Since the beginning of the commercial Internet, the idea that information and access would be free to any and all has been a core principle driving growth. This ethos has allowed companies to create efficiencies in distribution and reach. The Internet was a channel that extended, well, pretty much everywhere.
But in recent years, countries have begun layering their physical borders over the Internet, taking particular aim at data stored or consumed within their boundaries. Many countries now demand that companies store data locally if it is to be used locally. These efforts are driven primarily by concerns around data privacy, national security, and local economic competitiveness, as well as by the aim of ensuring law enforcement has access to data. Keeping data within the country gives governments more control — but it’s also an impediment to commerce and business growth.
Data localization is at odds with many companies’ full embrace of the cloud, which distributes data among servers located around the world for efficiencies of cost and performance. But as efforts to curb cross-border data flows continue, the cloud becomes a liability. Some say localizing data will help drive competition, limiting big tech and other global businesses’ unfettered access to any market they want. Others say it will impact global trade. The issue has reached the highest levels of governments around the world, and has become a flashpoint in trade negotiations and geopolitical diplomacy.
“If we don’t build our own champions in all areas — digital, artificial intelligence,” France’s prime minister Emmanuel Macron said during France’s Digitale Day in 2019, “our choices will be dictated by others.”
Politics aside, storing data locally is technically challenging, with real-world outcomes. Localization degrades speed, and even the slightest delay in loading a web page can mean lost business. A 2016 study by Google found that 40 percent of smartphone users abandoned a page after three seconds, and a 2020 study by Deloitte reported consumers spent up to 10 percent more money on a site when its pages loaded even 0.1 second faster than other sites.
From a macro perspective, limiting data flows can slow the expansion of international trade. McKinsey estimated that e-commerce accounted for 12% of international trade in 2016 and raised the global GDP by USD 2.8 trillion. A 2018 OECD report said that “digitalization is linked with greater trade openness, selling more products to more markets and in less concentrated baskets.”
The costs of data localization
Unwinding existing data storage strategies to comply with data localization requirements is a costly and extraordinarily complex prospect. Companies spend on average USD 1.2 million per year on cloud storage, and the Leviathan Group says localizing across the world will increase this by at least 30-60%.
But it’s not just a company’s own data and servers that must be addressed. Most global enterprises work with thousands of vendors, any of which puts a company at risk if it fails to comply with local data regulations. What’s more, as the nature of the cloud is to break up data and store it in myriad places around the world, companies may not even know where their data is stored and may inadvertently break the laws of some of the countries where they do business. Facebook and Twitter have been fined in Russia for violating data localization requirements, though the penalties were relatively low at roughly USD 50,000.
After years of companies investing in a strategy that distributes data globally, and business expansions predicated on the free flow of information, companies must now reverse course and invest in a strategy — or, more accurately, strategies — that require a tailored approach to each set of laws and regulations. Setting a data localization strategy starts with an understanding of the landscape of rules, and the solutions emerging to help companies navigate this balkanized digital world.
Australia, for example, is focused on health data; Bulgaria is concerned with gambling data; India requires government contractors to localize data; Russia says that any collection and storage of personal data must take place within its borders; and Turkey has data localization rules for social media firms.
China, naturally, has a broader and more detailed set of data localization rules, including storing all personally identifiable information within its borders; excluding foreign tech firms (including cloud services); and “security checks” for companies sending data outside of China (such as e-commerce data). Even so, many of the definitions, such as the “network operators” to whom these rules apply, leave room for ambiguity, making it even harder to navigate compliance.
The upshot is a patchwork of regulations motivated by different concerns.
Going local while staying global
Ultimately, companies will have to maintain very robust data flow maps to keep track of where data is hosted and ensure it only flows to places where it is legal, and in a compliant format. What’s more, every time a vendor or application flow changes, that information will need to be entered into the data maps, with further adjustments made to stay in line with the laws. It’s a headache in the making, and a severe tax on innovation and agility.
“We will have a never ending task of documenting or logging and setting the requisite controls unless or until regulators can agree to more code- or certification-based controls and data transfer protocols across the globe,” says Susan Shook, general counsel and global privacy officer at P&G.
Cloud providers have the issue on their radar and are rolling out solutions that aim to help companies with localization. The 800-pound gorilla in cloud computing, Amazon Web Services, offers AWS Outposts, which puts a cloud server inside a country’s borders, with compliant transfer of data to servers elsewhere. And Cloudflare is localizing data by giving companies control over where their data is stored.
Microsoft, which boasts about 20% of the cloud market, has been particularly responsive to shifts in the data landscape. Last year, the EU’s Court of Justice struck down as “invalid” the Privacy Shield, an agreement between the US and EU to protect transatlantic data transfers and keep them compliant with the EU’s data rules. The reversal came as a shock and concern for businesses that straddled the continents. Microsoft quickly responded, providing assurance for its customers on the day of the ruling, noting that Standard Contractual Clauses, an agreement governing data transfers, kept their data compliant.
But the best hope for data localization is, as Shook notes, more uniform controls and standards around the world. In the meantime, global business will continue to be global business, and unless companies plan to roll back their markets, they will have to find ways to stay compliant in this newly balkanized landscape.