Clifford Chance

In addition to new global privacy regimes, data localisation is fast emerging as another area of regulatory focus with further layers of legal requirements, causing headaches for businesses who are increasingly engaging in cross border data sharing as part of their participation in an increasingly globalised and interconnected world.

Introduction

The forced sale of the US branch of TikTok has been partially justified by a desire to keep data within US borders. WhatsApp's mobile payment app launch in India has been delayed for months due to a failure to comply with data localisation rules.

In the broader context of legitimising international transfers of data, the European Union Court of Justice recently invalidated the primary legal treaty for transfer of data between the US and the EU in the Schrems II case.

Whilst from a technical perspective data may be viewed as a virtual, intangible substance, the emerging legal reality is that, even beyond specific privacy legislation, where data is sourced can in and of itself materially limit businesses ability to share, utilise and monetise that data.

Data Localisation and Data Sovereignty: What's the Difference?

Although the terms are often used interchangeably, it is useful to understand how the terminology in this area can be differentiated.

Data localisation typically refers to the legal requirement for data to be stored or processed within specific national or regional borders. If a country has implemented strict data localisation laws, multi-national companies must establish local data storage facilities in respect of all data sourced from that country.

Data sovereignty is the concept that a country has control over personal data that was either created or collected in that country.  The origins of this concept are contained in the US Patriot Act which enabled US officials access to any information physically found within a server in the United States regardless of where the information had originated.

Following the case of Microsoft Corp v. United States in 2018, Congress passed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which in certain circumstances, has allowed US law enforcement agencies to access data stored by cloud providers even if held outside the US.

Unlike data localisation, data sovereignty doesn't dictate where data must be stored. Instead it determines who governs and who can access the data once it is created, stored, processed or collected within a certain region.

From a practical point of view, both of these concepts amount to digital barriers to cross-border data transfers.

Justifications and Challenges

There are considered to be two broad primary justifications for data localisation and sovereignty policies: (a) increased security; and (b) economic benefits.

Interestingly, data sovereignty has also been seen by indigenous peoples as an important form of self-governance. New Zealand has a Maori data sovereignty charter in place with Canada also advocating for similar. However, the typical focus of data localisation laws continues to be economically driven.

For one, data localisation laws may give better protection against malicious foreign businesses and governments by housing in the safe and known home country. However simply locating that data in a "safe" jurisdiction will not afford meaningful protection if appropriate technical and organisational measures are not implemented in parallel with respect to the systems holding the data or if the government in that "safe" jurisdiction is equally motivated to access the data. Data sovereignty laws may also give regulators a broader reach to access information that they consider relevant.

The economic argument for data localisation and sovereignty policies are similar to those made for trade restrictions generally. Data localisation laws are presented as a means of ringfencing the value in and profits derived from relevant data in the domestic market. This is increasingly relevant as data becomes gradually more commodified; the big data and data analytics market alone is estimated at USD 139 billion in 2020.

One particular business cost is that strict localisation will prevent businesses from taking advantage of cheaper storage solutions outside the particular country. For example this limits the ability to use "data sharding" which splits a piece of data will be split into smaller "shards" and stored across multiple systems in order to minimize costs and improve redundancy mechanisms.

More significantly, a patchwork of data localisation regimes can create complex compliance problems for global organisations with associated increased costs, particularly it may result in circumstances where organisations face conflicting legal regimes and requirements. 

Increased Regulatory Scrutiny

Data localisation and sovereignty laws are not new but the last year has seen a sharp rise in regulatory focus on the issue and increased discussion from legislators worldwide.

China, Indonesia, Nigeria, Russia, Vietnam and Brunei have all had strict data localisation laws for a number of years.