Data Localization Laws Affect Enterprise IT Around the Globe

Some data localization requirements derive from laws originally unrelated to IT.

Data residency—a.k.a. data localization—is a growing challenge for cross-border data flows. Here we will take a deeper dive into what various countries now require and how their differing rules are affecting international IT.

What is Data Localization?

Let’s start with a definition. Data localization is a country-specific requirement that particular data about, related to, or provided by its citizens must be hosted on local servers. Under the common understanding of data sovereignty, this puts such data under the auspices of that government for regulatory purposes. Data residency rules may also restrict data transfers across borders.

Data localization can be an explicit requirement. Examples would include strict new laws imposed by Russia in 2015 and China in 2017.

In other cases, data residency is a byproduct of policies that make out-of-country data storage, hosting, transfer, or processing unfeasible. For instance, mandating government consent for data transfers is not, in itself, a data localization requirement, but it does tend to barricade a market off from foreign data centers. By the same token, requiring a copy of a given dataset to be stored locally may lead to de facto data residency.

Some data localization requirements derive from laws originally unrelated to IT. For example, outdated accounting rules in some areas oblige businesses to hold documents on-premises, which now results in local data residency.

While there are blanket data localization regulations, many countries establish such requirements only for specific types of data or particular processes, services, or transactions. This may mean that citizens’ health data or government tax data must remain local, or that financial institutions or gambling apps conduct their data processing within the country.

IT pros and legal experts argue convincingly for regulatory modernization to eliminate legacy rules, such as those old accounting laws cited above, which restrict global information transfer. Of greater concern, however, is the recent data localization fever taking hold.

Many countries faced with cybersecurity issues and privacy complaints from citizens are looking to data residency as a solution, even though it may be of limited value. Other nations are operating in bad faith, using privacy and security as a cover to implement data rules whose real intent is protectionism or state surveillance. In both cases, the trends are worrisome.

The Trade Effects of Data Localization

By definition, data localization is a barrier to global trade. It looks increasingly possible that the relatively free flow of data over the internet will soon be segmented into state-based “islands.” This would greatly reduce efficiency and deliver a hit to economic growth.

A report by the Information Technology and Innovation Foundation (ITIF) highlights the impacts in terms of lost trade and investment opportunities, higher IT costs, reduced competitiveness, and lower economic productivity and growth. They claim data barriers will be responsible for “reducing U.S. GDP by 0.1 – 0.36%; causing prices for some cloud services in Brazil and the European Union to increase 10.5 to 54%; and reducing GDP by 0.7 to 1.7% in Brazil, China, the European Union, India, Indonesia, Korea, and Vietnam.”

They’re not the only ones raising a red flag. Data residency has become common enough to make the 2017 trade barriers report. No wonder, considering cross-border data flows are worth at least $2.8 trillion, according to a McKinsey study. Blockages will have consequences— some say disastrous ones.

Undoubtedly, much of the current interest in data localization is inherently protectionist. Barriers ensure that local firms—whether they be data centers, app creators, or accountants—have an advantage over foreign ones. Data residency has the benefit of driving domestic investment and jobs, and advocates for emerging economies argue that protectionism is necessary as a temporary measure until their companies are ready to compete. Whether these nations will ultimately lower data residency requirements down the road remains in doubt.

What Data Localization Means for Business

Companies are already complaining about the costs of large data transfers and local maintenance arrangements, which can reach well into the millions of dollars. There are also significant concerns about intellectual property theft and data security, especially for information kept on servers in Asia where breaches occur at almost twice the global average.

The logistical headaches associated with data localization rules may prove substantial as well. Many enterprises are based on cross-border business models in which data is collected in one country and transferred to another part of the world for processing. It’s unclear how some of these operations can continue.

Especially for small and internet-based companies, a lack of legal and financial expertise will make it difficult to adapt to differing regulations in each nation where they have customers. Imagine a simple e-newsletter needing to maintain email addresses for its subscribers in their own countries. Some, but far from all, regulatory structures have taken into account the challenges of under-resourced enterprises, but there are places where it may be too dangerous from a compliance perspective to contemplate doing business.

The good news about the global marketplace, is that it can find a way around nearly any problem. In the next installment, we’ll look to how companies and vendors are responding to data localization so the international IT show can go on.

Chris Adams is President and COO of Park Place Technologies. Contact him at cadams@parkplacetech.com.