Cross-border data flows lie at the heart of the global digital economy and are a key driver of international trade. The term “data flows” refers to the transfer of data packets from one point or end device to another using the network of the Internet. However, as the digital economy expands, countries have expressed four key concerns over the free flow of data. These are:
“(1) storage of data on foreign servers, which has impeded data access for law enforcement agencies, (2) the loss of economic benefits due to exploitation of data by foreign firms, (3) concerns about foreign surveillance, and (4) misuse of personal data in violation of privacy rights”.
These risks have led many countries to conclude that cross-border data flows must be regulated. Data localization is one of the most commonly used data-restrictive measures. It can be understood as any measure «that specifically encumber(s) the transfer of data across national borders», thus including both de jure and de facto measures.
Types of data localization policies: from least to most restrictive
The first category of data localization « refers to measures that require local storage of data, without prohibiting the processing or storage in other countries ». This category targets financial data, telecommunications information, or business records, such as accounting data, and is often associated with data retention policies.
The second category of data localization «refers to measures that require local processing and storage but permit international access or transfers under precisely defined conditions». An example is Australia’s electronic health records act, which mandates that health record data be stored within Australia but allows for access from abroad when users (the data subjects) or licensed healthcare professionals require it.
The third category refers «to measures that mandate local storage and processing of data while also prohibiting transfers to other countries (or only on the basis of ad hoc authorizations) ». This approach is also known as de facto localization because it makes data transfers so complicated, costly, and uncertain that companies effectively have no choice but to store the data locally, especially when facing the risk of substantial fines.
Additionally, a new approach to data localization is emerging that focuses on access to data rather than its location. These measures do not mandate local data storage but require firms to ensure that relevant authorities have access to the data. A key example is Denmark’s Bookkeeping Act. From 2006 to 2015, the Act required data to be stored in Denmark with specific conditions for transferring and storing data abroad. However, in 2015, the Act shifted from requiring local storage to imposing access conditions, ensuring that Danish public authorities have access when justified.
The impact of data localization
- Cybersecurity: Data localization will hinder the effectiveness of cybersecurity tools and services, such as threat detection systems. For instance, Cloud Service Providers (CSPs) generate trillions of signals from diverse global data sets, which help them identify malicious actors and threats, such as botnets and malware. CSPs monitor various personal data, including IP addresses and user activities (e.g., password resets and account privilege changes). To effectively detect and address cyber threats, CSPs must be able to collect, analyze, and share this information within their organizations, with clients, other CSPs, and occasionally law enforcement across multiple jurisdictions.
- Fraud Prevention: Data localization measures undermine the tools and services used by financial institutions to detect and prevent payment fraud, money laundering, and other financial crimes. The effectiveness of anti-money laundering, counter-terrorism financing, anti-bribery and corruption measures, and know-your-customer protocols relies on access to comprehensive personal data across multiple jurisdictions. Restricting these services from global data flows will reduce their accuracy and reliability, potentially jeopardizing the safety and security of individuals relying on financial services.
- Human Resources Data: Data localization disrupts the operations of multinational companies that rely on the ability to transfer human resources (HR) data across borders to their central HR departments, centralized IT systems, and both internal and external payroll and service providers. These data transfers are essential for the recruitment and management of a global workforce—without the ability to share data, companies would struggle to operate across multiple jurisdictions, preventing them from delivering economic and societal value in various countries.
- Manufacturing: Data localization requirements can restrict manufacturers from using end-to-end lifecycle management solutions by limiting the exchange of information, including personal data of employees, among globally dispersed project teams. For instance, an automobile manufacturer might be unable to utilize comprehensive customer usage data, such as personal details like location and biometric information, to coordinate vehicle maintenance and development. As a result, manufacturers could encounter production delays, and their customers might face decreased quality and longer wait times.
- Customer Service: Customers across various sectors—such as banking, insurance, travel, online retail, and healthcare—expect customer and tech support to be available 24/7. Data flows allow organizations to set up customer service facilities in multiple locations around the world, ensuring support is provided at times that best suit both customers and service employees in different time zones.
Sources: