The Myth of Data Localization in the Name of Privacy Protection

Today, companies, individuals, governments, and institutions can instantaneously transfer information from one end of the globe to the other. Indeed, data transfers underpin the global economy, drive communications and social interaction, and form the foundation of a seemingly limitless number of data-driven technologies and services we take for granted and depend on.

Unfortunately, regulators in both developed and developing countries are increasingly erecting virtual barriers around their physical borders, preventing the transfer of their citizens’ data outside of the country.

A primary objective these regulators often cite in adopting data localization measures is protecting citizens’ privacy. However, these measures usually cannot strengthen privacy and instead have adverse, unintended consequences.

Protecting privacy is an increasingly difficult task in a world where cross-border data transfers happen every moment of the day and where questions of jurisdictional reach are unsettled. This environment leaves national regulators with the daunting task of implementing national laws to protect the privacy of data that is often located beyond their borders, and which they themselves can’t readily access.

In addition, policymakers find themselves facing calls from their citizens to strengthen protections of their data, particularly as sensitive personal information becomes increasingly shared and stored online. Data localization policies have consequently gained traction across the world, for example in the European Union, Russia, China, and Indonesia.

While often well intentioned, data localization measures are shortsighted, difficult to implement, and hardly a foolproof way to address modern privacy concerns. A more effective approach is to adopt regulatory measures that directly respond to the specific problem of protecting privacy.

Since preventing any data whatsoever from leaving and entering a country is not desirable, proportionate, or possible, countries that enforce data localization measures out of privacy concerns are in fact usually seeking to prevent transfers to countries with privacy regimes that they deem to be inadequate.

Prohibiting data transfers based on geography by default requires an assessment of the ‘adequacy’ of the privacy protections of the countries to which the data is transferred. Given that international privacy regulations constantly evolve, determinations of adequate privacy protections that are tied to an evaluation of national regulations are inevitably fraught with risk.

Additionally, assessing a country’s privacy protections as “guaranteed” by law and treaty often presents an incomplete picture of the privacy ecosystem of that country. Such analyses are unlikely to take into account other idiosyncratic dimensions of privacy regimes, such as enforcement mechanisms and self-regulation. The process of determining adequacy for each jurisdiction that data is transferred to is therefore inefficient and inevitably arbitrary.

Bilateral data transfer mechanisms, like the recently approved EU-U.S. Privacy Shield, demonstrate that countries with differently structured privacy regimes can nonetheless ensure an adequately high level of protection for personal data that is exchanged across their borders. However, bilateral agreements are not a viable or scalable solution in a world in which data transfers play such a critical, multinational role.

A superior alternative is to explore mechanisms that are easier to implement, have greater potential for widespread adoption, and also offer a high level of privacy protection.

The Asia-Pacific Economic Cooperation (APEC) forum’s Cross-Border Privacy Rules (CBPRs) are one such example. International certification mechanisms like CBPRs allow cross-border data transfers between organizations that meet a basic standard of accountability. CBPRs supplement, but do not interfere with, the wide variety of domestic privacy regimes of the countries that adopt them. This interoperability allows for a high level of privacy protection across borders without excessive national implementation costs.

Such a multilateral approach serves to improve global privacy protections without unnecessarily hampering global digital trade and technology innovation, which should be the end goal in our increasingly connected world.

