Global Data Localization Mandates - National Security and Privacy Rights vs. Big Tech Interests
The internet was conceptualized as an open distributed network without borders.
However, the reality has become far more complex as governments ponder their national interests and the value of internet infrastructure and data. Where data physically resides and is processed has become a highly political issue. The measures considered and/or implemented by governments regarding these matters are usually referred to as Data Localization Mandates (DLM).
One of the key questions is who owns and has control over the access to information (aka data)? Is it individuals, companies or governments? The answer usually depends on your philosophical and/or ideological perspective and there is a wide spectrum of differences in beliefs.
Much debate has ensued with respect to DLMs, specifically due to the often-opposing interests of Big Tech companies versus governments, individuals, and businesses. Some of the largest countries in the world have mandated the storage and/or processing of data within their borders. While there are a host of reasons why governments might mandate localization of data, one of the most important is to protect the country’s data from being colonized by large global technology firms, whose power and profits are derived from the use of data.
DLM policies can take a variety of forms, including, but not limited to, requiring that copies of data are stored locally, calling for local content production, or restricting cross-border data transfers. So, in stark contrast to the initial objective of the internet as an open distributed network, DLMs have the potential to fragment data and distribution based on differences in politics, culture, special interests and economics.
The Great Debate
There is a wide group of stakeholders in the DLM discussion. Those that are pro-DLM include governments, large domestic corporations, academics and civic activism organizations. The rationale put forward for DLMs typically involves issues associated with enabling innovation, improving cyber security, protecting privacy, enhancing national security, and safeguarding against foreign surveillance and interference.
At the July 2019 G-20 summit in Osaka, Japan, Brazil, Russia, India, China and South Africa took a strong stance on the sovereign right of nations to use data for improving citizen welfare.
Those opposed to DLMs include Big Tech (e.g. Apple, Facebook, Google and Microsoft), credit card network players (Visa, Mastercard, etc.), as well as governments, academics and civic activism organizations. Furthermore, Big Tech employs industry-wide lobbying efforts to help influence governments to moderate the effect of DLMs. The Trump administration is against DLMs and President Trump made a statement explicitly opposing data localization at the Osaka G-20 summit.
Those opposed to DLMs also argue that in a world increasingly underpinned and powered by AI, those looking to develop globally competitive AI systems will need access to data. The rules that governments put into place regarding such access will therefore influence AI competition.
Privacy legislation also plays a role: governments use it to restrict market access for foreign-controlled tech firms by requiring them to store their users’ data within the country, or to not collect it at all. Many governments in Asia, India and around Europe are highly suspicious of the global Big Tech firms and believe that they cannot be trusted to handle data on individuals without exploitation. If the Big Tech firms want to continue to have access to the data of global markets and the attendant competitiveness in AI, they are going to have to enact measures for transparent and independent privacy checks.
Some DLMs From Around the Globe
Various countries around the world have begun to implement DLMs. China and India have been particularly active in data localization issues given that their 2020 populations are over 1.44B and 1.35B respectively, making up approximately 36% of the world’s 7.8B population.
DLM models differ in strength. Some countries have extraordinarily strong restrictions on the flow of data outside their borders. For example, China and Russia have DLMs designed so that there is no ability for restricted data to flow out of the country. Compounding this in China’s case is the fact that the government also wants certain kinds of data to be stored on local servers. The law in China also explicitly states that the government has a right to demand that companies turn over data for unspecified national-security reasons. U.S., European, and Japanese policy makers and industry groups have lobbied Beijing to change these provisions, because they could mean steep costs for foreign companies that would be required to build local data centers to store and analyze all company data.
Other countries have strict DLMs, but they only apply to specific areas. For instance, tax records in New Zealand and sensitive and personal health data in Australia are protected. The final group of countries have a conditional localization mandate. Some Latin American countries, such as Argentina and Colombia, allow for the transfer of data only if the recipient country has an ‘adequate data protection framework’ in place.
The type of mandate also varies from country to country. In Russia, companies are required to maintain a mirror copy of their data in Russia. In Indonesia, data needs to be stored on a physical server located in the country. In countries such as Turkey and Venezuela, processing of payment data must be carried out within the country’s borders.
DLMs and the Global Data Protection Regulation (GDPR)
GDPR is a set of rules designed to give European Union (EU) citizens more control over their personal information. GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation in the world needs to comply with GDPR. Personal data can be moved outside the EU, but only if the jurisdiction in which the recipient is located provides an adequate level of data protection. However, outside the EU, multiple global data localization laws do exist, including laws in Canada, China, Australia, and Russia.
This means that multinational organizations operating in the EU and elsewhere may have to be simultaneously compliant with both GDPR and any data localization laws specific to the countries in which they do business.
DLMs and the California Consumer Protection Act
CCPA, which came into effect on 1 January 2020, introduces a range of new rights, obligations and enforcement measures to facilitate greater protection of consumers’ personal information. The CCPA isn’t just a state law; it will likely become the de facto national standard for the foreseeable future. Given the large population in California, it is likely that most businesses in the US will have to comply with the CCPA.
Businesses not only need to be aware of their privacy obligations under the likes of GDPR, CCPA and other legislation; they also need to understand how those regulations relate to DLMs.
Trying to Make Sense of it All
Balancing a country’s need for sovereignty, security and innovation against the desire by Big Tech, credit card companies and others who embrace the notion that the internet is an open and distributed system is not a simple matter. Privacy legislation adds to that complexity. This article has really just scratched the surface of the issue and certainly does not address the depth and detail associated with the DLMs in individual countries.
For those who own and operate data centers in various regions of the world, the implications are complicated. The question of where a company’s information is processed and stored in a hosted scenario is equally complex. Cushman & Wakefield’s Global Data Center Advisory Group has a distinguished reputation for handling critical environment projects for some of the world’s most discerning clients. We would be pleased to discuss your projects at any time.