FREEDOM AND SAFETY
The current COVID-19 crisis demonstrates the importance of making informed decisions, but outdated data protection regulations and added data residency laws threaten to impede companies’ ability to do business and, consequently, promote economic security and growth in this new world. Data residency laws can have wide impacts on a range of issues, including personal privacy, national security and even commerce. Encouraging alternatives to these laws can be key to sidestepping their disadvantages to trade and innovation.
With data residency laws, governments require companies to store data on their national territory. Most commonly, data residency laws focus on personal data, but some jurisdictions also capture geolocation and other data. In other words, the laws cover data likely to be core to business needs.
Under data residency laws, companies must process data primarily on a territory; they can also transfer copies of the data abroad as long as they keep a local copy that is available to the local government for inspection. Data residency laws are designed to protect government interests.
Data protection and privacy laws restrict data transfers and do not usually require retention of data anywhere. According to data protection laws, companies do not have to retain any copies, but companies must not transfer data to another country except if they can assure adequate safeguards for the transferred data abroad; if companies can meet the requirements for an exception, they may transfer the data and are not required to keep a local copy of the data. (In fact, data protection laws would prefer no copies are kept anywhere.)
Data residency laws are a relatively new phenomenon and are sometimes also called "data sovereignty" or "data localization" laws. In the past, limited data residency requirements followed from laws written for the paper record era, whereby companies were compelled to ensure their records did not leave the respective country of origin so as to be accessible by, e.g., tax authorities. However, in a world where access to data is essential for the development of a local data economy and concerns emerge around data breaches and cybersecurity, countries are increasingly demonstrating an appetite to secure local access to data and restrict international transfers of data.
Data residency laws can have wide impacts on a range of issues, including personal privacy, national security and commerce.
Individual privacy protection is often cited by countries as a policy objective, but in reality privacy protections are neither intended nor advanced by data residency requirements. To the contrary: easier country level access to data impedes privacy interests. For instance, police, secret services and other government authorities can compel access to data more easily when documents and storage media containing the data reside on local territory and can be seized in a raid. In other words, data residency laws are anti-privacy laws.
Some countries are trying to ensure geolocation information is stored locally for national security considerations since having access to important information locally can make a difference in a conflict. But companies in countries with rigid data residency and access requirements will acquire less crucial information in times of emergency because they are not trusted by business partners and governments abroad.
Regulatory Control over Critical Businesses
If a government needs to take over a bank, energy company or critical infrastructure provider in an emergency situation (potentially in conflict with other countries or foreign companies), it can be important that all relevant data is locally stored and available without foreign cooperation. But, until such a take-over is necessary, any critical business will be handicapped by data residency requirements, as it will not be able to access cutting-edge cloud computing, machine learning, and other technologies developed and hosted abroad. Businesses restrained by data residency laws end up with higher costs, less efficient technologies, and a greater risk of having to be taken over in a crisis.
Some countries seem to believe that crucial information will be safer at home. But countries with isolated or outdated technology are less able to protect locally stored data against foreign military and criminal threats. Furthermore, an isolationist mentality around cybersecurity can undermine access to state-of-the-art, best-in-class international solutions.
Data residency laws fundamentally impact commerce, favoring local companies over foreign competitors. Local companies can comply with data residency requirements more easily than foreign competitors, because they naturally keep data at headquarters. Whilst in the immediate term this may appear to be advantageous for indigenous companies, in the long run, such protectionism tends to harm the protected companies by shielding them from much-needed global competition. Also, foreign countries will eventually reciprocate and foreign business may shy away from entering markets where data residency laws apply to avoid additional costs and taxation. Consequently, indigenous business may find it difficult to scale and succeed internationally. They will ultimately become a local liability. Mandating the use of local data centers or locally-made technology seems less helpful if local facilities end up not being globally competitive and slow down local progress.
Data residency laws could force multinationals to invest in local infrastructure and data centers. But the opposite, negative effect is more likely: many multinationals may prefer to operate without local government access to data and the related risks of corruption and compliance deficits associated with establishing local presences.
Most countries prefer open systems with economic freedoms as the default. They implement narrowly framed record retention, secrecy and anti-treason laws sufficient to protect national security interests. But very few countries have enacted broad data residency laws so far and international treaties like the Trans Pacific Partnership Agreement (TPPA) expressly commit member countries to refrain from enacting data residency laws or local data center requirements. International cooperation between intelligence and police forces, for example via Multilateral Assistance treaties, Executive Agreements under the U.S. Cloud Act, Interpol and regional cooperation arrangements, renders data residency less relevant, too.
"Countries should refrain from enacting data residency laws, given the overriding disadvantages for local consumers, industries, technological development and job markets."
—Lothar Determann, Partner, Baker McKenzie
Most personal data that companies collect is not crucial for national security purposes and not accessed by governments out of respect for individual privacy and freedoms. Therefore, it is not necessary or proportionate to mandate that companies must store all personal data locally. Moreover, for purposes of securing government access to data, it would be sufficient to require companies to guarantee remote access to data (wherever it is stored) or keep local back-up copies, which companies could create on a daily or weekly basis at much reduced cost compared to duplicating primary systems locally.
Still, given the impact that data residency laws can have, encouraging alternatives can be key. To support local information technology industries and favor direct foreign investment, countries can do the following: offer robust data protection laws, narrowly tailored to prevent concrete harms to individual privacy (as opposed to omnibus regulation of data processing); prioritize cybersecurity; develop accountability and trust with other countries; limit government access to privately-held data; invest in high-speed connectivity; facilitate technical standards; keep bureaucracy at bay; and keep innovation at the forefront of policymaking.
Countries should refrain from enacting data residency laws, given the overriding disadvantages for local consumers, industries, technological development and job markets. International treaties should prohibit national laws that broadly require organizations to store or process data on a particular territory. Narrow exceptions could be allowed for compelling national security interests, limited to requirements of back-up copies of specific types of records or information, but not of all personal data and not for primary information technology systems to be kept locally.
The Roadmap for Cross-Border Data Flows whitepaper offers progressive solutions which empower governments to adopt policies that allow companies to participate in a globally-facing data economy whilst addressing governments’ most pressing concerns of security, fairness and sovereign interest. By implementing mechanisms to build trust, the need for data residency laws is greatly reduced and the benefits of the data economy can be more fully realised.
In the end, countries have a choice to either participate in an open international system which can offer more progressive solutions that address their concerns, or they can retreat and stymie the progress of their local data economies.
Lothar Determann, Partner, Baker McKenzie and Adjunct Professor, Free University Berlin; University of California, Hastings College of the Law; Lecturer, Berkeley School of Law