Data localization rules existed before the 2013 Snowden revelations. However, they really took off afterwards. Whether they are motivated by a genuine desire to protect privacy or by industrial policy rationales, they are harmful to consumers and often do not enhance security. For example, proposed Chinese “secure and controllable” regulations for the insurance sector would impose a data localization requirement. In effect, this would raise costs for insurance customers in China and do nothing to enhance the security of their data. SIIA is working with other trade associations to make this and other points with the Chinese government and the World Trade Organization. See this June 2, 2016 letter from the United States Information Technology Office (USITO) on this topic.
A variety of studies have looked into the costs of data localization. In its paper on the subject, ECIPE examines the economic impact and security implications of data localization laws in seven countries. See below for the ECIPE estimates.
· Total impact on GDP: Brazil (-0.2%), China (-1.1%), EU (-0.4%), India (-0.1%), Indonesia (-0.5%), Korea (-0.4%) and Vietnam (-1.7%).
· Effect on overall domestic investments: Brazil (-4.2%), China (-1.8%), EU (-3.9%), India (-1.4%), Indonesia (-2.3%), Korea (-0.5%) and Vietnam (-3.1%).
ECIPE also notes correctly: “information security is not a function of where data is physically stored or processed.” Security concerns from hacking to widespread violence are often domestic. As a result, storing information in one physical location could increase vulnerability to domestic threats rather than prevent them.
We have collected several real-world examples of how data localization laws directly impact businesses. These examples are drawn from the press. This effort is important because the impacts of data localization are often seen in purely monetary or macroeconomic terms. Such analyses can be portrayed (erroneously, but sometimes effectively) as divorced from reality, methodologically suspect, or both. The reality is that data localization has real-world impacts for consumers and companies. And those consequences are negative.
Government Regulation 82 and Draft Regulations in July 2015 from the Ministry of Communications and Information Technology (MCIT) include provisions that require every electronic system provider for public services to locate a data center and disaster recovery center within Indonesia.
Companies like Facebook, Google, Yahoo and Multipolar Technology are all obligated to abide by this new regulation. In fact, Multipolar Technology, a listed IT company, is spending $100 million to build a data center in West Java. In some cases, the regulation could completely erode business activity. For example, Google Indonesia told local media that regulations on data centers for foreign content providers are not feasible.
Citing the PRC Telecommunications Regulation passed in September 2000, which in essence requires data collected in the country to be stored on Chinese servers, Chinese officials have pushed businesses like Hewlett Packard (HP), Qualcomm and Uber to give up more than 50% of their business in China to Chinese companies or pay antitrust fines that top $1 billion.
The Banking Regulation and Supervising Industry (BDDK), Turkey’s financial regulator, instituted a policy in June 2016 that requires companies to establish a local IT center in the country. As a result, PayPal was forced to shut down service in Turkey, affecting “tens of thousands of businesses and hundreds of thousands of consumers.”
Referencing the National Security Act passed in 1948, Korean officials now prohibit mapping data from being taken out of the country. As a result, Alphabet Inc. has been unable to build mapping services in Korea, where the majority of the country’s 50 million people regularly use local mapping services instead of Google Maps’ more advanced and convenient services.
In July 2014, Russia adopted Federal Law No. 242-FZ, which requires that information a company holds pertaining to Russian citizens be stored on servers physically located within the country. As a result, Google had to hire data center space and racks, and other companies like eBay face difficult choices on whether the benefits of business in Russia outweigh the cost of hiring data center space.
SIIA strongly supports data privacy and security. And it is natural that countries sometimes take different approaches on how to promote data privacy and security. To take the most obvious example, the United States has a sectoral privacy system and the EU has a “whole-of-economy” constitutionally-based system. Candidly, we do not think that every element of the EU system promotes innovation (we do not necessarily endorse every element of the American system either). However, SIIA’s member companies comply with the law in the countries in which they conduct business. The important thing is for there to be interoperability mechanisms – such as the hopefully soon-to-be-approved EU-US Privacy Shield – that allow companies to transfer data from one jurisdiction to another as long as the firms comply with the data transfer legal arrangement they are part of. Those mechanisms can be rigorous. The EU-US Privacy Shield, for example, imposes new obligations on companies that the predecessor arrangement – the U.S.-EU Safe Harbor Framework – did not include. The important thing is that the interoperability mechanism not be discriminatory or a disguised means of restricting trade. We took this message to Trade in Services Agreement negotiators in Geneva on October 9, 2015. Our message is reflected in the Trans-Pacific Partnership’s excellent provisions on digital trade. SIIA would like to see this approach realized in future trade agreements such as the Transatlantic Trade and Investment Partnership and the Trade in Services Agreement. It should also serve as a template for our bilateral relationships, especially with China.