The Misconception of Data Localization in Privacy Protection

These days organizations, people, governments and institutions have quick and easy access to transfer information from one end of the world to the other. Truly, data transfers support and enhances the global economy, drives communications and social interaction and creates a foundation that allows seemingly limitless amounts of data-driven technologies and services that we now take for granted and rely upon in our daily lives.

Unfortunately, data regulators in developed and developing countries are increasing their efforts in creating virtual barriers that surround their physical borders in order to prevent the transfer of their citizens’ data outside of their country.

One of the key objectives that regulators often claim in adopting data localization measures is protecting their citizens’ privacy. But, these efforts do not usually lead to the strengthening of privacy and instead have adverse and intended consequences.

Protecting privacy has become a monumentally difficult task as we live in a world where cross-border data transfers occur every second of the day and where the jurisdictional reach is not clearly defined. This environment has left national data regulators with the challenging task of implementing national laws which protect the privacy of data that have crossed their borders and which they cannot themselves readily access.

Additionally, policymakers regularly receive calls and letters from their citizens to improve their data protection, in particular the sensitive personal information that is increasingly shared and stored online. As a result, data localization policies have been growing in popularity across the globe, in countries like Russia, China and Indonesia.

Although it is developed with good intentions, data localization measures are short-term, difficult to implement and are rarely foolproof methods to address modern privacy concerns. A better and more effective approach would be to adopt regulatory measures that directly address the specific problem of protecting privacy.

As preventing any data from leaving and entering a country is neither proportionate, desirable or possible, countries that implement data localization measures due to privacy concerns are in fact, looking to prevent data transfers to countries that they believe have inadequate privacy regimes.

Disallowing data transfers due to a country’s geography needs an assessment of the ‘adequacy’ of the data privacy protections implemented in the countries the data is transferred to. As we know, international privacy regulations are constantly evolving. Hence, claims made of adequate privacy protections are based on an evaluation of national regulations and are inevitably full of risk.

Moreover, assessing a country’s privacy protections as ‘guaranteed’ by law and treaty often results in an incomplete picture of the entire privacy ecosystem of that country. Analysis such as these is unconvincing as they do not consider other idiosyncratic dimensions of privacy regimes including enforcement mechanisms and self-regulation. The process of assessing adequacy for each jurisdiction that data is shared with is, as a result, inefficient and inevitably inconsistent.

Bilateral data transfer mechanisms indicate that countries with different structured privacy regimes can still ensure an adequately high level of protection for personal data that is sent and received across their borders. But, bilateral agreements are not a viable or scalable solution in a world where data has a huge, critical and multinational role.

A better option is to delve into mechanisms that are easier to implement and have a higher potential for widespread adoption and provides a high privacy protection level.

The Asia-Pacific Economic Cooperation (APEC) forum’s Cross Border Privacy Rules (CBPRs) are a great example. International certification mechanisms like these facilitate cross-border data transfers between companies that adhere to a basic standard of accountability.

CBPRs enhance, but not interfere, with a large variety of domestic privacy regimes of the countries that adopt them. This cross-border operability enables a high level of privacy protection across borders without exorbitant nationwide implementation costs.

A multilateral approach like this aims to improve data privacy protection globally without unnecessarily harming global digital trade and technology innovation — an aspect that should be the main goal in creating a truly connected world.