Why data localization hurts implementing economies
By Kati Suominen, Founder and CEO, Nextrade Group and Techical Director, eTrade Alliance
MSMEs that use ecommerce need access to data on their operations, customers, and markets. Great many developing country MSMEs have dramatically improved their operations and sales after systematizing data collection and analysis from domestic and foreign customers. For example, using real-time data streams of its 1.5 million bookings across Southeast Asia to predict future demand and fix operational problems in real-time, ride hailing platform Grab has realized up to 40 percent savings in operations, improved customer service, and lowered the cost to customers.
However, for governments, access to personal data and its transfer across borders are among the most contentious and complex policy issues. Several countries such as China, Indonesia, India, Vietnam, Nigeria, and Turkey have recently introduced laws to localize individuals’ data entirely or in a specific sector, such as in payments, financial services, or healthcare. In April 2019, the Reserve Bank of India issued one of the most restrictive data localization measures yet, requiring foreign payment companies store all transaction data involving Indian customers on servers located within India, and delete Indian citizens’ data on their global servers.
For the providers of payment, ecommerce, financial, and other services, data localization rules can create immense costs – for example, setting up in-country servers to process data can cost tens of millions of dollars. Data localization mandates also create data security challenges as data will now have to be stored and secured locally and anomalous and fraudulent patterns cannot be as easily identified as in global datasets.
Governments have made many justifications for limiting the transfer of data across borders, such as that localization would better enable law enforcement to access data, create new jobs in digital industries, and broaden their tax base. Localization mandates are also often reported to result from lobbying by domestic or foreign companies that already have data processing facilities in-country, and that call for localization in order to raise costs to foreign rivals that process their data abroad. Data localization policies are in some markets worried to be used to squash dissent – as law enforcement can in principle access data in-country more easily than data from servers in a foreign country.
In 2019, the G20 sought to establish the “Osaka Track”, a broad-based international agreement to fuel cross-border transfer of data. However, reportedly India, South Africa, and Indonesia rejected the agreement. These and some other developing countries argue data issues need to be discussed at the WTO and that these countries need “policy space” for building their own digital economies – though data localization does nothing to build up a robust domestic digital economy.
Granted, India, Indonesia and Vietnam have relaxed some provisions of their data laws recently in the face of criticism by businesses and trading partners. But data localization and residency policies are quite widespread: some three dozen governments and the European Union have imposed some types of limits to the transfer of individuals’ data across borders, such as tax, transaction, payment, health, or employee data. Some countries require data to be physically stored on servers within their countries; others allow the data to leave their borders but insist on a copy remaining domestically and/or allowing data to move in an encrypted format; still others specify a time frame for the data to be stored locally. In the eTrade Alliance’s policy mapping of the 45 countries out of 50 that have some data transfer law in place, almost three-quarters or 32 countries require the receiving country to have “adequate” data protections in place, and/or that the data controller asks the data subject to consent to the data transfer.
As a result, there is by now a checkerboard of divergent and overlapping national digital regulations, which can be challenging for a business to comply with in even one market, let alone across several markets. This in turn stunts businesses’ global scalability.
The costs of data localization are very real on businesses, consumers, and economies. Numerous simulations and empirical studies suggest that data localization mandates increase the cost of world-class digital services to local companies; arrest the competitiveness of firms’ exports; dampen foreign direct investment and economic growth; and undermine firms and governments’ utilization of 5G connections and technologies such as AI and blockchain. For example, localization mandates are found to:
Undermine exports, FDI, and GDP growth and increase costs to local companies and consumers. In a simulation, European think-tank ECIPE finds that localization could result in a 1.3 percent drop in European Union GDP and 11 percent drop in EU manufacturing exports to the United States. In general, data localization requirements would lower GDP growth across a diverse range of countries like Brazil, Korea, and India. In another study, CIGI and Gotham House find localization would lower GDP by 0.1 percent in Brazil, 0.6 percent in China, and 0.5 percent in the EU. These results are not surprising: after all, data localization policies are much like local content requirements: they impose a tax on the user of data and digital services, such as small businesses and consumers, and thus disincentivize the diffusion of digital technologies and services. By localizing data, governments curtail companies and workforces’ access to cutting-edge digital services and technologies, and the development of digital skills among their citizens.
Undermine sectors intense in the use of data, such as a range of ecommerce, IT and financial services, and smart farming, manufacturing, and transport. In a study of five African countries, data localization increases costs especially to financial services and undermines productivity growth in manufacturing. In their study, CIGI and Gotham House find that data localization would undermine production especially in manufacturing, water, communications services, and financial services, among others. Indeed, limits to cross-border data flows are widely found to limit trade in services, in particular.
Discriminate against foreign providers. Data localization policies can shield uncompetitive local companies from foreign competitors. As such, they are much like discriminatory trade barriers. One simulation found that the EU’s data privacy and residency policies have a discriminatory impact on Korean companies. Another simulation found that while free cross-border data flows enable intense competition amongst producers, data localization restrictions force certain clustering of consumers around local firms, and limit consumer choice due to its effect on price and quality of service. In a survey, the U.S. International Trade Commission identified foreign data localization requirements as a barrier to 52 percent of U.S. small- and medium-sized enterprises in the digital communications sector.
NASSCOM, a trade association for the Indian information technology and business process outsourcing industry, has raised concerns about other countries’ data regulations as possible discriminatory barriers on Indian companies expanding into new markets. Indeed, paradoxically, firms in countries that have promoted data localization and “data sovereignty” such as India and Indonesia can upon growing and internationalizing face the same discriminatory data localization policies their own countries today champion.
Undermine startup formation and SMEs’ trade and growth. Governments around the world are seeking to enable entrepreneurship, startups, and SME exports. Data localization policies do the opposite: they impose new costs on startups that could otherwise access low-cost and secure digital services such as hyperscale global cloud computing services. This is a problem especially for MSMEs that rely on low-cost services to get their data processed and analyzed. Data privacy and localization policies are typically among the top-20 concerns of developing country MSMEs seeking to engage in ecommerce, out of nearly 70 challenges.
Conflict with other policy objectives. Data localization requirements increasingly conflict with public policy goals to enable data transfer for development, health, or public safety purposes. For example, data localization rules directly conflict with anti-money laundering and counter-terrorism (AML/CFT) requirements around international remittances, making it impossible for providers to comply with both regulatory frameworks. Initiatives that seek to share data on a blockchain across public and private sectors across borders – say, health data to respond to Covid-19 – are also increasingly worried to conflict with data privacy and transfer rules.
Create new cybersecurity vulnerabilities. Many governments have argued that data localization improves data available to law enforcement and national security. Yet study after study shows that localization does not guarantee data security, quite the opposite. Data security has little to do where data is stored – it has everything to do with how data are stored and governed. The negative impacts of data localization on data security are arguably especially grave if a country lacks the underpinnings to manage and secure data, such as low political risk, excellent IT networks and facilities, strong cybersecurity protections, and so on.
Undermine gains from 5G, internet of things, artificial intelligence, and blockchain. 5G connections and AI, machine learning, IoT, and blockchain are improving companies’ operations across countless industries, from manufacturing to mining. The usefulness of these technologies turns largely on data. For example, in smart farming, data collected through smart devices, IoT-enabled sensors, and even satellites are transmitted instantaneously and analyzed through sophisticated cloud computing services, to offer farmers real-time capabilities to improve their productivity. Data localization policies raise costs of such productivity-enhancing services. Countries that limit data flows will also limit data-driven improvements in public services such as medical services or emergency responses.
There is by now substantial evidence across studies on the negative effects of data localization on various economies, sectors, and firms of different sizes. There exist to our knowledge no studies that would find positive economic effects resulting from data localization. In light of these findings, it is hardly surprising that most business leaders and economists oppose data localization. For example, in India, the Centre for Internet and Society finds that 90 percent of Indian think-tanks and associations oppose data localization policies.