Data localization, or data residency, is the concept of storing certain data collected on a nation’s citizens within the country of origin at all times. It gained steam after whistleblower Edward Snowden revealed the scope of government mass surveillance in 2013[1]. Governments worldwide enacted data localization legislation to protect state secrets and their citizens’ personal information from the watchful eyes of perceived competitors.
Governments expected and hoped these regulations would bring a host of benefits, including domestic IT job growth, more-hardened national cybersecurity, and increased data privacy. The truth is a bit murky, however, as the desired advantages haven’t materialized.
Countries and regions with data localization laws
First, let’s look into some examples of countries with data residency laws on the books. It is not a comprehensive list but illustrates how many nations are concerned about their data security.
The European Union
The EU’s sweeping data privacy law, the GDPR, sets many expectations for handling sensitive information, such as:
- Profile data
- Employment data
- Financial data
- Medical and health information
- Payment data
The GDPR specifies that the above data types stay secured within the EU. If any transfers are required out of the European Union, the countries receiving the information must have similar privacy regulations.
China
Unsurprisingly, China wants to keep a tight grip on its data. Basically, domestic network operators must store all data within China. They can transfer info across borders, but anything deemed “important” by the government must undergo a security clearance beforehand. What the CCP considers important is fairly broad. It includes:
- Anything related to national security
- Information that could identify Chinese citizens
As the country embraces Big Data collection on its citizens[2], you can expect the CCP to strengthen these laws.
Russia
The Russian Federation requires any personal identifying information about its citizens to be stored locally. This could mean:
- Profile data
- Financial information
- Medical and health records
Interestingly, as long as companies initially stored the data in a Russian database, they can send it out of the country for further processing.
Their regulations don’t only apply to domestic organizations. Anyone doing business in the country is subject to the law, so multinational corporations there must have Russia-specific data centers.
These three regions alone account for over a quarter of the world’s population, and there are many more countries with data localization laws. So, it’s pretty widespread. But what’s the United States’ opinion on the matter?
The United States viewpoint
The United States’ general belief is that data residency laws unduly stifle commerce and don’t offer the expected benefits. Analysts estimate half of the services trade depends on cross-border data flows[3]. With the United States being a service-dominant economy, it makes sense the government would oppose such regulation.
And oppose it, they have! In fact, it has been a point of contention in nearly all of its recent trade deal negotiations, though the EU and Korea have pushed back on outright bans. The USMCA, the North American trade agreement replacing NAFTA, formally prohibits the practice as a condition of doing business[4]. There are similar provisions in the U.S.-Japan Digital Trade Agreement[5] and the U.S.-Kenya Trade Agreement of 2020[6].
So, what are the downsides of data localization that countries like the United States want to avoid?
Technical issues
There is a multitude of technical headaches accompanying data localization. For instance, what if tech personnel in other countries access it regularly for debugging or maintenance purposes? Or, a company uses foreign backup databases for redundancy?
It’s challenging to build separate data centers in all applicable territories, even for large companies with sizable revenues. That makes it downright impossible for even the pluckiest startup to consider. But that should open up markets for smaller, domestic companies, right?
Lack of domestic stimulus
Unfortunately, significant job growth does not occur due to data localization. There are short-term construction jobs available if the data center requires a new building. After that, however, jobs are scarce. This is because the modern data center is mostly automated. The CBRE’s Data Center Solutions Group estimates that the average data center results in between 5-30 permanent, full-time positions[7]. Given the investment required for implementing data residency, it hardly seems worth it based on employment opportunities.
Privacy and security
Well, it has to be more secure and offer more data protection, though! That’s the biggest piece of the benefit pie. Not so fast.
In reality, the exact opposite appears to be true. Regarding privacy, you’d hope that housing data in the country of origin would benefit the citizens. But think back to some of the countries passing data localization laws. Is a full data set of personal information housed in a single jurisdiction good for the people in China? Or Russia? Very debatable. These nations are already surveillance states. Any data housed within their borders is at the control of their totalitarian governments.
Cybersecurity is another issue where expectations don’t match up with the real-world. Consider that these implementations aren’t in a vacuum and that they’ll inevitably cost a significant amount of money. That’s money the company will need to divert from other areas of the business. Cybersecurity could be one of those areas.
Additionally, data residency results in server centralization. This provides a larger attack surface for malicious agents and could ultimately mean more data breaches, not less.
So, paradoxically, data localization could make it easier for state-sponsored threat actors to carry out successful attacks. Combined with the economic inefficiencies, privacy concerns, and technical problems, it becomes plain to see that decentralization is a better path forward. Companies can employ other, less-expensive methods such as end-to-end encryption to protect sensitive information.
The AXEL Network
The AXEL Network is a decentralized, distributed system of servers backed by blockchain technology and the InterPlanetary File System. It gives users a secure, private way to share and store files on the internet. With server nodes located throughout the world, the AXEL Network offers both resiliency and performance. AXEL Go a the next-generation file-sharing platform using the AXEL Network. It combines all of the advantages listed above with optional AES 256-bit encryption to provide exceptional privacy and security. Download it today for Windows, Mac, Android, or iOS and receive a free 14-day trial of our unrestricted Premium service. Enjoy the power of a decentralized, distributed network.
[1] Jonah Force Hill, “The Growth of Data Localization Post-Snowden: Analysis and Recommendations for U.S. Policymakers and Business Leaders”, ResearchGate, Jan. 2014, https://www.researchgate.net/publication/272306764_The_Growth_of_Data_Localization_Post-Snowden_Analysis_and_Recommendations_for_US_Policymakers_and_Business_Leaders#:~:text=Abstract,geographies%2C%20jurisdictions%2C%20and%20companies.
[2] Grady McGregor, “The world’s largest surveillance system is growing- and so is the backlash”, Fortune, Nov. 3, 2020, https://fortune.com/2020/11/03/china-surveillance-system-backlash-worlds-largest/
[3] United States International Trade Commission, “Global Digital Trade 1: Market Opportunities and Key Foreign Trade Restrictions”, usitc.gov, Aug. 2017, https://www.usitc.gov/publications/332/pub4716_0.pdf
[4] Agam Shah, Jared Council, “USMCA Formalizes Free Flow of Data, Other Tech Issues”, The Wall Street Journal, Jan. 29, 2020, https://www.wsj.com/articles/cios-businesses-to-benefit-from-new-trade-deal-11580340128
[5] “FACT SHEET ON U.S.-Japan Digital Trade Agreement”, Office of the United States Trade Representative, Oct. 2019, https://ustr.gov/about-us/policy-offices/press-office/fact-sheets/2019/october/fact-sheet-us-japan-digital-trade-agreement
[6] ITI, “ITI: U.S.-Kenya Trade Agreement Can Set New Global Benchmark for Digital Trade”, itic.org, Apr. 28, 2020, https://www.itic.org/news-events/news-releases/iti-u-s-kenya-trade-agreement-can-set-new-global-benchmark-for-digital-trade
[7] John Lenio, “The Mystery Impact of Data Centers on Local Economies Revealed”, areadevelopment.com, 2015, https://www.areadevelopment.com/data-centers/Data-Centers-Q1-2015/impact-of-data-center-development-locally-2262766.shtml