How data residency laws can harm privacy, commerce and innovation – and do little for national security

data

(Credit: Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Lothar Determann, Partner, Baker McKenzie and Adjunct Professor, Free University Berlin; University of California, Hastings College of the Law; Lecturer, Berkeley School of Law


  • In a world disrupted by COVID-19, policies which support international data transactions matter more than ever.
  • Data residency laws can have wide impacts on a range of issues, including personal privacy, national security and even commerce.

The current COVID-19 crisis demonstrates the importance of making informed decisions, but outdated data protection regulations and added data residency laws threaten to impede companies’ ability to do business and, consequently, promote economic security and growth in this new world. Data residency laws can have wide impacts on a range of issues, including personal privacy, national security and even commerce. Encouraging alternatives to these laws can be key to sidestepping their disadvantages to trade and innovation.

Understanding data residency laws

With data residency laws, governments require companies to store data on their national territory. Most commonly, data residency laws focus on personal data, but some jurisdictions also capture geolocation and other data. In other words, the laws cover data likely to be core to business needs.

Under data residency laws, companies must process data primarily on a territory; they can also transfer copies of the data abroad as long as they keep a local copy that is available to the local government for inspection. Data residency laws are designed to protect government interests.

Data protection and privacy laws restrict data transfers and do not usually require retention of data anywhere. According to data protection laws, companies do not have to retain any copies, but companies must not transfer data to another country except if they can assure adequate safeguards for the transferred data abroad; if companies can meet the requirements for an exception, they may transfer the data and are not required to keep a local copy of the data. (In fact, data protection laws would prefer no copies are kept anywhere).

 

Data residency laws are a relatively new phenomenon and sometimes also called “data sovereignty” or “data localization laws”. In the past, limited data residency requirements followed from laws written for the paper record era, whereby companies were compelled to ensure their records did not leave the respective country of origin so as to be accessible by e.g. tax authorities. However, in a world where access to data is essential for the development of a local data economy and concerns emerge around data breaches and cybersecurity, countries are increasingly demonstrating an appetite to secure local access to data and restrict international transfers of data.

Impact to privacy, security, commerce
Data residency laws can have wide impacts on a range of issues, including personal privacy, national security and commerce.

Privacy
Individual privacy protection is often cited by countries as a policy objective, but in reality privacy protections are neither intended nor advanced by data residency requirements. To the contrary: easier country level access to data impedes privacy interests. For instance, police, secret services and other government authorities can compel access to data more easily when documents and storage media containing the data reside on local territory and can be seized in a raid. In other words, data residency laws are anti-privacy laws.

National security
Some countries are trying to ensure geolocation information is stored locally for national security considerations since having access to important information locally can make a difference in a conflict. But companies in countries with rigid data residency and access requirements will acquire less crucial information in times of emergency because they are not trusted by business partners and governments abroad.

Regulatory Control over Critical Businesses
If a government needs to take over a bank, energy company or critical infrastructure provider in an emergency situation (potentially in conflict with other countries or foreign companies), it can be important that all relevant data is locally stored and available without foreign cooperation. But, until such a take-over is necessary, any critical business will be handicapped by data residency requirements, as it will not be able to access cutting-edge cloud computing, machine learning, and other technologies developed and hosted abroad. Businesses restrained by data residency laws end up with higher costs, less efficient technologies, and a greater risk of having to be taken over in a crisis.

Data Security
Some countries seem to believe that crucial information will be safer at home. But, countries with isolated or outdated technology are less able to protect locally stored data against foreign military and criminal threats. Furthermore, and isolationist mentality around cybersecurity can undermine access to state of the art international best in class solutions.

Commerce
Data residency laws fundamentally impact commerce, favoring local companies over foreign competitors. Local companies can comply with data residency requirements more easily than foreign competitors, because they naturally keep data at headquarters. Whilst in the immediate term this may appear to be advantageous for indigenous companies, in the long run, such protectionism tends to harm the protected companies by shielding them from much-needed global competition. Also, foreign countries will eventually reciprocate and foreign business may shy away from entering markets where data residency laws apply to avoid additional costs and taxation. Consequently, indigenous business may find it difficult to scale and succeed internationally. They will ultimately become a local liability. Mandating the use of local data centers or locally-made technology seems less helpful if local facilities end up not being globally competitive and slow down local progress.

Data residence laws could force multinationals to invest in local infrastructure and data centers. But, the opposite, negative effect is more likely: Many multinationals may prefer to operate without local government access to data and the related risks of corruption and compliance deficits associated with establishing local presences.

Alternatives
Most countries prefer open systems with economic freedoms as the default. They implement narrowly framed record retention, secrecy and anti-treason laws sufficient to protect national security interests. But very few countries have enacted broad data residency laws so far and international treaties like the Trans Pacific Partnership Agreement (TPPA) expressly commit member countries to refrain from enacting data residency laws or local data center requirements. International cooperation between intelligence and police forces, for example via Multilateral Assistance treaties, Executive Agreements under the U.S. Cloud Act, Interpol and regional cooperation arrangements, render data residency less relevant, too.

“Countries should refrain from enacting data residency laws, given the overriding disadvantages for local consumers, industries, technological development and job markets.”

—Lothar Determann, Partner, Baker McKenzie

Most personal data that companies collect is not crucial for national security purposes and not accessed by governments out of respect for individual privacy and freedoms. Therefore, it is not necessary or proportionate to mandate that companies must store all personal data locally. Moreover, for purposes of securing government access to data, it would be sufficient to require companies to guarantee remote access to data (wherever it is stored) or keep local back-up copies, which companies could create on a daily or weekly basis at much reduced cost compared to duplicating primary systems locally.

Still, given the impact that data residency laws can have, encouraging alternatives can be key. To support local information technology industries and favor direct foreign investment, countries can do the following: offer robust data protection laws, narrowly tailored to prevent concrete harms to individual privacy (as opposed to omnibus regulation of data processing); prioritize cybersecurity; develop accountability and trust with other countries; limit government access to privately-held data; invest in high-speed connectivity; facilitate technical standards; keep bureaucracy at bay; and keep innovation at the forefront of policymaking.

Countries should refrain from enacting data residency laws, given the overriding disadvantages for local consumers, industries, technological development and job markets. International treaties should prohibit national laws that broadly require organizations to store or process data on a particular territory. Narrow exceptions could be allowed for compelling national security interests, limited to requirements of back-up copies of specific types of records or information, but not of all personal data and not for primary information technology systems to be kept locally.

The Roadmap for Cross-Border Data Flows whitepaper offers progressive solutions which empower governments to adopt policies that allow companies to participate in a globally-facing data economy whilst addressing governments’ most pressing concerns of security, fairness and sovereign interest. By implementing mechanisms to build trust the need to data residency laws is greatly reduced and the benefits of the data economy can be more fully realised.

In the end, countries have a choice to either participate in an open international system which can offer more progressive solutions that address their concerns, or they can retreat and stymie the progress of their local data economies.

the sting Milestone

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

How to maintain mental health in times of pandemic

UN receives ‘Humanium’ wristwatch gift, symbolizing peaceful transformation

A Europe that Protects: Commission calls for more efforts to ensure adoption of security proposals

Greece’s Tsipras: Risking country and Eurozone or securing an extra argument for creditors?

Syrian crisis is ‘clearest example’ of foreign investment in terrorism, Deputy Prime Minister says at UN

‘Eco-shaming’ is on the rise, but does it work?

Belgium eases lockdown with free train tickets for every citizen

The Challenger Within – Mental Health In Romania During Lockdown

Guterres calls for ‘maximum restraint’ following drone assault on key Saudi oil facility

A record number of people will need help worldwide during 2020: Global Humanitarian Overview

The 5 mistakes we’re making in the fight against global energy poverty

The DNA of the future retail CEO

‘Well-being of two million’ in Gaza at stake as emergency fuel runs dry: UN humanitarian coordinator

World must ‘step up’, match Pakistan’s compassion for refugees, says UN chief

Online radio and news broadcasts: Parliament and Council reach deal

Governments urged to put first ever UN global migration pact in motion, post-Marrakech

With the right leadership, sustainable finance can help us shift to a low-carbon economy

Coronavirus: Commission boosts budget for repatriation flights and rescEU stockpile

What is a gender parity accelerator, and how does it work?

Sweden must urgently implement reforms to boost fight against foreign bribery

Mental health and suicide prevention

A Sting Exclusive: “Junior Enterprises themselves carry out projects focusing on the environment”, JADE President Daniela Runchi highlights from Brussels

Trump to run America to the tune of his business affairs

“We need to use the momentum globally to ensure that corporations pay their fare share of taxation”, EU Commissioner Valdis Dombrovskis outlines from the World Economic Forum 2017.

UN rights expert calls for civilian protection as fighting escalates between military and armed group

Everybody for himself in G20 and IMF

Africa-Europe Alliance: Denmark provides €10 million for sustainable development under the EU External Investment Plan

We can save the Earth. Here’s how

Financing the 2030 Agenda: What is it and why is it important?

“InvestEU”: MEPs support new programme to boost financing for jobs and growth

Mental health and suicide prevention – what can be done to increase access to mental health services in my local area?

What if nature became a legal person?

EU finally agrees on target for 40% greenhouse emission cuts ahead of Paris climate talks

European Commission adopted Report on the Impact of Demographic Change in Europe

On their epic journeys, migratory birds connect nations and inspire people, UN says on World Day

What can each individual do to lessen the burden of mental health in times of the pandemic?

ECB will be the catalyst of Eurozone’s reunification

How do we design an inclusive energy transition?

UN chief welcomes agreement by rival leaders in South Sudan, as a step towards ‘inclusive and implementable’ peace

How COVID-19 is throttling vital migration flows

The Prime Minister of Spain on climate change, taxes and more

Commission pledges €100 million to help Mozambique recover from cyclones Idai and Kenneth

Moving from commitment to action on LGBTI equality

New UN Syria envoy pledges to work ‘impartially and diligently’ towards peace

Australia now has 25 million people. Will it choose to keep growing?

Burned in the Amazonian forest: Your health may be in danger

‘Antagonistic gestures and accusations’ drown out Kosovo dialogue hopes, Security Council hears

Who gains when the US and China fight over trade?

Suicide Prevention: Using Graduation as a Transformative Tool

Banks promise easing of credit conditions in support of the real economy

It’s time to move: 5 ways we can upgrade our SDG navigation systems

How the world can gear up for the fight against cancer

UN human rights ruling could boost climate change asylum claims

Health services for Syrian women caught up in war, foster safety and hope: UNFPA

‘Dangerous nationalism’ seriously threatens efforts to tackle statelessness: UNHCR chief

Bring killers of journalists to justice: UN agency seeks media partners for new campaign

Radioactive nuclear waste is a global threat. These scientists may have a new solution

Draghi cuts the Gordian knot of the Banking Union

What if we did everything right? This is what the world could look like in 2050

New Disability Inclusion Strategy is ‘transformative change we need’, says Guterres

More Stings?

Advertising

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s