How data residency laws can harm privacy, commerce and innovation – and do little for national security


This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Lothar Determann, Partner, Baker McKenzie and Adjunct Professor, Free University Berlin; University of California, Hastings College of the Law; Lecturer, Berkeley School of Law

  • In a world disrupted by COVID-19, policies which support international data transactions matter more than ever.
  • Data residency laws can have wide impacts on a range of issues, including personal privacy, national security and even commerce.

The current COVID-19 crisis demonstrates the importance of making informed decisions, but outdated data protection regulations and added data residency laws threaten to impede companies’ ability to do business and, consequently, promote economic security and growth in this new world. Data residency laws can have wide impacts on a range of issues, including personal privacy, national security and even commerce. Encouraging alternatives to these laws can be key to sidestepping their disadvantages to trade and innovation.

Understanding data residency laws

With data residency laws, governments require companies to store data on their national territory. Most commonly, data residency laws focus on personal data, but some jurisdictions also capture geolocation and other data. In other words, the laws cover data likely to be core to business needs.

Under data residency laws, companies must process data primarily on a territory; they can also transfer copies of the data abroad as long as they keep a local copy that is available to the local government for inspection. Data residency laws are designed to protect government interests.

Data protection and privacy laws, by contrast, restrict data transfers and do not usually require retention of data anywhere. Under data protection laws, companies do not have to retain any copies, but they must not transfer data to another country unless they can assure adequate safeguards for the transferred data abroad; if companies can meet the requirements for an exception, they may transfer the data and are not required to keep a local copy. (In fact, data protection laws would prefer no copies are kept anywhere.)


Data residency laws are a relatively new phenomenon and sometimes also called “data sovereignty” or “data localization laws”. In the past, limited data residency requirements followed from laws written for the paper record era, whereby companies were compelled to ensure their records did not leave the respective country of origin so as to be accessible by e.g. tax authorities. However, in a world where access to data is essential for the development of a local data economy and concerns emerge around data breaches and cybersecurity, countries are increasingly demonstrating an appetite to secure local access to data and restrict international transfers of data.

Impact to privacy, security, commerce
Data residency laws can have wide impacts on a range of issues, including personal privacy, national security and commerce.

Individual privacy protection is often cited by countries as a policy objective, but in reality privacy protections are neither intended nor advanced by data residency requirements. To the contrary: easier country-level access to data impedes privacy interests. For instance, police, secret services and other government authorities can compel access to data more easily when documents and storage media containing the data reside on local territory and can be seized in a raid. In other words, data residency laws are anti-privacy laws.

National security
Some countries are trying to ensure geolocation information is stored locally for national security considerations since having access to important information locally can make a difference in a conflict. But companies in countries with rigid data residency and access requirements will acquire less crucial information in times of emergency because they are not trusted by business partners and governments abroad.

Regulatory Control over Critical Businesses
If a government needs to take over a bank, energy company or critical infrastructure provider in an emergency situation (potentially in conflict with other countries or foreign companies), it can be important that all relevant data is locally stored and available without foreign cooperation. But, until such a take-over is necessary, any critical business will be handicapped by data residency requirements, as it will not be able to access cutting-edge cloud computing, machine learning, and other technologies developed and hosted abroad. Businesses restrained by data residency laws end up with higher costs, less efficient technologies, and a greater risk of having to be taken over in a crisis.

Data Security
Some countries seem to believe that crucial information will be safer at home. But countries with isolated or outdated technology are less able to protect locally stored data against foreign military and criminal threats. Furthermore, an isolationist mentality around cybersecurity can undermine access to state-of-the-art, international best-in-class solutions.

Data residency laws fundamentally impact commerce, favoring local companies over foreign competitors. Local companies can comply with data residency requirements more easily than foreign competitors, because they naturally keep data at headquarters. Whilst in the immediate term this may appear to be advantageous for indigenous companies, in the long run, such protectionism tends to harm the protected companies by shielding them from much-needed global competition. Also, foreign countries will eventually reciprocate and foreign business may shy away from entering markets where data residency laws apply to avoid additional costs and taxation. Consequently, indigenous business may find it difficult to scale and succeed internationally. They will ultimately become a local liability. Mandating the use of local data centers or locally-made technology seems less helpful if local facilities end up not being globally competitive and slow down local progress.

Data residency laws could force multinationals to invest in local infrastructure and data centers. But the opposite, negative effect is more likely: many multinationals may prefer to operate without local government access to data and the related risks of corruption and compliance deficits associated with establishing local presences.

Most countries prefer open systems with economic freedoms as the default. They implement narrowly framed record retention, secrecy and anti-treason laws sufficient to protect national security interests. But very few countries have enacted broad data residency laws so far and international treaties like the Trans Pacific Partnership Agreement (TPPA) expressly commit member countries to refrain from enacting data residency laws or local data center requirements. International cooperation between intelligence and police forces, for example via Multilateral Assistance treaties, Executive Agreements under the U.S. Cloud Act, Interpol and regional cooperation arrangements, render data residency less relevant, too.

“Countries should refrain from enacting data residency laws, given the overriding disadvantages for local consumers, industries, technological development and job markets.”

—Lothar Determann, Partner, Baker McKenzie

Most personal data that companies collect is not crucial for national security purposes and not accessed by governments out of respect for individual privacy and freedoms. Therefore, it is not necessary or proportionate to mandate that companies must store all personal data locally. Moreover, for purposes of securing government access to data, it would be sufficient to require companies to guarantee remote access to data (wherever it is stored) or keep local back-up copies, which companies could create on a daily or weekly basis at much reduced cost compared to duplicating primary systems locally.

Still, given the impact that data residency laws can have, encouraging alternatives can be key. To support local information technology industries and favor direct foreign investment, countries can do the following: offer robust data protection laws, narrowly tailored to prevent concrete harms to individual privacy (as opposed to omnibus regulation of data processing); prioritize cybersecurity; develop accountability and trust with other countries; limit government access to privately-held data; invest in high-speed connectivity; facilitate technical standards; keep bureaucracy at bay; and keep innovation at the forefront of policymaking.

Countries should refrain from enacting data residency laws, given the overriding disadvantages for local consumers, industries, technological development and job markets. International treaties should prohibit national laws that broadly require organizations to store or process data on a particular territory. Narrow exceptions could be allowed for compelling national security interests, limited to requirements of back-up copies of specific types of records or information, but not of all personal data and not for primary information technology systems to be kept locally.

The Roadmap for Cross-Border Data Flows whitepaper offers progressive solutions which empower governments to adopt policies that allow companies to participate in a globally-facing data economy whilst addressing governments’ most pressing concerns of security, fairness and sovereign interest. By implementing mechanisms to build trust, the need for data residency laws is greatly reduced and the benefits of the data economy can be more fully realised.

In the end, countries have a choice to either participate in an open international system which can offer more progressive solutions that address their concerns, or they can retreat and stymie the progress of their local data economies.
