Today, personal data have become the resource driving much of the online activity in our global economy. The Internet has torn down national borders in many aspects of our daily life. We often think of trade as the transfer of goods or services between places, but much of the world’s trade today is made up of less tangible, but no less real, transfers of data in what is known as cross-border data flows. Transfers of information between servers on a global scale enable people to access the information and services they need, no matter where they are.
Cross-border data flows are playing an increasingly important economic role, which is striking given that these flows were negligible two decades ago. Between 2005 and 2014, for instance, cross-border flows of data grew 45 times and are predicted to grow 45 times every ten years.[1] In the past two years, COVID-19 has accelerated the digitalization of the global economy in an unprecedented way. Between 2020 and 2023, companies are planning to spend $6.8 trillion on digital transformation.[2]
The cross-border nature of the Internet and the speed and sheer volume of communication raise a number of security problems. In response, policymakers worldwide have started to seek methods to regulate and restrict cross-border data flows. They usually justify their actions by referring to privacy, national security, or economic nationalism. Some countries apply a total ban on data transfers to achieve these ends. Others only restrict certain types of data. In all cases, however, the result harms global trade and economic growth.
The rise of data localization policies
The treatment of cross-border flows of personal data stands out as a core difference in the data protection regimes of countries, and reflects the differences in importance given to various public policy goals. In particular, policymakers believe it is their duty to find the satisfactory compromise between promoting economic development and providing adequate protection for citizens’ data.
Some governments use digitalization as a protectionist tool. They implement data localization requirements, restrict cross-border data flows, and require businesses operating in a territory to store the data they collect in a computing facility in that same territory. However, physical location does not guarantee much protection, and it turns out to be a burden for the companies involved.
Unfortunately, a growing number of jurisdictions are introducing or strengthening data localization requirements. To name a few:
- China has prohibited foreign companies from providing cloud-computing services directly to customers in China. In addition, if foreign suppliers of services wish to enter the market, they must work with a Chinese company and share all technology, intellectual property, and brands.
- South Korea restricts the cross-border use of cloud computing for financial services, which restricts market access for foreign companies.
- Nigerian laws force businesses to store locally all data concerning Nigerian citizens and require businesses to host any governmental data locally unless exemptions are granted.
- In Indonesia, data localization rules have been expanded, and any provider of a “public service” must establish local data centers and disaster recovery centers.
Policymakers might argue that localizing data is a simple solution that can provide them with greater control. But in reality, this will disconnect them from global information flows, which is destructive and dangerous for security and economic growth.
The economic cost of data protectionism
Data localization requirements present many difficulties for businesses without a physical presence in a nation. The burden associated with obligatory localization requirements is more harmful to small and developing economies because the cost of the investment in infrastructure weighs more heavily. At the same time, the opportunity cost of restricting trade in services may be higher in countries that do not have a large domestic market of their own.
Despite these potential costs and disruptions, several governments continue to enact measures mandating that data collected within their territory stay within their borders. Many studies have concluded that data protection requirements place disproportionate burdens on businesses and disrupt cross-border data transfers. Limiting international data flows to support the growth of a local data industry is a mistake: costs will increase for small local firms, choices for consumers will be limited, and data security will be threatened (Castro and McQuinn, 2015).[3]
Restrictions on cross-border data flows have had consequences. For example, the cost of General Data Protection Regulation (GDPR) compliance is expected to be around $8 billion per year for Fortune 500 organizations. In a similar vein, a 2016 ECIPE study indicates that data localization lowers productivity. This study focuses on EU data-localization measures and estimates what would happen if these measures were removed or extended into full data-localization between EU members: a full data-localization policy would cost the EU 0.4 percent of GDP each year.[4]
Policymakers ignore the fact that more regulations have adverse effects on trade and GDP and that restricting data flows is a threat to the foundational idea of the Internet. Data flows give individuals, businesses, and organizations more options by increasing consumer choice and reducing operational costs of network operators working across borders.
Policymakers should recognize the enormous societal and economic benefits from innovative technologies and commit themselves to refrain from banning the transfer of data or requiring local storage. They can protect their citizens’ data through other means – for instance, by resorting to encryption protocols. But authorities do not trust technology to play this role, especially after the series of eruptions, data breaches, and misuses of data that have caught people’s attention and made them demand more regulation of companies that collect their data.
But is strict regulation really effective in protecting citizens’ data? Or is it just hindering competition?
Photo by Fabian Kurz
[1] Data Beyond Borders 2.0 Laying the foundation for a digital global economy 2021
[2] Data Beyond Borders 2.0 Laying the foundation for a digital global economy 2021
[3] Cross-Border Data Flows Enable Growth in All Industries, By Daniel Castro and Alan McQuinn – Information Technology and Innovation Foundation, February 24, 2015 https://www2.itif.org/2015-cross-border-data-flows.pdf
[4] Matthias Bauer, Fredrik Erixon, Michal Krol, Hosuk Lee-Makiyama, and Bert Verschelde, “The Economic Importance of Getting Data Protection Right: Protecting Privacy, Transmitting Data, Moving Commerce” (The European Centre for International Political Economy, March 2013), https://www.uschamber.com/sites/default/files/documents/files/020508_EconomicImportance_Final_Revised_lr.pdf.