A Data Localization Free-for-All?

March 9, 2018

Data localization, the mandate that data of a country’s citizens be stored within the borders of that country, is a thorny issue dividing policymakers across the globe. In the global policy arena, there are two divergent paths when it comes to data localization policy. One path, which is championed by China among others, is a path of forced localization, in which countries restrict data flows and force companies to comply with their laws in order to do business there. The other path, followed primarily by the United States as well as, somewhat, by the European Union, allows for the free flow of cross-border data.

The degree of data localization measures worldwide has increased dramatically, most drastically since 2010. According to a United States International Trade Commission (USITC) report, data localization measures and specific laws pertaining to the flow of data have forced companies to leave specific markets and could impede the development of information technology. For example, Brazil debated laws as recently as 2014, and its Marco Civil imposes Brazilian law on all data crossing Brazil’s borders. In 2014, India enacted restrictions on data flows, requiring all communication data from Indian citizens to remain in India.¹   Other countries take a slightly different approach.  Australia does not have broad, sweeping legislation on data protection but it does have specific laws pertaining to instances of data-flows (e.g., requires telecommunications carriers to capture and retain certain information).² South Korea similarly lacks broad data localization measures, however they have specific data laws that are applied in specific cases such as when Google attempted to export mapping data even though, for national security reasons, South Korea bars any company from using mapping data not stored in South Korea.³

New restrictive data localization laws have forced businesses to make decisions about data storage, with China a global leader in this realm. China requires that “important data” concerning Chinese citizens be stored and processed locally. This data localization law allows China to restrict market access for cloud computing if the required data localization requirements are not met. The Chinese law also stipulates data localization requirements for the financial services industry and for telecommunications. China’s methods have been effective, as companies looking to do business there are increasingly complying with Chinese demands.⁴

Russia’s strict data localization policies also impact business decisions, and thus far there has not been a uniform response to Russian requirements. For example, Twitter has considered whether to store user data in Russia to comply with the new laws. It was reported that Twitter has agreed to transfer data on Russian citizens to a facility within Russian borders. While Russia passed the law in 2014, it has been lax in enforcing the law, evidenced by Twitter just now considering whether to comply. That being said, Google and Apple have complied with the law, while Facebook and Twitter have not. Russian regulators expelled LinkedIn from operating in Russia for failure to comply with the statute because LinkedIn chose not to locate a data center in Russia.⁵

For its part, the U.S. supports eliminating as many barriers to data flows as possible, and views data localization laws as another barrier to trade. As much, data localization measures are becoming increasingly intertwined with trade agreements. The U.S. is seeking new data localization laws within a renegotiated and modernized NAFTA. The U.S. is also particularly concerned with data flows and the financial services sector.⁶

The European Union, like the U.S., is also interested drafting data flow provisions for future trade deals that would eliminate cross-border data flow restrictions. The EU provision is aimed at preventing trade protectionists from shielding data flows that are crucial to developing international businesses. Although data protection is a fundamental right in the EU⁷ and thus cannot be negotiated in a trade agreement, Brussels is searching for ways to help facilitate cross-border data flows without compromising the right to privacy of EU citizens.⁸

Part of the EU’s bridging strategy is its hybrid approach toward data localization as outlined in the General Data Privacy Regulation (GDPR) set to go into effect in May 2018. Compared to its predecessor (the European Data Protection Directive), the GDPR increases the European Union’s oversight of data. The EU applies its jurisdiction to any personal data processing, in the EU or abroad, that originates in the EU. The GDPR also establishes penalty rates for noncompliance, rules on user consent, data erasure, breach notification, right to access, and data portability. But importantly, the GDPR allows for the flow of data to third party countries if the receiving country’s laws are in compliance with the GDPR’s rules.⁹  And this is where friction between the U.S. and EU approaches lies.

While the GDPR guidelines pertain to EU member states, many EU members have their own nation-specific data laws which heighten complexity, confusion and cost. For example, the Danish Bookkeeping Act requires firms to store financial data of Danish citizens in either Denmark or another Nordic country for five years. Greece enacted a data localization law in 2001, stipulating that data generated on physical media located in Greece must be stored on Greek territory.¹⁰ Germany established its own data localization laws, with slight deviations from the GDPR. If data is meant for further processing, it does not have to come under the same regulations designated by the GDPR if those regulations would disproportionately affect the further processing of the data. Germany also requires any company with at least ten employees to have a data protection officer, although the GDPR only stipulates the need for one in exceptional circumstances.¹¹

After Brexit, there is an opportunity for the United Kingdom to forge its own unique path when it comes to the issue. While uncertainties remain about the exact direction of British localization policy, signs are already starting to emerge. The UK will implement the GDPR, but it wishes to maintain a position of openness, hoping to prevent the internet from becoming ‘Balkanized.’ According to its Brexit position paper, the British government believes:

In an ever more connected world, we cannot expect data flows to remain confined within national borders. Moves towards data localisation, or the Balkanisation of the internet, risk stifling the competition, innovation and trade which produce better services for consumers, and can weaken data security.¹²

Additionally, the proposed “Data Protection Bill [HL] 2017-19” before the House of Lords would apply the GDPR and the Police and Criminal Justice Data Protection Directive (PCJ) in the UK and ensure the government has adequate data measures in a post-Brexit. The PCJ protects the European Union’s fundamental rights on data in the event of police investigations.¹³ While this is one plan, the Lords’ Select Committee on the European Union said that they are “struck by the lack of detail on how the Government plans to deliver this outcome.”¹⁴ Like much surrounding Brexit, the British data localization policy remains to be seen, however there at least appears to be a path forward.

¹ Coffin, David. “Global Digital Trade 1: Market Opportunities and Key Foreign Trade Restrictions”. USITC, 2017, https://www.usitc.gov/publications/332/pub4716_0.pdf 

² Fai, Melissa and Borowski, Alex. “Data Protection 2017: Australia”. International Comparative Legal Guides, 2017, https://iclg.com/practice-areas/data-protection/data-protection-2017/australia

³ “South Korea rejects Google’s request to use mapping data”. Associated Press, November, 2016, http://indianexpress.com/article/technology/tech-news-technology/south-korea-rejects-google-request-to-use-mapping-data-4381760/

⁴ Horwitz, Josh. “A key question is at the heart of China’s new cybersecurity law: Where should data live?”. Quartz, June, 2017, https://qz.com/999613/a-key-question-at-the-heart-of-chinas-cybersecurity-law-where-should-data-live/

⁵ Lomas, Natasha. “Twitter is reviewing whether to store some user data in Russia”. TechCrunch, April 2017, https://techcrunch.com/2017/04/19/twitter-is-reviewing-whether-to-store-some-user-data-in-russia/

⁶ Alini, Erica. “NAFTA, Trump and the cloud: What the negotiations mean for your personal data”. Global News, August 2017, https://globalnews.ca/news/3660107/nafta-trump-the-cloud-data-privacy-canada/

⁷ “CHARTER OF FUNDAMENTAL RIGHTS OF THE EUROPEAN UNION”. Official Journal of the European Union, 2012, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A12012P/TXT

⁸ Fioretti, Julia. “EU moves to remove barriers to data flows in trade deals”. Reuters, February 2018, https://www.reuters.com/article/us-eu-data-trade/eu-moves-to-remove-barriers-to-data-flows-in-trade-deals-idUSKBN1FT2DC

⁹ “GDPR Key Changes”. EUGDPR.org, https://www.eugdpr.org/key-changes.html

¹⁰ Coffin, David. “Global Digital Trade 1: Market Opportunities and Key Foreign Trade Restrictions”. USITC, 2017, https://www.usitc.gov/publications/332/pub4716_0.pdf    

¹¹ Süme, Oliver. “Data Protection: Does the German Implementation Act (BDSG-E) undermine the GDPR?” FieldFisher, April, 2019, http://privacylawblog.fieldfisher.com/2017/data-protection-does-the-german-implementation-act-bdsg-e-undermine-the-gdpr/

¹² “The Exchange and Protection of Personal Data: a Future Partnership Paper”. Her Majesty’s Government, August 2017,  https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/639853/The_exchange_and_protection_of_personal_data.pdf

¹³ “DIRECTIVE (EU) 2016/680 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL”. Official Journal of the European Union, 2016, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L0680&from=EN

¹⁴ Woodhouse, John and Lang, Arabelle. “Brexit and Data Protection”. House of Commons Library, October 2017, http://researchbriefings.parliament.uk/ResearchBriefing/Summary/CBP-7838#fullreport

Authors:
William Alan Reinsch, Senior Adviser and William M. Scholl Chair in International Business
Andrew Lepczyk, Intern, William M. Scholl Chair in International Business