Back in the 1990s, people thought the internet would abolish borders. “Cyberspace does not lie within your [governments’] borders,” wrote author and internet activist John Perry Barlow in 1996.
The idea of a borderless network has held on. “One of the great things about the internet is that it does not have national borders. When a company in Tokyo sends a digital file to a company in New York, the data does not have to clear customs,” wrote the New York Times in a 2015 op-ed.
While that may hold for Japan and the US, files going from Beijing to Brussels now often do have to pass digital customs inspections.
China’s model of data localization, and the associated 2017 Cybersecurity Law, have been the subject of criticism and confusion. But now it seems that Beijing was on the cutting edge of a trend.
Bottom line: China is continuing to develop a system that limits where companies keep data, and what they can send abroad. Many multinational companies—and Washington—don’t like it, but they’d better get used to it: this idea is catching on around the world.
What is data localization? Data localization regulations require that data be stored and processed on computers in a particular place, usually within a country’s borders, as opposed to letting it flow freely through data centers around the world.
- This might not mean all data and always. Laws often specify particular types of data that must be kept domestically, and leave room for regulators to grant exceptions.
- Security: Data localization schemes often cite “security” or “privacy.” But experts say that localizing data alone doesn’t mean enhanced security or privacy. Whitehat hackers contacted by TechNode said that domestic adoption of security and privacy best practices is a bigger issue.
- Jurisdiction: Data localization does help governments regulate data, and proponents often cite the risk that companies will move data to less-regulated environments.
- Protectionism: Data is a valuable resource—so countries hope keeping it in country will give homegrown tech companies a competitive edge.
Regional styles: There are three main approaches to regulating cross-border data flows, said Nigel Cory, who studies cross-border data flows as Associate Director of Trade Policy at the Information Technology and Innovation Foundation, a think tank based in Washington DC.
- The US has little to no regulation on data flows. It also advocates against data localization in other countries.
- The EU regulates cross-border flows based on privacy and security assessments.
- Chinese law treats data both as a valuable resource and a national security priority. The Chinese model asks: “What does data localization give the government from an economic perspective, but also a social and political perspective?” Cory said.
- Legal models vary widely around the world, from bans on cross-border flows of locally harvested data (Russia) to requiring domestic storage of backups (Indonesia).
China’s approach: The landmark 2017 cybersecurity law set the scene for data localization in China, but elements of data localization date back to 2006, Cory said.
- Under the 2017 law, “critical information infrastructure” providers, such as telecoms, utilities, energy, e-government, and finance, must get permission from public security officials before transferring data overseas.
- Information on the military, finance, energy, transportation infrastructure, and medical services is among what the law deems “critical.”
- Personal data related to over 500,000 people must also be stored within China.
Slow roll-out: Details on how the law will be implemented in different sectors are still being hammered out in accompanying laws and regulations.
- The key term “critical information infrastructure” is not clearly defined in the law.
- In the absence of clear guidance, many multinationals assume their data will be included.
- Figuring out the details takes time: in 2018, University of Hong Kong and McGill law researchers found that cross-border transfers of genomic data were subject to ten different regulations and guidelines, enacted from 1998 to 2017. Another one has been rolled out since.
Opening up: China is experimenting with relaxed localization rules in new free trade zones, said Xiaomeng Lu, an internet policy analyst at political risk consultancy Eurasia Group.
- “There’s always internal debate about how to regulate new technology. When the internet first came about there was discussion about ‘how do we maintain party control of the country whilst also leveraging this for GDP growth?’,” Lu said. Now, the government is trying to strike a similar balance with data.
- The plan (in Chinese) for an FTZ in Hainan, revealed in January, talks about making outbound flows of personal data “more convenient.”
- A Shanghai FTZ plan released in April spoke of experimenting with cross-border data flows and governance—including a mention of providing access to the “international internet.”
- One of the reasons why the central government is letting such experiments run is the digital yuan, Lu said.
Assessing the impact
Additional costs: Data localization costs international companies money. They have to build several local data centers to ensure data is backed up, Lu told TechNode. These costs are adding up as more countries adopt data localization schemes, meaning ever more local data centers.
AI headaches: Compliance becomes more complicated for global firms who use AI-empowered analytics in their products.
- A financial firm, for example, that uses AI to detect and block suspicious transactions relies on the fact that data from different countries can be combined. If the bank card of a Shanghai resident is used in Nairobi, a system that looks over data globally will trigger some sort of alert.
- There are ways to get around this problem: “firms may be able to find some imperfect work-arounds in terms of replicating the analytics services locally and indirectly feeding non-specific data through to their global analytics platform,” Cory said.
- But these solutions are “hugely complicated and costly.” For some firms localization workarounds are the “biggest cost in terms of how they manage their architecture,” he said.
Competitive advantage: Chinese companies are more comfortable with data localization abroad, seeing their experience with it at home as an advantage.
- “Chinese companies take the cost and complexity of setting up an ex-China infrastructure as the cost of doing business,” sometimes even viewing it as a competitive advantage in other countries that also enact data localization, given the reluctance of some foreign firms to do the same, Cory said.
Local champions: Data localization requirements have helped China’s domestic data center industry flourish, as large multinationals work with local firms in joint ventures to run data centers in China.
- In the cloud space, AWS has partnered with two companies in Beijing and Ningxia. Chinese users of Apple iCloud will find their data stored on a Guizhou company’s servers. Microsoft Azure cloud services are hosted in Beijing-based 21Vianet’s data centers.
The opposition: In China, lobbying against data localization is a top priority for multinationals, Lu said.
- “Security and privacy often are cited as justification for data localization but, as we’ve seen time and again, hackers and cyber criminals are not limited by lines on a map,” a spokesperson for IBM told TechNode, adding that “forced data localization does nothing to make data more secure.”
- US big tech has lobbied hard against data localization. Google’s Sundar Pichai sent a letter to the Indian ministry of IT while India’s cybersecurity bill was undergoing public consultation. Facebook joined Google’s anti-data localization push in Vietnam. Mastercard and Visa convinced Indonesia to water down data localization requirements.
- When China’s Cybersecurity Law was announced in 2016, the EU Chamber of Commerce in China cautioned that it could “hinder foreign investment and businesses operating in and with China.”
More than data: There is no evidence that big multinationals have pulled out of China due to increased cloud costs. But data localization has other consequences that could make doing business in China less appealing.
- When Apple moved its Chinese user data to Guizhou, it was criticized for also moving the encryption keys that unlock it.
- “Storing data locally might also mean storing or using locally mandated encryption keys, which undermines their global cybersecurity architecture. This potentially exposes communication on their platform and undermines their global products,” Cory said.
- This was not enough for the California giant to abandon one of its biggest markets, but other companies might not be willing to expose their encryption keys and security architecture to Chinese authorities, one expert said.
Loco for localization: China is not alone in pursuing data localization. Regulations started popping up around the world before China’s 2017 cybersecurity law, and the trend has accelerated since.
- A 2018 study endorsed by the Center for Economic Policy Research, a European think tank, found that between 2006 and 2017, restrictions on cross-border data flows doubled around the globe.
- India first implemented data localization requirements in 2014. Regulators proposed new data localization laws in a 2019 personal data protection bill, but revised it to only pertain to “critical” personal data. Financial, biometric, genetic, and religious data can be transferred overseas for processing under the revised law.
- Indonesia and Rwanda enacted localization laws in 2012, Nigeria in 2013, and Russia in 2015.
- The European Union’s General Data Protection Regulation, enacted in 2016, regulates cross-border data transfers on privacy and security grounds.
- In June, the European Court of Justice ordered restrictions on data flows to the US, saying that US privacy protections are “inadequate.”
Washington: More than Silicon Valley’s tech giants, Washington has lobbied hard against data localization around the world, with some results.
- The free trade agreement between the US, Mexico, and Canada prohibits parties from restricting cross-border data flows with each other.
- Similar requirements are part of the US’s free trade deal with Japan.
- The 2016 Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), a free trade agreement between 11 Asia-Pacific nations, also known as TPP-11, also talks of maintaining free data flows. Donald Trump pulled the US out of the agreement as soon as he came into office.
But TikTok! But when it comes to China, even the US is starting to talk about data localization. When Washington moved to ban two Chinese apps—TikTok and WeChat—from US phones, it cited the risk of sensitive personal data being sent to China. American authorities appeared ready to accept a deal that would see TikTok’s US user data kept on local servers run by Oracle.
A future of data corridors? The rest of the world doesn’t need signaling or support from the two superpowers to set its own course when it comes to data localization. While China, India, Russia, and others are pursuing data localization within one country’s borders, new free trade agreements are creating free data flow bubbles between trading partners.
CPTPP signatories have moved to liberalize data flows among themselves. A January agreement between Singapore, New Zealand, and Chile enshrined free data flows between the three countries.
As data becomes a regular part of trade talks, bubbles like these, rather than a global network, could be the future.