By Arshiya Bhayana '22
With the advent of the internet and technology, where and how data is stored, and who has access to it, are growing concerns for citizens, companies, and governments. The way data is collected, stored, used, and transferred can have a massive impact on national security, industry growth, geopolitical relationships, and civil society. Stakeholders advocate that data should be secure and data storage and processing practices should give customers comfort and protection. This concern about ensuring access to data that is secure and is stored in a safe manner is motivating countries to implement data protection laws that aim to balance security and domestic control with economic innovation and globalization.
The most common and widely accepted definition of “data localization” is policies or mandates requiring certain data related to citizens or residents of a country—whether personal, health, business, or financial—to be physically stored on infrastructure within that country’s borders. Data localization mandates vary greatly from country to country, depending on the intent of the governing body adopting them. While several studies have analyzed the economic impact of restrictions on cross-border data flows, there has not been an in-depth analysis of the real national security implications of global data-flow restrictions.
The adoption of data localization laws has been increasing with the advent of technology and digitization, catalyzed by the fear that a nation’s sovereignty is threatened if it is unable to exert full control over data stored outside their borders. These laws are driven by concerns about foreign government interference and their objective is to curb foreign governments’ access rights to data stored outside of their jurisdiction. However, the fundamental principle of data localization risks the global interconnectedness that followed World War II. Democratic governments have argued both for and against such policies as policymakers seek to balance the business, human rights, and data privacy concerns of stakeholder communities. More authoritarian governments (and some democracies) officially cite security priorities such as counterterrorism and curtailing foreign influence as reasons to tighten control of their national digital infrastructure, ultimately enabling increased surveillance and censorship of their populations.
There are national security cases both for and against localizing data. The basic case made for data localization is that free flow of data to hostile or authoritarian regimes could threaten the national security of their geopolitical adversaries. This could be demonstrated by India and the US having legitimate concerns about Chinese-owned companies having access to their citizens’ data because of their strained political relations with China. Second, due to a lack of an agreed-upon definition of data localization-related national security concerns, some countries could argue for stronger data localization mandates. Scholars argue that there is no guarantee that data localization protects personal privacy any more than cross-border data-flows do, and in some cases, it also undermines privacy. Oftentimes, data localization practices can be used to target minority communities, activists, and journalists, all under the pretense of protecting their privacy. In this manner, control over data flows enables governments to assert control over citizens more than it addresses legitimate cybersecurity and other national security concerns.
Some cases against localizing data focus on three broad categories: (1) authoritarian threats to democracy; (2) limits on security actors’ collaboration and capabilities; (3) cybersecurity threats. The first concern is that data localization can be used as a tool of digital authoritarianism that threatens democracy and human rights. When citizens’ data is forced to be stored on local servers, governments have greater opportunities to use these data to gain greater control over the population, which strengthens the digital surveillance and censorship state. Second concern is that data localization can limit collaboration between military, law enforcement, intelligence, and other security actors by creating obstacles to accessing information across borders. It does so by creating an environment where actors can conduct information operations via social media and also conduct illicit financial activities which are not subject to localization mandates of targeted countries, and hence not subject to investigation and prosecution by those countries. Lastly, scholars argue that data localization mandates introduce risk and complexity to companies’ cybersecurity operations by increasing the number and locations of data centers, which is not only a financial drain but also increases the country’s digital footprint. In addition to the added costs of running data centers, entities must have reliable infrastructure to support their operations. Lastly, the increased digital footprint creates new avenues of attack—both through hardware and software entryways into data systems and the number of workers who are vulnerable to phishing or other targeted methods of exploitation.
It is because of these reasons that data localization policies are now said to cause more harm than good. They are seen as ineffective in improving security, increasing regulatory complexity, and causing economic harms to the markets where they are imposed. The way forward could involve determining specific instances where it might be appropriate to control or limit cross-border data flows—especially on issues of real national security—and how to navigate the accompanying commercial concerns. There also needs to be a commonly agreed-upon definition of data localization practices so stronger mandates are not adopted under the false pretense of securing citizens’ privacy or national security. A common understanding of what data protection practices could be adopted to provide a safe and secure digital environment is critical so that various countries adopt a consistent approach to improve national security without infringing on privacy or causing economic harm.
