Data Localization Requirements: What They Are and Why They Matter

Many US companies need to move data across borders, and it’s not just the ones you think. In addition to social media and tech firms, traditional companies like payment processors, logistics companies, and physical manufacturers also provide digital services across countries.

This makes them subject to data localization requirements, one of the key emerging issues in trade and trade agreements. Getting these requirements right will position countries to benefit from the increasingly vital benefits of the digital economy. Get them wrong, and countries will be shut out of this growth.

In the case of data localization, the rules of the road are being written as we're driving on it. Thankfully our panel had some ideas to keep us on the right path, with the US keeping to a principled approach that favors openness while safeguarding security and privacy.

Guests:

• Christine McDaniel, a Mercatus scholar specializing in trade issues.
• Joshua Meltzer, senior fellow at the Brookings Institution 
• Brian Larkin, the Internet Association's Director for Cloud Policy

Download this episode and subscribe to the Mercatus Policy Download on iTunes or wherever you listen to your favorite podcasts.

Looking to connect with a scholar you heard on the Download? Email Kate De Lanoy of our Media team at [email protected].

Note: While transcripts are lightly edited, they are not rigorously proofed for accuracy. If you notice an error, please reach out to [email protected].

REESE: Welcome to the Mercatus Center Policy Download. I'm your host, Chad Reese. International trade has been in the news a lot lately, particularly given the proposed introduction of new tariffs on steel and aluminum imports.

Today's topic has less to do with physical goods being shipped between countries. We're talking about data localization requirements as an emerging digital trade issue.

We have a great panel here to explain exactly what data localization requirements are, why they matter, and how policymakers should approach the issue.

First up, we're joined by Christine McDaniel, scholar here at Mercatus and an economist specializing in trade issues. Thank you for joining us, Christine.

MCDANIEL: Thank you.

REESE: Next we have Joshua Meltzer, senior fellow at the Brookings Institution where he co‑leads the Digital Economy and Trade Project. Josh, thanks for coming all the way out to Arlington.

MELTZER: A pleasure to be here.

REESE: Rounding out the cast, we have Brian Larkin, the Internet Association's Director for Cloud Policy and Philadelphia native. Though as I promised him earlier, I'll try not to hold that against him. Thanks for being here, Brian.

LARKIN: Thank you for having me. Go Eagles.

[laughter]

REESE: I want to start by making sure we're all in the same page, our listeners are on the same page. I mentioned that it was an emerging issue. Can someone explain to me what data localization requirements are?

MELTZER: It's probably worth clarifying that there are a variety of data localization requirements. This is often a catchall phrase for various types of measures that countries are implementing globally.

On the one extreme it can be a requirement that all data is being held in‑country and it's not allowed to flow across borders at all. Another form of data localization is when you might require to have a copy in‑country, but you can still move other data offshore.

A very common form of data localization is when lots of requirements are placed around the ability to move data across borders. A very common example there is, for example, in the European context when it comes to personal data.

For instance, you're not allowed to move personal data outside of the EU to a third country, either in the absence of a finding of adequacy ‑‑ namely, that the third country has got privacy protection, which the commission deems to be essentially equivalent to the EU privacy standards ‑‑ or under various other mechanisms, but essentially requires steps to be followed in order for data to flow.

You get a host of these requirements that in their totality limit and are frictions on the ability for the free flow of data across borders.

LARKIN: There's a very strong trade connections to this. There's a whole host of exporters from the United States and elsewhere that rely on the ability to move data to provide services across the world.

That includes some companies you might think about, like social media firms, but it also includes payment processors, logistics companies, physical manufacturers who are embedding digital services within their goods.

There's such a strong impact that the USITC has estimated that if we were to be able to eliminate digital trade restrictions like data localization barriers, it would increase US GDP by as much as $41 billion.

MCDANIEL: In the past, we've all taken this view of the Internet, so this borderless notion of the Internet. Now, a lot of countries and a lot of people are starting to worry about privacy and security. These are real, legitimate personal privacy issues.

Then there are countries that are trying to find ways to fuel innovation or attract foreign direct investment and so trying to use these data localization requirements to do that. Sometimes, it works and sometimes, it has unintended consequences.

Is it a natural progression of trade policy issues now as data has become so valuable that your countries see data as something that they should really try to keep inside their borders or control the flow of? Or is it just a natural progression of, "Yesterday, it was goods and today, it's data,"? So all the same kind of real economic issues, but now just applied to what's out there in the Cloud.

LARKIN: You hit on a really important point, which is that governments pursue data localization policies for a very wide variety of reasons. Sometimes, it's to control flows of information within their markets. Sometimes, it is for protectionist reasons.

Other times it's because they perceive a legitimate public policy interest or are hearing from domestic stakeholders about the kind of need for data localization, which is, basically, in my view, always flawed policy. Essentially, there are a wide variety of reasons.

MCDANIEL: What do you think, Josh?

MELTZER: No, I think that's right. Both of you pick up on the right points in that we, at some level, have been working under a fairly free flow of information environment. Increasingly we're seeing the intervention by governments for a whole variety of reasons into the free flow of data.

In a sense it's somewhat the reverse of a traditional trade situation where you're trying to actually dismantle barriers. Here we're trying to prevent too many of them going up.

There is the difficult question of sometimes these barriers are going to be driven by what seem to be legitimate policy concerns, for instance, around privacy or maybe around national security. Other times it's going to be for more obviously protectionist reasons.

The deeper question, Brian, which you also raised is this notion of [inaudible] policy, which is that there still is a very open question around, even if you have a legitimate policy purpose, are you actually achieving it most effectively by requiring data localization.

I think that there's a lot of work going on at the moment which suggests that, in fact, you are going to be better off, for instance, on economic or trade grounds, even on national security grounds, if you actually minimize, and in some cases do not pursue data localization, and instead pursue other policy alternatives.

LARKIN: That's absolutely right. One thing that's often lost in this debate is that when a government imposes a forced data localization mandate it quite often cuts off its entire domestic economy from the most innovative, cutting edge services out there that help improve productivity and drive benefits across the economy.

For example, I'm thinking of cloud computing services, which, as of 2014 one out of every five companies in OECD member countries employed. It's probably grown since then.

There was a study a few years ago that found that of all the countries that were considering or imposing data localization mandates, if those had gone through it would increase the cost for local companies to use services like that by 30 to 60 percent, if there are alternatives at all in the domestic market. There's a very broad ripple effect, in terms of damage to local economies here.

REESE: What does that look like for me as a consumer? Let's say that I do business with some company that, for whatever reason, it has to deal with data localization requirements. Do I see that, or does that all happen behind the scenes?

LARKIN: It can be very visible. Russia is a country that enacted a data localization policy in the last few years. I'll use the example of LinkedIn, which we all know is a service we use to find new jobs, to make professional connections. It's something that really adds value in all of our professional lives.

Overnight that was turned off in Russia. There were six million people who no longer had the ability to use that to do those things.

It's often seen as a behind the scenes issue, but it can have very real impacts for real people.

MELTZER: On the cost side of it, as well, a lot of what is going to be economically important here is also going to be on the business‑to‑business side. UNCTAD has done estimates most recently, and these are consistent with what's come out in the past, which shows that 80, 90 percent of the benefits of broadly the Internet and data flow's really on the business‑to‑business side.

To understand the costs, the opportunities, particularly, say, for instance, when you pick up cloud computing, which is a really important development here, and you increasingly see, as Brian was saying, the growth of cloud computing.

Most cross‑border data flows are going through cloud data centers now. The opportunities it presents, particularly for small businesses, to essentially get access to the type of computing power, whether it's in terms of software or infrastructure, is largely now similar to what large companies have.

This opportunity's almost a bit like what mobile telecommunication's revolution was for small businesses decades ago and continues to be.

One of the implications of data localizing, again, depending on what we're talking about and how it gets implemented, is that you essentially raise the cost of this very important business imports for businesses.

Large businesses will be able to absorb that or work around it, but for small businesses that are getting access to these crucial business imports the costs are potentially very significant. This is not just an IT sector issue any more. These are businesses across the economy who are accessing the digital imports.

Economies broadly are going digital. You have small manufacturers, the services industries, even agriculture, mining, and the like, are all using these technologies. The implications of these policies often direct a very specific policy goals, and often have very broad economic implications.

REESE: I was wrong from the start when I said this is less about actual goods moving across borders. This impacts the things we typically think of as traditional trade as well, it sounds like.

LARKIN: Absolutely. McKinsey did a study and found that about three‑quarters of the economic value added by data flows on the Internet accrues to traditional industries, not the typical tech startup situation.

MCDANIEL: I like to put this in an example that people on the street could get. I think of Sephora, this store of beauty products. They're all over the world. They keep a lot of information on their clientele all over the world.

They know your skin type. They know what you like to buy in every season, what you like to buy for people's gifts.

The question is, then, when Sephora has your information and then they want to do business in China, are they going to bring that information to China, or when they go to China, will the Chinese government force them to keep all of that information that they're going to gating on their new Chinese clients and customers to keep that in China?

I think it's helpful to think about our traditional stores, as well as the more cloud logistics service providers. To pick up on Josh's point of the policy objectives, I wanted to talk to you guys about this. We hear about policy objectives that countries have when they start to promote and pass these new laws.

China's cyber security regulations, India's national data sharing and accessibility policy. South Korea's land survey acts. The EU, Australia, Canada, even the US, we all have our own versions of rules and regulations around movement of data, storage of data.

MELTZER: I think what we sort of see in a lot of situations is that many of these policies are being driven by multiple objectives, and as what happens with regulation, they're sometimes special‑interest driven.

I think the importance and the newness of this issue is a challenge for regulators. I think particularly for regulators who are traditionally in areas where they don't have to think about the cross‑border nature of the regulation.

For instance, if you're in the consumer safety environment, or if you're in health, or if you're in education, the implications around the international aspects are often minimal.

Now, because the data issue is so economy wide, the way you regulate that can have an international implication. I don't think these are understood and well thought through on what the costs might be.

Another wrinkle to this which I think we need to recognize is that while this is an economy‑wide issue, a lot of these key digital services at the moment are being delivered by large US corporations.

That creates a political dynamic in third countries, which they are also grappling with, which is namely the idea that to improve the understanding that, yes, this is a US services export in many respects, but it's a crucial import that has economy‑wide benefits, rather than seeing it as simply providing better market access to a US company.

This gets played, then, off against, how do you build domestic digital industries themselves? We end up in forms of what look like protectionism when you say, for instance, require the building of data centers in a domestic country in the hope that you're going to stimulate a domestic cloud industry.

Where what you're probably going to do is decrease security and increase costs, and you're going to try to build something domestically at a broader economic cost, so there's a lot of these issues intertwined, which make it challenging.

A lot of the work, I think, underway at the moment now is trying to help regulators sort through and work through a lot of these implications.

LARKIN: I think that's spot on. This is an area that didn't necessarily exist 20 years ago, and in some parts of the world, hasn't existed until much more recently. Policy makers and regulators, I think, often find themselves reacting.

While the goal of wanting to have your own Silicon Valley is understandable, it's often a much more nuanced discussion in terms of these underlying issues and the impact on traditional industries, SME‑enablement, and things of that nature.

REESE: I want to circle back quickly, if we can, to one of those underlying issues. I think it's come up a couple of times, and that's the security and the privacy aspects.

I think a number of you have mentioned that. Does anybody want to give me the version of the argument that says ‑‑ which probably makes sense for a lot of people ‑‑ that this stuff is sensitive.

This is personal data. We need to be careful about where it is, both whether it's national security issues, or whether it's just taking care of your own country's consumer privacy.

MELTZER: Let me have a go at that quickly, because I think the broader regulatory challenge is as follows, which is that if you're trying to achieve a domestic regulatory goal, and we have large quantities of data could be seamlessly moved across borders, there's this notion that achievement of that [inaudible] regulatory goal can be undermined by that process.

The immediate incentive for regulators is to restrict cross‑border data flows, and that's basically, for instance, what we've seen in the privacy context, where it's understandable from an EU perspective, where they've got very stringent top down privacy laws, which are based around, essentially, these notions of it as a fundamental right, and it's written into the constitution.

The ability, then, to transfer that data to a third jurisdiction, which the EU deems has lower levels of privacy protection means that the initial response is you can't do that unless under certain conditions. I think this is the outcome which plays out across a whole range of regulatory agendas now.

On the other hand, the US has taken a very different approach to privacy. I think the argument in the US is that the privacy outcomes are just as good if not better than in the EU, but it essentially relies on businesses to publish privacy policies and comply with them with oversight from the FTC.

That provides a lot more flexibility for businesses to utilize data flows without having any stringent, one size fits all regulatory approach to how they manage data flows. To some extent, the US has obviously developed a very successful digital economy. In part, some of these regulatory structures are seen as being key to have enabled that.

The US does not have a privacy protection explicitly in the Constitution. The common laws develop that based on other constitutional principles. It's balancing against very strong right to free speech.

You just get a different path dependency in the US in terms of the way privacy gets dealt with and balanced off against other rights. You get to some very fundamental difference of normative questions around how different jurisdictions in countries weigh and balance these objectives.

LARKIN: That's right. I think the goal in terms of international privacy protection should be less about harmonization, less about saying everyone has to do things in exactly the same way, and more about interoperability, recognizing that outcomes are the important thing.

We may have different ways of achieving those goals based on our unique histories, our social and political values. If we're achieving that outcome of strong privacy protection, as we do in the United States, then that's positive.

This also hits on one of the bigger challenges related to both privacy, data flows, and the international digital economy more broadly, which is that we're still in a place where there's a fundamental lack of consensus among global powers on the ideal model forward.

You see some countries pursuing much more restrictive visions on privacy and other areas, other countries with a free market approach, but a whole slew of countries sort of in the middle. That's why it's important for the US and others to promote interoperability approaches and positive shared norms around things like e‑commerce and data flows, as they're trying to do.

MCDANIEL: That makes me think of the differences you point out, Brian. Different countries approach this differently. We're starting to see data localization requirements as a mainstay at least at the negotiating table in free trade agreement negotiations.

I wanted to hear what you guys had to say about, for example, the TPP language, CPTPP language, on data localization requirements and just in general. Is that a good idea? Should they be in trade agreements?

You look at the TPP, the CPTPP language, it's very general. It doesn't really commit countries to anything per se except the general principles. Is that far enough?

LARKIN: I do think they are important elements of trade agreements. Data flows have become foundational to all sorts of economic activity. Yet they're an area where there really aren't as clear‑cut, binding commitments as you would expect given that importance. I would say it's important.

As I understand it, the CPTPP language on data flows mirrors the language that the US had negotiated in TPP. That represented, up to that point, the most comprehensive, strong language on that issue.

In that context in particular, I thought it was extremely important because it bound together economies of very different sizes and levels of economic development in a strategically important region and put forward a really positive model at a time when, as I said, there are a number of countries pursuing visions that we wouldn't agree with and a number of countries looking to them.

I think the more we can put forward those alternative models and the more we get buy‑in from other developing countries on those model, as was the case with TPP and CPTPP-

MCDANIEL: Say it fast.

LARKIN: -the more positive it'll be.

MCDANIEL: On CPTPP, do you think that the language in CPTPP would be in alignment with China's cybersecurity laws? Josh, do you want to weigh in?

MELTZER: Before I answer that, here's the challenge because in many respects, the way the CPTPP...Let's just call it the TPP.

REESE: Which is Trans‑Pacific Partnership so we're all on the same page.

MELTZER: Now the CP being Comprehensive and Progressive which is highly problematic considering that they want the US to join.

[laughter]

MELTZER: The way the TPP's structured is essentially that there's a variety of comprehensive provisions. The one on cross‑border data flows is actually firm commitment to the free flow of data across borders but subject to exceptions.

On the cross‑border data flow, there's a very specific bid in the actual same article in the TPP which says essentially, for any legitimate public policy, you can place restrictions if they're necessary subject to making sure that they're non‑discriminatory and not a disguised restriction on international trade, in many respects reflecting the types of GATS chapeau language that we're familiar with in Article 14.

That's fine in terms of a setup. What is going to happen is that underlying those rules is how countries and regulators are thinking about this at the moment. The way they're thinking about this at the moment is that they've made a commitment to the free flow of data but they've got actually pretty substantial exceptions for restrictions.

Unless regulators see cross‑border data flows as something they should be as a matter of first principle allowing, then I would expect that you're going to see heavy reliance on the exceptions provision, more so than we normally see, say, in a GAT or a GATS context.

Really to make that bit of the provision helpful is you also need to build other countries' understanding about why it's actually important and beneficial for them.

The innovative part also to the TPP ‑‑ this is part of a paper that I'm coauthoring with [inaudible] , so I want to give him adequate credit here ‑‑ is the notion that the TPP also includes commitments on each party to do a couple of things.

One is actually to have in place privacy laws which apply essentially to other TPP parties as well and to also have consumer protection laws which also apply to all users of e‑commerce. Essentially there's a bit of a regulatory development and bargain embedded in the TPP which is that there are obligations on both the data exporters and the data importers.

The data exporters are committed to allowing that to happen with scope for exception. The data importers are also taking on a responsibility to actually have in place certain regulations around privacy and consumer protection which essentially will provide some regulatory certainty to the data exporters that they're not just going to lose out in terms of undermining their domestic regulatory goals.

I think beginning of a framework which is actually potentially exportable and globalizable, but what's got to happen in that context? What's missing in the TPP environment is a better sense of what those standards for consumer protection and privacy might be. That's where some of the other work going on, on those standards matters.

For instance, the TPP's amongst APEC economies. There's an APEC privacy framework and cross‑border privacy rules. We're just trying to set a common standard around privacy.

You marry that with the actual TPP commitments. You actually start building a structure which provides a common basis of privacy protection and commitments on both sides of the bargain to actually allow cross‑border data flows to move.

MCDANIEL: That would restrain countries' tendencies or abilities to lean too heavily on that exception clause.

MELTZER: Exactly. This sort minimizes the need for that to be an enormous carveout. It creates an alternative pathway for providing that, certainty for domestic regulators about what's going to happen to data once it leaves their country.

LARKIN: That APEC framework is a really important tool because it gets back to the interoperability issues I had mentioned earlier. It doesn't explicitly say, "You must do this one thing in this one way," but targets outcomes and thereby enables free flows of data within the APEC economies that have signed up to it while ensuring strong privacy protections.

REESE: The answer to this question I think has been embedded in this conversation. But as we draw to a close here, one of the things that I want to do is just get you guys to explicitly offer some recommendations for our listeners.

Imagine you were at a policymaker meeting. Could be a Congressional staffer, could be a regulatory staffer, someone's about to walk into a TPP negotiation meeting on data localization. They come to you. They say, "Brian, Josh, Christine, what do I do?" What's your response to them? What's your policy recommendation? What advice would you give them?

MELTZER: I assume you're from the perspective of a US negotiator.

[laughter]

REESE: That's actually a good point. We talked a lot about the fact that different countries had different outcomes here. We'll probably have a little bit of international audience. I'll let you all choose your audience here if you think there's another country of interest.

MELTZER: I think there's a couple of things here. One's in the weeds and one's a bigger picture one. The bigger picture one I want to pick up because we occasionally mentioned China.

We are seeing China potentially heading down a path in terms of the way it thinks about data, manages data, and provides access to data which is significantly different to really the way the US thinks about it and even the way the EU thinks about.

While there are certainly important divergences, say for instance, between the US and EU, particularly on the privacy issue, I think the divergences ultimately with China are much more significant.

In this context, commitments around data flows, avoiding forced data localizations, avoiding requiring giving up a source code as an investment requirement, all the type of stuff that's in the TPP is important not only for those very specific economic reasons but also, we are in a phase at the moment where building norms and globalizing them around how data should move and be managed is particularly important.

Getting the US into agreements which have these type of commitments is particularly significant because obviously the US will continue to be a leader on this. Where this has been developed, whether it's rejoining the TPP or in the NAFTA context or in other future trade agreements, this matters in terms of that meta picture.

The other element is of course, certainly I think from a US perspective but I think this is going to be increasingly true for really economies globally. Brian, you made the excellent point about the TPP's got developing countries and have all ultimately signed onto these provisions.

I think significantly they have continued to sign on to them even in the absence of the US which really pushed them initially which is that economies are all going digital. The opportunities are going to be there for developing developing countries.

It's important to think about this as an economy‑wide issue, as an enabling technology, and that, with the right parallel regulatory approaches in place in addition to commitments to these rules, potentially over the next 10, 15, 20 years, you could imagine much more inclusive international economic system. These will underpin that.

LARKIN: I would say that this area is one where truly the rules of the road are being written as we're driving on it. The most important thing policymakers can do is work with allies in international fora, through bilateral and multilateral agreements to really promote those norms of openness.

I think it's really encouraging that the United States and 69 other countries in the context of the WTO agreed to explore some sort of positive statement on e‑commerce.

We need to continue those sorts of engagements really at all levels to promote those norms and candidly to promote an alternative to the models being advanced by China and some other economies because there are a lot of countries still in the middle that haven't determined their approaches to this yet.

They're looking for models, to the United States, to China, to others. It's important that we're out there with a strong, cohesive vision that promotes those norms of openness.

MCDANIEL: Exactly. Just to pick up on what Brian and Josh said, I would tell them to focus on a principled approach, policy objectives.

Security, privacy, market access, competition, and the least trade‑distorting approach. Stick to our principles that we've had all along. It now is just a different topic. Sticking to the same principles, competition, least trade distortive, market access.

Then of course with security and privacy, every human is entitled to their privacy. Nations have security needs. What we're seeing right now in trade discussions using national security, under Section 232 with steel and aluminum tariffs, is that really national security argument?

You could think of China, India, many other countries using a national security argument to do the same thing and data localization, a number of other issues. I think a principled approach like countries have done for the last 80 years would be helpful here as well.

REESE: I think that should wrap us up for now. I want to thank our guests for helping unravel this issue and our listeners for tuning in. As I mentioned, this is an emerging issue, so let's give our listeners some ideas on where to go and what to read next. Josh, where can they go online to find more of your work on trade in the digital economy?

MELTZER: If you go to the Brookings website, we have a tab for experts. You look up my name, Joshua Meltzer. All my work is online there.

REESE: Great. Brian, where's the best place for folks to go for the Internet Association's latest on this and related issues?

LARKIN: I'd advise folks to check out internetassociation.org. We have a team page that has all of our emails listed. You can always feel free to reach out to me as well. I'm [email protected].

REESE: Christine, for our listeners who want to follow more of your research and commentary, where's the easiest place to find it?

MCDANIEL: The Mercatus website.

REESE: Sounds good. As always, I'm eager to hear to from you, our listeners. Please feel free to email me your questions, comments, and especially complaints or episode ideas at [email protected] or find me on Twitter @ChadMReese. Thank you all.

LARKIN: Thank you.

MCDANIEL: Thank you.