Increasing data localisation—governments requiring certain data to be stored within a jurisdiction—threatens internet innovation and makes the development of digital goods and services more difficult, potentially slowing economic growth.
India is thinking of joining the countries that have data localisation requirements: China, Russia, Indonesia, Vietnam, and others. It is a bad idea.
The internet has delivered worldwide benefits, mostly through US technology companies offering services globally. Light regulation has enabled innovation, facilitated rapid development of internet services, and delivered benefits across the planet.
These technologies are also bringing new challenges. Fake news and social media have been blamed for nothing less than the potential destruction of democracy, and leading technology companies warn of the dangers posed by cyberattacks.
One response has been for governments to clamp down and impose tighter regulations. The inherently borderless nature of the internet has presented regulators and lawmakers with challenges, but in recent times governments have taken two different approaches.
The first is to create laws that apply beyond their own borders. The European Union has imposed tight data-protection rules—known as the General Data Protection Regulation (GDPR)―based on the premise that individuals have the fundamental right to control the use of their own data. The justification for the GDPR’s extraterritorial application is that a citizen’s right to control their own personal data is universal and exists regardless of overlapping jurisdictions. According to the GDPR, personal data should be used in a manner ‘designed to serve mankind’ and should ‘whatever [an individual’s] nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data’.
The second approach is to compel data localisation and legislate that data—typically personal data—must be stored within a state’s jurisdiction. China and Russia both have laws that impose a data localisation requirement. Both states cite protection of personal information as one of the justifications for these laws, but concerns have been raised that they’re using localisation to enable intrusive government access to private information. Governments have a range of exceptional access powers that are typically relatively easy to exercise within their borders, but difficult to enforce outside their jurisdiction.
To be clear, both approaches are forms of regulation that impose additional costs. Ideally, a harmonised global approach to data protection would be preferable. The European GDPR already imposes relatively high costs on companies doing business in the European Union, or even just conducting business with EU citizens.
Data localisation requirements, however, impose additional new costs above and beyond those of the GDPR.
There are several factors that decide where data should ‘live’—that is, where it is best stored. Many of these factors are technological, and the best place to store data has changed over time as technology has evolved.
Some of the factors involved today are:
- the proliferation of power- and storage-constrained mobile devices—it is better to have much of the world’s data processing and storage take place at data centres that don’t have limits on storage and battery life
- environmental efficiency—cooling is a significant cost in data centre operations, and some climates are better suited for efficient data centres
- the limits of communication technology—some locations can provide more responsive and therefore higher quality services
- physical and political security—it’s no good having a cheap-to-run location with good connectivity to end users if safety and security are compromised by other physical or political instability
- the human geography—where are end users located, and what are their computing requirements?
- financial considerations—where can cost-effective space, power and communications connectivity be found?
Data localisation requirements often mean that some or all of these physical and technical factors are compromised. More broadly applied data localisation requirements result in real additional costs, estimated at over 0.5% of GDP. It is only for relatively sensitive data that this cost can be justified.
For some particularly sensitive data, such as financial, health or telecommunications records, and data with national security implications, it’s not unusual for governments to require the information to be physically stored within their jurisdictions. Australia, for example, has mandated that certain health data be stored locally, and national security and other government data has contractually enforced localisation requirements.
For most data, the risk of compromise is not related to its physical location. Hackers don’t gain access to data because of a server’s location—they gain access because of poor cybersecurity.
On top of the direct additional cost, data localisation makes it much harder for new internet businesses to grow. Protecting personal data involves work to secure and manage where it is being sent, tracking and accounting for these data flows, and being able—in the case of the GDPR—to delete individual records if necessary. Localisation requires that this work be duplicated—potentially across many jurisdictions—so that a business expanding internationally might need to simultaneously comply with myriad data localisation requirements on top of its baseline work to manage personal data. This significantly increases the complexity and cost of expansion without directly addressing the cybersecurity concerns that actually improve data security.
Regulation is required to protect personal data, but it should be carefully constructed to avoid stifling innovation and adding unnecessary costs and complexity that will strangle new businesses and stifle economic growth.