and others) to provide services to more than
500,000 Russian users within a 24-hour period, including
storing all personal data locally and that such foreigners
setup a branch or representative office.152
2019: Russia enacted a two-year ban on the public
procurement of data storage from foreign firms.
Policymakers justified the ban on the need to protect
Russia’s “critical informational infrastructure.”153
2018: Russia enacted another set of Yarovaya
amendments that required companies to retain a broader
range of communications content for six months, to store
this data on Russian servers, and make them available to
the authorities on demand without judicial oversight.154 In
2019, Russia enacted additional amendments that internet
service providers store data, as prescribed by the Yarovaya
amendments, using only Russian-manufactured technical
means.155
2016: Russia enacted new laws (the first of the so called
“Yarovaya” Amendments) that require telecommunications
and certain internet companies to retain copies of all
contents of communications for six months (including text
messages, voice, data, and images) in Russia for up to
three years and to this data to authorities on request and
without a court order.156
2014: Russia’s Federal Law No. 242-FZ “On Amending
Certain Legislative Acts of the Russian Federation
Regarding Clarifying the Personal Data Processing
Procedure in Information and Telecommunication
Networks’’ require personal data localization. After initial
collection and storage, it can be transferred overseas
(subject to conditions). It does not prohibit remote access
to personal data stored in Russia. Any subsequent
modification to the personal data should also be performed
first in Russia.157 In 2019, Russia’s Federal Security
Service required companies to install special equipment
giving the FSB automatic access to their information
systems and encryption keys to decrypt user
communications without authorization through any judicial
process.158 Russian policymakers have justified these rules
by citing a need to protect state security, the Russian
internet, and the privacy of Russian users.
2014: According to Federal Law No. 161-FZ “On the
National Payment System,” international payment cards
must be processed locally. International payment systems
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 36
must transfer their processing capabilities for Russian
users to the local state-owned operator.159
2013: Russia enacted a regulation that requires all “credit
institutions” (presumably banks and other financial
institutions, although it’s unclear) should store all data
locally.160 It does not detail whether this is a strict
localization requirement or mirroring requirement.161
Indirect and De Facto Localization
2009/2016: The Bank of Russia has issued
recommendations, such as Recommendations RS BR
IBBS-2.22009 and Recommendations RS BR IBBS-2.9-
2016, which imply that financial institutions should store
certain sensitive (confidential) data (the scope of which is
defined very broadly and would include personal data) in
Russia. While these are not normative acts and thus not
binding, they are authoritative and financial institutions
follow them in practice.162
2012: Russia has licensing and certification requirements
(relating to protection of confidential information, as well
encryption licenses, and certification of the information
systems used for the storing and processing the data) for
credit and financial institutions and the data they manage
that, in practice, can only be satisfied by Russian cloud
storage providers.
163
San Marino
Indirect and De Facto Localization
1995: According to The Law Regulating the Collection of
Personal Data, in order to transfer personal data on any
citizen or company to any third country, authorization is
required from the data protection authorities, though there
are no specific conditions that need to be met to obtain
this authorization.
164
Serbia
Indirect and De Facto Localization
2009: According to The Law on Personal Data Protection,
in order to transfer personal data to a country not deemed
sufficiently secure in its data protection, authorization from
the Serbian data protection authorities is required.
165
Sweden
Direct and Explicit Localization
1999: According to the Swedish Accounting Act, firms’
annual financial reports and balance sheets must be
physically stored in Sweden for seven years.166
Indirect and De Facto Localization
2019: Financial services are de facto required to physically
store data within Sweden as The Financial Services
Authority requires physical access to data servers.
167
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 37
Switzerland
Indirect and De Facto Localization
2020: Cross-border data transfers of personal data to
countries deemed insufficiently secure in their data
protection requires the use of standard contract clauses or
binding corporate rules.168 The list of insufficiently secure
countries includes the United States after a 2020 decision
that the Swiss–U.S. Privacy Shield Framework does not
provide an adequate level of protection.
169
Turkey
Direct and Explicit Localization
2020: Turkey’s Banking Regulatory and Supervisory
Authority released the Regulation on Information Systems
of Banks, which reinforces that banks and financial
services keep their primary (live/production data) and
secondary (back-ups) information systems within the
country.170
2020: Turkey passed legislation (“Law on Amendment of
the Law on the Regulation of Publications on the Internet
and Suppression of Crimes Committed by Means of such
Publications”) that includes data localization and grants
the government sweeping new powers to regulate content
on social media. The law requires social network providers
with more than 1 million users to: establish a
representative office in Turkey; respond to individual
complaints in 48 hours or comply with official take-down
requests of the courts in 24 hours; and keep personal data
of Turkish citizens in country.171
2019: Turkey released a Presidential Circular on
Information and Communication Security Measures No.
2019/12, which includes data localization and other
digital restrictions. Article 3 prohibits public institutions
and organizations’ data from being stored in cloud storage
services that are not under the control of public
institutions. The Circular also requires that critical
information and sensitive data be stored domestically.
Draft regulation is expected that will also mandate
localization of data produced by banks and financial
services.172
2018: Turkey’s Capital Markets Board (CMB) enacted new
rules (the Communiqué on the Management of the
Information Systems (VII-128.9)) for how publicly traded
firms should manage their IT systems—which included
data localization—in requiring primary and secondary IT
systems only be in Turkey. The regulations cover a broad
range of firms and organizations, including all publicly
traded companies; the Istanbul Stock Exchange; organized
markets; pension funds; the Istanbul Clearing, Settlement
and Custody Bank; the Central Securities Depository of
Turkey; custodians; the Capital Markets Licensing Agency;
capital markets institutions; the Turkish Capital Markets
Association; and the Turkish Appraisers Association.
173
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 38
2013: Turkey enacted a law—the Law on Payments and
Security Settlement Systems, Payment Services and
Electronic Money Institutions—that forces Internet-based
payment services, such as PayPal, to store all data in
Turkey for 10 years.174
Indirect and De Facto Localization
In 2016: Turkey enacted the Law on the Protection of
Personal Data, which requires all cross-border transfers of
sensitive and non-sensitive personal information require
the explicit consent of data subjects, or have to meet other
legal grounds.175 Data may only be transferred without
consent to a country with sufficient protections in place.
The Personal Data Protection Board determines which
countries have adequate standards of protection and
approves cross-border transfers to countries that lack such
a standard.176 U.S. industry reports that conditions make it
hard to transfer data. Turkey has not yet announced a list
of countries that meet the standard of adequate level of
protection. Further, the Data Protection Board has yet to
grant approval to companies that have sought the ad-hoc
approval.177
2008: According to the Electronic Communications Act,
the data subject’s explicit consent is required to transfer
traffic and location abroad anywhere.
178
Ukraine
Indirect and De Facto Localization
2011: According to the Law on the Protection of Personal
Data, cross-border personal data transfers to a country
deemed insufficiently secure requires consent, contractual
necessity, or vital interest.
179
United Kingdom
Indirect and De Facto Localization
2014: According to the National Health Service
information governance rules, it is not illegal to store NHS
data abroad; however, it is viewed as a risk factor to do so
and is therefore discouraged.180
2006: According to the Companies Act, if accounting
records are stored outside the U.K., a copy of the accounts
and returns must be stored domestically and available for
inspection at all times.
181
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 39
MIDDLE EAST AND NORTH AFRICA
Country Type of Data Description
Algeria
Direct and Explicit Localization
2018: Algeria signed into law legislation requiring
electronic commerce platforms conducting business in
Algeria to register with the government and to host their
websites from a data center located in Algeria.182
Egypt
Indirect and de Facto Measures
2020: Egypt enacted the Personal Data Protection Act
(Law No. 151/2020), which requires licenses for cross-
border data transfers.
183
Jordan
Proposed Measures
2020: Jordan’s draft Personal Data Protection Law
prohibits the transfer of personal data outside the Kingdom
to any person that does not have sufficient levels of
personal data protection. Exceptions to this rule include
international cooperation, intra-organizational transfers,
and health data that matters for the public health of the
kingdom. Further, Article 5 requires the Council of
Personal Data Protection to implement an approval process
and permits for transferring data as well as issue a list of
countries with sufficient levels of protections.
184
Kuwait
Indirect and de Facto Measures
2021: Kuwait’s Data Confidentiality Protection Regulations
requires firms to notify data subjects if their data is
transferred abroad. The regulation requires firms to provide
information on how long data will be stored overseas and
where it is stored (an onerous and infeasible administrative
requirement).185 The regulations are not applicable to
security agencies.
Saudi Arabia
Direct and Explicit Localization
2020: Saudi Arabia’s National Data Management Office
published the National Data Governance Interim
Regulations, which requires firms to store and process
personal data within Saudi Arabia “in order to ensure
preservation of the digital national sovereignty over such
data.” Data Controllers may only process or transfer
personal data outside the Kingdom after obtaining written
approval from the relevant regulatory authority.186 The legal
status (whether they are mandatory regulations or voluntary
guidance) remains unclear.
2018: Saudi Arabia issued its cloud computing regulatory
framework, which includes data localization requirements
for various categories of data.187 As part of its classification
framework, it states that no level 3 data (including data
from private-sector-regulated industries (it is unclear what
these are) and sensitive data from public authorities) can
be transferred outside of Saudi Arabia, for whatever
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 40
purpose and in whatever format, whether permanently or
temporarily (e.g., for caching, redundancy, or similar
purposes), unless expressly allowed by the government.
Furthermore, the framework (section 3.3.9) states that
cloud providers are not allowed to transfer, store, or
process level 3 data in any public, community, or hybrid
cloud unless registered with local authorities. Cloud
providers must also register and disclose where their data
centers are in Saudi Arabia, and the countries where they
have data centers process, store, transit, or transfer data
from Saudi Arabia.188
2018: Saudi Arabia’s National Cybersecurity Authority
2018 Essential Cybersecurity Controls framework states
that data hosting and storage when using cloud computing
services must be located with the country.189 The draft
NCA 2020 Cloud Cybersecurity Controls framework
requires operators to provide cloud computing services
from within country, including all systems including
storage, processing, monitoring, support, and disaster
recovery centers. The requirement applies to all levels
of data.
190
United Arab
Emirates
Direct and Explicit Localization
2019: The UAE’s health data protection law (UAE Federal
Law No.2 of 2019) introduced a general prohibition
(article 13) on the transfer of health data outside the
UAE.191 In 2021, the UAE’s Ministry of Health and
Prevention issued a long awaited resolution setting out
exceptions that allow health data transfers, but the general
prohibition remains in place.192
Proposed Measures
2021: The UAE’s draft Data Privacy Law requires firms to
get a permit from the local data protection authority prior
to transferring sensitive personal data (article 38).
Sensitive data is broadly defined, including any data that
directly or indirectly relates to a person’s family or ethnic
origin, health or personal data, or any Data that discloses
psychological, genetic and biometric data, financial or
economic data, and data related to religious beliefs and
political opinions.
193
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 41
CENTRAL ASIA
Country Type of Data
Description
Kazakhstan
Direct and Explicit Localization
2021: Kazakhstan adopted new rules as part of its
personal data protection framework, which specified that
all personal data should be stored locally.194
2015: Kazakhstan enacted a law (No. 418-V) on
informatization that reaffirmed that organizations store
electronic databases containing personal data in the
country.195
2013: Kazakhstan enacted an amendment to its personal
data protection law that requires owners and operators
collecting and using personal data to keep such data in-
country. The requirement for localization of personal data
applies to companies established in Kazakhstan and
individual proprietors in Kazakhstan, including branches
and representative offices of foreign companies.196
2010: Kazakhstan enacted a regulation on
telecommunication subscriber information, which prohibits
the storage of subscriber information outside the
country.197
2005: Kazakhstan requires all domestically registered
domain names (i.e., those on the “.kz” top-level domain)
operate on physical servers within the country).198
2004: Kazakhstan enacted a communications law that
requires certain communication services to store data in
the country.
199
Uzbekistan
Direct and Explicit Localization
2019: Uzbekistan’s revised personal data law requires
explicit local personal data storage and processing.
200
SOUTH ASIA
Country
Type of Data
Description
Bangladesh
Indirect and de Facto Measures
1991: Bangladesh’s Bank Company Act (section 12) states
that banks can’t transfer business related documents
outside the country without first getting the Bangladesh
central bank’s permission.201
Proposed
2020: Bangladesh’s draft Data Protection Act includes
data localization and data mirroring provisions. Also, it
requires firms to segregate data post-processing into
sensitive, critical, and general personal data is technically
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 42
impracticable. It also includes extremely broad and far-
reaching investigative powers, including the power to
obtain access to all personal data and access to any
premises.202
2020: Bangladesh’s draft National Cloud Policy includes
explicit data localization for all personal and government
data. Transfers of data are only allowed for backup
purposes, but only if the data doesn’t include any personal
or sensitive data or data that is otherwise “not detrimental
to the security of Bangladesh and important infrastructure”
and if the transfer is to a country where Bangladesh can
fully (unspecified) enforce its laws through bilateral or
multilateral agreements.
203
India
Direct and Explicit Localization
2021: The Reserve Bank of India released a revised
regulations on electronic know your customer (eKYC)
requirements which states that the technology
infrastructure should be housed in the Regulated Entity
own premises and the video-based customer identification
process connection and interaction (to do digital due
diligence and verification of a customer) shall necessarily
originate from its own secured network domain.204
2020: The Securities and Exchange Board of India
released a cybersecurity-related circular that financial
institutions should “…ensure complete protection and
seamless control over…critical systems…while keeping the
critical data within the legal boundary of India.”205
2018: The Reserve Bank of India enacted rules forcing all
payment to be stored in India.206 Despite not providing any
evidence of having faced regulatory issues pertaining to
access to data, the RBI’s notional reasons for data
localization were concerns over regulatory oversight and
cybersecurity, as the bank cited the need for “continuous
monitoring and surveillance” of payments data in order to
reduce the risk of data breaches by ensuring payment
services use the best global cybersecurity standards.207
There is no bar on processing of payment transactions
outside India. However, the data shall be stored only in
India after the processing. In case the processing is done
abroad, the data should be deleted from the systems
abroad and brought back to India not later than the one
business day or 24 hours from payment processing,
whichever is earlier.208 In June 2019, RBI stated that the
requirement to store payments data locally also applies to
banks operating in India.209
2017: The Ministry of Electronics and Information
Technology released Guidelines for Government
Departments on Contractual Terms Related to Cloud
Services. The guidelines require that any government
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 43
contracts contain a localization clause mandating that all
government data residing in cloud storage networks is
located on servers in India.210
2017: The Consolidated FDI Policy Circular of 2017
mandates certain conditions for the Broadcasting Sector.
Clause1.3 (ix) states that:“the Company shall not transfer
the subscribers’ databases to any person or place outside
India unless permitted by relevant law.”211
2017: The Insurance Regulatory and Development
Authority of India mandates that all original policyholder
records should be maintained in India and obtain express
consent from the data subject to transfer data outside
India.212
2013/2014: India enacted the Companies (Accounts)
Rules law, which said if financial information is primarily
stored abroad, its backups must be stored in India.213
2012: India enacted the “National Data Sharing and
Accessibility Policy,” which effectively means that
government data must be stored in local data centers.214
2007: The terms of India’s unified telecom license
agreement required Indian telecom service providers not to
transfer certain subscriber information outside India.215
1993: Section 4 of the Public Records Act 1993 prohibits
public records from being transferred out of India except
for official public purposes. Section 4 states: “No person
shall take or cause to be taken out of India any public
records without prior approval of the Central Government:
provided that no such prior approval shall be required if
any public records are taken or sent out of India for any
official purpose.”216
Indirect and de Facto Measures
2021: India’s new Intermediary Guidelines and Digital
Media Ethics Code includes a very short time period (72
hours) to respond to government orders to remove illegal
content that would create a de facto data localization
requirement for online intermediaries as it’d otherwise be
hard, if not impossible, for them to comply (and thus avoid
fines and other penalties).217
2011: Amendments to India’s Information Technology Act
of 2000, limited the transfer of data in cases only “if it is
necessary for the performance of the lawful contract” or
when the data subject consents to the transfer. However,
the necessity requirement is not adequately explained,
effectively limiting transfer of data only when consent is
given.218
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 44
Proposed
2021: India’s Department of Science and Technology
released the Draft National Geospatial Policy includes data
localization and measures that discriminate against foreign
firms and products.219
2020: Report by the Committee of Experts on Non-
Personal Data Governance Framework includes a range of
data localization measures for non-personal data.220
2019: The Securities and Exchange Board of India
considered forcing foreign financial institutions (like
banks) who operate brokerage and custodian services to
store all data locally.221
2019: India’s Draft Personal Data Protection Bill proposed
mandating the storage of 'one serving copy' of all personal
data within India. The bill would also impose onerous
conditions on the cross-border transfer of “sensitive”
personal information, including “explicit consent” by the
data principal. “Critical” personal information––an
undefined category––could not be transferred out of India
under any circumstances. This Bill also proposes to
empower the central government to classify any personal
data as 'critical personal data' to be processed exclusively
in India.222 The draft bill is still being debates and
amended.
2018/2019/2021: Various drafts of India’s National E-
commerce Policy explicitly call for forced data localization
as a privacy, cybersecurity, and regulatory measure.223
2018: the Central Government released a draft set of rules
to regulate online pharmacies in India. This was in the
form of amendments to the Drugs and Cosmetics Rules,
1945. The proposed rule mandates that: “The e-pharmacy
portal shall be established in India through which they are
conducting the business of e-pharmacy and shall keep the
data generated localized: Provided, that in no case the data
generated or mirrored through e-pharmacy portal shall be
sent or stored, by any means, outside the India.”224 As at
writing, the final version had not been released.
2015: India released a National Telecom Machine-to-
Machine (M2M) road map that requires all relevant
gateways and application servers that serve Indian
customers be located domestically. The Roadmap has not
yet been implemented.225 It was an overarching policy
strategy, so did not have any mandated localization
measures.
2014: The Indian National Security Council proposed a
policy that would institutionalize data localization by
requiring all email providers to set up local servers for their
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 45
India operations, and mandating that all data related to
communication between two users in India should remain
within the country.
Pakistan
Proposed
2020: Pakistan’s draft Personal Data Protection Bill
includes a range of data localization and processing
requirements (including for “critical personal data” (which
is not clearly defined)). It requires Pakistan’s Personal Data
Protection Authority to introduce a broad data localization
framework to force firms to store copies (mirroring) of
personal data in Pakistan, even where that data may
otherwise be allowed to be transferred out of the
country.
226
Sri Lanka
Proposed
2019: Sri Lanka’s draft Data Protection Bill only allows
cross-border transfers of data to countries designated by a
government minister (it does not provide details about the
approval process, nor assessment criteria). Furthermore,
the draft bill does not acknowledge a range of other
common legal mechanisms that firms use to transfers data,
such as through standard contractual clauses,
certifications, and binding corporate rules, as well as
bilateral, reginal, and multilateral mutual recognition
frameworks.227 Personal data processed by a 'public
authority' as a data controller is to be processed only in Sri
Lanka, unless the data protection agency classifies such
categories of personal data that are permitted to be
processed outside Sri Lanka.228
SOUTHEAST AND NORTHEAST ASIA
Country
Type of Data
Description
Indonesia
Explicit Data Localization
2021: Indonesia’s Ministry of Communication and
Information Technology issued Ministerial Circular No.
3/2021 on the use of third-party cloud services for central
government agencies for FY2021. The circular sets out 13
security criteria for third party cloud providers that public
agencies can use, among others: they must have at least 2
(two) availability zones at different data center locations in
Indonesia; and they must store encryption keys within
Indonesia.229
2016: Indonesian Regulation 69/POJK.05/2016 mandates
insurers/reinsurers to establish data centers and disaster
recovery centers in Indonesia. Indonesia is considering
national legislation and additional regulations on personal
data protection, which could expand requirements for data
localization.230
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 46
Indirect and De Facto Localization
2020: Indonesia’s Ministry of Communications and
Information Technology (KOMINFO) issued the “Regulation
on Governance of Private Scope Electronic System
Administrators (ESA),” which is very vague and broad and
contains de facto localization requirements that contravene
existing regulations (GR71) which allow firms to store data
offshore. The definition of what a private scope ESA is not
clear and could be cover a broad range of digital activity. It
requires all ESAs to register (whether foreign or domestic)
with KOMINFO. Those that fail to register face sanctions,
such as having their website/service blocked. Article 6 on
the management, processing, and/or retention of data
requires all ESAs to have approval from the minister, who
must take into account the requirements and consideration
of “national interests,” such as to ensure effective
regulatory supervision and law enforcement access to data.
It doesn’t specify the requirements and criteria to obtain
approval to maintain data outside Indonesia. It also only
provides firms 12 hours to remove illegal content after
notification, which would create a de facto localization
requirement as it’d be technically impossible for firms to
abide by such a requirement. It requires private ESAs to
provide access to their systems and data to government
ministries and law enforcement within 24 hours after
receiving a request. Further, Article 99 of GR 71 states
that institutions holding “Strategic Electronic Data” must
hold archives and must be connected to a specific data
center (presumably one that is managed by the
Government). Included in sectors stipulated as holder of
“Strategic Electronic Data” are: energy, transportation,
financial, healthcare, ICT, food, defense, and any other
sectors stipulated by the Government.231
2020: Indonesia’s General Regulation Number 80 of 2019
(GR 80) stipulates that personal data cannot be transferred
offshore, unless the receiving nation is deemed by the
Ministry of Trade as having the same level of personal data
standards and protection as Indonesia. However, this
stipulation in GR 80 may not be immediately enforced, as
the regulation has a 2-year transition period.232
Proposed Measures
2020: Indonesia’s Ministry of Communications and
Information Technology draft Ministerial Regulation No.
5/2020 (which deals with sensitive online content and
electronic system operators and therefore relates to the
above) contains a range of problematic provisions that lead
to de facto localization. It only allows for 24 hours to
respond to requests to take down illegal content, and for
content deemed urgent, only 4 hours. It also included
providing mandatory access to data for government and law
enforcement agencies. It also allows them to obtain traffic
and subscriber data, without a clear requirement to provide
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 47
legal reasoning. These would potentially apply to a broad
range of services, such as startups, e-commerce players,
social media, and game developers.
233
Malaysia
Indirect and De Facto Localization
2020: For several years Malaysia’s central bank enacted a
law maintained a moratorium on outsourcing hindering
financial institutions’ ability to utilize their global digital
platforms. Bank Negara Malaysia also has data localization
elements in its Risk Management in Technology
framework, but has indicated that it intends to remove
them. It has amended its recent Outsourcing Guidelines to
remove original data localization requirement.
234
South Korea
Explicit Data Localization
2019: Korea’s Cloud Security Assurance Program (CSAP,
which governs cloud services for public sector agencies)
requires the physical location of the cloud system and data
shall only be within Korea and that cloud services for
public institutions shall be physically separated from the
cloud service area for private institutions.235
2016: Korea’s Regulation on Supervision of Electronic
Financial Transactions was amended to allow the use of
cloud services by financial firms; however, the Financial
Services Commission specifically requires that such data
be maintained on servers located in Korea.236
Indirect and De Facto Localization
2014: South Korea’s Act on the Establishment,
Management, Etc. of Spatial Data Korea and associated
(discriminatory) licensing regime prevents firms from
transferring location-based data outside the country.237
2011: Korea’s Personal Information Protection Act requires
companies to obtain consent from “data subjects” (i.e., the
individuals associated with particular data sets) prior to
exporting that data. The act also requires “data subjects”
to be informed of who receives their data, the recipient’s
purpose for having that information, the period that
information will be retained, and the specific personal
information to be provided. This is clearly a substantial
burden on companies trying to send data across borders.
238
Vietnam
Explicit Data Localization
2020: Vietnam: Decree 72 on the management, provision
and use of Internet services and online information: Among
other things, the new Decree proposes to regulate foreign
social media platforms, app store platforms, in-app
transaction payments, and all other businesses that need
to use user ID verification technologies. introduce new
obligations to both local telecoms and foreign platforms
who have caching servers in Vietnam, making them liable
for objectionable contents on the foreign platforms. An
internal government report associated with this decree
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 48
denotes how the country has become overly dependent on
foreign platforms and how government control/national
digital sovereignty has been weakened by these foreign
companies.239
Proposed Measures
2019: Vietnam: Draft of Law on Cybersecurity (effective
since January 1, 2019) includes extensive local data
storage requirements. The implementation decree is under
consideration with the Office of the Government and the
Ministry of Industry and Trade.
240
SOUTH AND CENTRAL AMERICA
Country
Type of Data
Description
Brazil
Explicit Data Localization
2018: Brazil’s Ministry of Planning released guidelines for
government contracts related to information and
communications, which may include encryption methods,
firewalls, and other measures. Confidential data or
information produced or safeguarded by the Federal Public
Administration, including backup data, shall receive a
security risk assessment, and potentially be prohibited
from being processed in a cloud computer software if
deemed sufficiently sensitive. This data shall also be
physically located in Brazil.241
Proposed Measures
2020: Policymakers introduced Bill 4723/2020 to Brazil’s
parliament to amend Brazil's Data Protection Law requiring
all personal data to be stored within the country. The bill
also would forbid the use of cloud computing for any data
processing when data is stored outside the country.242
Chile
Explicit Data Localization
2020: Chile’s financial regulatory authorities released
updated regulations (Chapter 20-7 of Recopilación
Actualizada de Normas Bancos, the Updated Compilation
of Banking Standards) requiring “significant” or “strategic”
outsourcing data be held in Chile. The same requirement is
outlined in Circular No. 2, which is addressed to non-
banking payment card issuers and operators. In effect,
these regulations can apply to any confidential records. In
the case of the international transfer of such data, transfer
may occur but duplicate copies of such records must be
held in Chile.
243
Peru
Proposed Measures
2021: Peru’s draft National Strategy for AI, they encourage
all projects financed with public resources to incorporate
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | JULY 2021
PAGE 49
the use of local data centers and/or cloud platforms whose
infrastructure is installed in Peru.244
2020: The Digital Government Secretariat of Peru released
draft regulations for a Digital Trust Framework, which gives
preferential treatment to domestic data storage and
domestic service providers.vi U.S. firms reports that the
draft proposal includes: (1) the creation of a whitelist of
permitted countries for cross-border transfer of data (even
though the Peruvian Data Protection Law does not include
such restrictions); and the creation of a national data
center intended to host the information provided by the
public sector entities.245
Venezuela
Explicit Data Localization
Venezuela has passed regulations requiring that IT
infrastructure for payment processing be located
domestically.246
CHINA
Country
Type of Data
Description
China
Direct and Explicit Localization
Overview: China’s Cybersecurity Law (CSL), draft Personal
Information Protection Law, and Data Security Law are
central to China’s evolving data governance framework, and
each include extensive explicit and de facto data
localization measures. However, even with these three
major pieces of legislation in place, the patchwork of
requirements related to data localization and cross-border
data transfers are liekly here to stay.247
Typical of Chinese policymaking, Chinese laws like the CSL
often only offer high-level requirements, so sectors wait on
subsequent draft laws, regulations, standards, and
implementing regulations be released and discussed to see
how it’ll ultimately affect how they do business. Another
factor that is unique to China is that it has many
regulations that are recommended best practices or
standards that in practice are mandatory requirement.
These measures exist in sectors such as banking,248
insurance,249 credit investigation,250 post and courier
services,251 population health and genetic information,252
online taxi booking businesses,253 location services254 and
civil aviation.255 Many of these overlap with listed policies,
but some are separate so a thorough analysis of localization
needs to consider bot