How data residency laws can harm privacy, commerce and innovation – and do little for national security


(Credit: Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Lothar Determann, Partner, Baker McKenzie and Adjunct Professor, Free University Berlin; University of California, Hastings College of the Law; Lecturer, Berkeley School of Law

  • In a world disrupted by COVID-19, policies which support international data transactions matter more than ever.
  • Data residency laws can have wide impacts on a range of issues, including personal privacy, national security and even commerce.

The current COVID-19 crisis demonstrates the importance of making informed decisions, but outdated data protection regulations and added data residency laws threaten to impede companies’ ability to do business and, consequently, promote economic security and growth in this new world. Data residency laws can have wide impacts on a range of issues, including personal privacy, national security and even commerce. Encouraging alternatives to these laws can be key to sidestepping their disadvantages to trade and innovation.

Understanding data residency laws

With data residency laws, governments require companies to store data on their national territory. Most commonly, data residency laws focus on personal data, but some jurisdictions also capture geolocation and other data. In other words, the laws cover data likely to be core to business needs.

Under data residency laws, companies must process data primarily on a territory; they can also transfer copies of the data abroad as long as they keep a local copy that is available to the local government for inspection. Data residency laws are designed to protect government interests.

Data protection and privacy laws restrict data transfers and do not usually require retention of data anywhere. According to data protection laws, companies do not have to retain any copies, but companies must not transfer data to another country except if they can assure adequate safeguards for the transferred data abroad; if companies can meet the requirements for an exception, they may transfer the data and are not required to keep a local copy of the data. (In fact, data protection laws would prefer no copies are kept anywhere).


Data residency laws are a relatively new phenomenon and sometimes also called “data sovereignty” or “data localization laws”. In the past, limited data residency requirements followed from laws written for the paper record era, whereby companies were compelled to ensure their records did not leave the respective country of origin so as to be accessible by e.g. tax authorities. However, in a world where access to data is essential for the development of a local data economy and concerns emerge around data breaches and cybersecurity, countries are increasingly demonstrating an appetite to secure local access to data and restrict international transfers of data.

Impact to privacy, security, commerce
Data residency laws can have wide impacts on a range of issues, including personal privacy, national security and commerce.

Individual privacy protection is often cited by countries as a policy objective, but in reality privacy protections are neither intended nor advanced by data residency requirements. To the contrary: easier country level access to data impedes privacy interests. For instance, police, secret services and other government authorities can compel access to data more easily when documents and storage media containing the data reside on local territory and can be seized in a raid. In other words, data residency laws are anti-privacy laws.

National security
Some countries are trying to ensure geolocation information is stored locally for national security considerations since having access to important information locally can make a difference in a conflict. But companies in countries with rigid data residency and access requirements will acquire less crucial information in times of emergency because they are not trusted by business partners and governments abroad.

Regulatory Control over Critical Businesses
If a government needs to take over a bank, energy company or critical infrastructure provider in an emergency situation (potentially in conflict with other countries or foreign companies), it can be important that all relevant data is locally stored and available without foreign cooperation. But, until such a take-over is necessary, any critical business will be handicapped by data residency requirements, as it will not be able to access cutting-edge cloud computing, machine learning, and other technologies developed and hosted abroad. Businesses restrained by data residency laws end up with higher costs, less efficient technologies, and a greater risk of having to be taken over in a crisis.

Data Security
Some countries seem to believe that crucial information will be safer at home. But, countries with isolated or outdated technology are less able to protect locally stored data against foreign military and criminal threats. Furthermore, and isolationist mentality around cybersecurity can undermine access to state of the art international best in class solutions.

Data residency laws fundamentally impact commerce, favoring local companies over foreign competitors. Local companies can comply with data residency requirements more easily than foreign competitors, because they naturally keep data at headquarters. Whilst in the immediate term this may appear to be advantageous for indigenous companies, in the long run, such protectionism tends to harm the protected companies by shielding them from much-needed global competition. Also, foreign countries will eventually reciprocate and foreign business may shy away from entering markets where data residency laws apply to avoid additional costs and taxation. Consequently, indigenous business may find it difficult to scale and succeed internationally. They will ultimately become a local liability. Mandating the use of local data centers or locally-made technology seems less helpful if local facilities end up not being globally competitive and slow down local progress.

Data residence laws could force multinationals to invest in local infrastructure and data centers. But, the opposite, negative effect is more likely: Many multinationals may prefer to operate without local government access to data and the related risks of corruption and compliance deficits associated with establishing local presences.

Most countries prefer open systems with economic freedoms as the default. They implement narrowly framed record retention, secrecy and anti-treason laws sufficient to protect national security interests. But very few countries have enacted broad data residency laws so far and international treaties like the Trans Pacific Partnership Agreement (TPPA) expressly commit member countries to refrain from enacting data residency laws or local data center requirements. International cooperation between intelligence and police forces, for example via Multilateral Assistance treaties, Executive Agreements under the U.S. Cloud Act, Interpol and regional cooperation arrangements, render data residency less relevant, too.

“Countries should refrain from enacting data residency laws, given the overriding disadvantages for local consumers, industries, technological development and job markets.”

—Lothar Determann, Partner, Baker McKenzie

Most personal data that companies collect is not crucial for national security purposes and not accessed by governments out of respect for individual privacy and freedoms. Therefore, it is not necessary or proportionate to mandate that companies must store all personal data locally. Moreover, for purposes of securing government access to data, it would be sufficient to require companies to guarantee remote access to data (wherever it is stored) or keep local back-up copies, which companies could create on a daily or weekly basis at much reduced cost compared to duplicating primary systems locally.

Still, given the impact that data residency laws can have, encouraging alternatives can be key. To support local information technology industries and favor direct foreign investment, countries can do the following: offer robust data protection laws, narrowly tailored to prevent concrete harms to individual privacy (as opposed to omnibus regulation of data processing); prioritize cybersecurity; develop accountability and trust with other countries; limit government access to privately-held data; invest in high-speed connectivity; facilitate technical standards; keep bureaucracy at bay; and keep innovation at the forefront of policymaking.

Countries should refrain from enacting data residency laws, given the overriding disadvantages for local consumers, industries, technological development and job markets. International treaties should prohibit national laws that broadly require organizations to store or process data on a particular territory. Narrow exceptions could be allowed for compelling national security interests, limited to requirements of back-up copies of specific types of records or information, but not of all personal data and not for primary information technology systems to be kept locally.

The Roadmap for Cross-Border Data Flows whitepaper offers progressive solutions which empower governments to adopt policies that allow companies to participate in a globally-facing data economy whilst addressing governments’ most pressing concerns of security, fairness and sovereign interest. By implementing mechanisms to build trust the need to data residency laws is greatly reduced and the benefits of the data economy can be more fully realised.

In the end, countries have a choice to either participate in an open international system which can offer more progressive solutions that address their concerns, or they can retreat and stymie the progress of their local data economies.

the sting Milestones

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

African cooperation on peace ‘increasingly strong’, Security Council told

4 ways Africa can prepare its youth for the digital economy

Mobile technology saving lives: Changing healthcare systems with simple technology solutions

A Sting Exclusive: “Technology for all, development for all: the role of ITU”, written by the Secretary General of the United Nations Agency

The historical performance of women in human health

Mental health in times of a pandemic: what can each individual do to lessen the burden?

Why the way of loving closes doors of health?

MEPs agree on future regional and cohesion funding

Sakharov Prize 2021: Parliament to announce candidates

‘More time’ agreed for buffer zone, to spare three million Syrian civilians in Idlib

Lockdown is the world’s biggest psychological experiment – and we will pay the price

5 ways cities can use emerging technologies to fight climate change

COVID-19: Commission steps up research funding and selects 17 projects in vaccine development, treatment and diagnostics

Coronavirus: new procedure to facilitate and speed up approval of adapted vaccines against COVID-19 variants

These are the most innovative cities in the world

How COVID-19 revealed 3 critical AI procurement blindspots that could put lives at risk

Indonesian tsunami death toll climbs over 400 as Government-led relief efforts are stepped up

Coronavirus: Macro-financial assistance agreement provides for €80 million disbursement to North Macedonia

Digital Finance Package: Commission sets out new, ambitious approach to encourage responsible innovation to benefit consumers and businesses

Should trade continue to be global after the pandemic?

UN chief applauds Bangladesh for ‘opening borders’ to Rohingya refugees in need

The European Commission and Austria secure COVID-19 vaccines for the Western Balkans

Violent disorder is on the rise. Is inequality to blame?

Storms and snow in Lebanon worsen plight for Syrian refugees

Ditching plastic straws isn’t enough. Here’s how to achieve zero waste.

A call for a new crop of innovators

Planet’s Health is Our Health and the Reverse is True

NextGenerationEU: European Commission disburses €24.9 billion in pre-financing to Italy

EU Digital COVID Certificate enters into application in the EU

EU to pay a dear price if the next crisis catches Eurozone stagnant and deflationary; dire statistics from Eurostat

The results of Finland’s basic income experiment are in. Is it working?

Growing a new coral reef in a fraction of the time with a fragment of the coral

EU elections update: Can the EU voters vote unaffected from fake news and online disinformation?

This plastic-free bag dissolves in water

Canada has high levels of well-being and solid growth but trade tensions and housing market pose risks while inclusiveness could be improved

Global leaders adopt agenda to overcome COVID-19 crisis and avoid future pandemics

Safer roads: More life-saving technology to be mandatory in vehicles

The cuts on 2014 Budget will divide deeply the EU

FROM THE FIELD: Weather reports come to aid of Uganda’s farmers

EU leaders let tax-evaders untouched

What does reimagining our energy system look like?

Unprecedented humanitarian crisis in Mali revealed in new report

UN Envoy urges Burundi leaders to ‘seize opportunities for national unity and peace’

Tuesday’s Daily Brief: funding for Palestine refugees, families today, tech surveillance

Meeting the crypto regulatory challenge

Business models inspired by nature are the future

Business is a crucial partner in solving the mental health challenge

3 important lessons from 20 years of working with social entrepreneurs

3 ways to ensure the internet’s future is creative, collaborative and fair

UN must bring more women police officers into the fold to be effective – UN peacekeeping official

Getting vaccinated should just be considered a human right?

It’s time for the circular economy to go global – and you can help

Prospect of lasting peace ‘fading by the day’ in Gaza and West Bank, senior UN envoy warns

Does the “climate change” require ombudsman services for environment?

Not a single child spared the ‘mind-boggling violence’ of Yemen’s war

Stakeholder capitalism is urgently needed – and the COVID-19 crisis shows us why

Here’s how we get businesses to harmonize on climate change

Climate change and health: a much needed multidisciplinary approach

Desires for national independence in Europe bound by economic realities

Brazil must immediately end threats to independence and capacity of law enforcement to fight corruption

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: