Data flowing local stops business going global
Data localisation requirements (DLRs) are on the up according to new data from the OECD. While there may be good reasons for imposing DLRs in certain circumstances, they constitute a barrier to trade and impact businesses across every sector of the economy. DLRs require data to be stored and used within, or routed through, a particular geographical location. In practice, most regimes stipulate conditions for international transfers rather than banning them outright.
1. Data needs to flow for international trade to operate
Digital trade issues are all-pervasive and businesses, including those trading physical goods, rely on data flows throughout the lifecycle of a trade transaction. Many businesses also need access to data to develop their product offerings. If data cannot flow across borders, this potentially deprives companies –particularly SMEs – of the opportunity to grow their business in new markets.
2. Cross-border data flows support overseas investments
Like trade, investment relies on cross-border data flows. This is important for global businesses, which require data to cross borders in order for their internal operations to function. It may also be important to fulfil requirements of establishing in a new market and complying with the relevant regulatory requirements – for example information about company directors may need to be recorded to set up a subsidiary. If countries want to attract inward investment which relies on data flowing in, they must recognise that in return data needs to flow out.
3. Localising data does not automatically make data more secure
DLRs assume that data is safer if it is stored and processed locally, but in cybersecurity terms this is not necessarily true. The biggest threats to data security are likely to be virtual rather than physical so storing data locally does not prevent it from hacking. In fact, it may even be counterproductive to impose DLRs if domestic providers are not able to offer the same level of protection as major global cloud providers, which have the research and development budgets to ensure that protections continually evolve to combat cyberattacks.
Localisation may also limit the practice of sharding data and storing it in multiple locations, which makes it much harder to appropriate. Storing all data in one place is sometimes seen as creating a so-called “honeypot”, making it more attractive to potential data thieves. Businesses are exposed to reputational risk if their customers’ data is lost so this added risk may also disincentivise trade and investment.
How can FTA negotiations help?
Digital chapters in a number of modern FTAs contain provisions restricting the use of DLRs. Although these are heavily caveated and often allow broad exceptions, nevertheless they send an important signal that DLRs should be minimised and can at least help ensure that those DLRs that do exist are necessary and proportionate. FTAs negotiations should be used to focus attention on the regulatory discussions to achieve better understanding about how data protection frameworks function leading to mutual recognition of data protection frameworks.
It is not only the substantive provisions of FTAs but also the very fact of negotiations that can help in reducing the impact of DLRs and ensuring that market access commitments across all sectors can be given full effect.
What does it mean for business?
Businesses must comply with domestic data regulations wherever they do business and ensure they are meeting transfer requirements for any data stored or processed outside that country. Proactive engagement with governments and regulators can also help maximise international trading opportunities: if policymakers understand the challenges businesses face, they can pursue practical mechanisms – both unilateral and bilateral – to remove those barriers.
Authors
Sally Jones
Sally leads the EY Trade Strategy and Brexit team. She is a leading specialist in trade policy from both a global and UK/EU perspective.