By: Jonathan McGruer

Data privacy laws have seen significant recent change after the European Parliament and Council of the European Union brought the (the “GDPR”) into effect on May 25, 2018. Enacting the GDPR signified a tremendous step further clarifying the EU’s stance on data privacy and consumer rights. However, as a wave of countries scramble to update data privacy laws, data localization requirements introduced in conjunction with new regulations undermine today’s increasingly data-driven global economy that is so reliant on the free flow of data across borders.

To date, newly-introduced privacy legislation is reminiscent of the GDPR.  Many nations’ GDPR-like laws contain additions not present in the original EU regulations. For example, Brazil recently passed the Brazil General Data Protection Law (the “LGPD”), including provisions similar to the GDPR. Brazil’s LGPD expands on the GDPR right to data portability, requiring personal data to be stored in a “format favoring the exercise of the holder’s right of access, and by extension enabling holder’s request for a full electronic copy of their personal data in a format allowing its further processing.” India and Vietnam have both introduced data localization requirements under new data privacy regulations.

States have also proposed draft legislation that closely tracks expectations promulgated under the GDPR. On June 28, 2018 California passed the California Consumer Privacy Act of 2018 (the “CCPA”), which requires businesses to make new disclosures to consumers covering how to opt out of certain data processes, and to better educate consumers about their rights under data protection laws. California’s Privacy Act also requires companies to include on business’ Internet homepages a “do not sell my personal information” link. The link directs consumers to a page allowing users to opt-out of the sale of personal information. The CCPA will be in force beginning January 1, 2020.

GDPR-like laws have not been drafted consistently, as countries differ with regards to expectations of privacy. Though common themes remain, such as the right of access, and the right to be forgotten, some new jurisdictions have suggested taking a step further and requiring data localization.

What is Data Localization?

These laws commonly require nationals’ data to be stored, collected, and processed in data centers within a particular country’s borders. China, Russia, and Iran currently enforce data localization laws. At the firm level, Leviathan Security Group shows that data localization regulations increase the local companies would need to pay by 30-60%. The same study notes that “many countries considering data localization have no publicly-available cloud computing providers.” This could potentially lead to businesses being forced to use non-public cloud computing resources, or to purchase and maintain their own expensive infrastructure.

Data localization laws are typically associated with governments’ interest in civilian monitoring. India, for example, has required that all payment data of Indian nationals be stored within borders, to provide “unfettered access” to regulators.

Jurisdictions introducing data localization laws cite misguided privacy and security concerns as part of several justifications for restricting data. Despite potential justifications, data localization laws present barriers to innovation, privacy, and security.

Data localization laws potentially harm the digital economy and impose burdens on technology companies by drastically increasing operating costs. Foreign jurisdictions justify data localization regulations by assuring that the regulations will create jobs, and promote domestic security by “ensuring quick access to… security establishments.” are backed by foreign governments’ justifications of “creating jobs,” and “ensur[ing] quick access to… security establishments.” Scholars note that having data localization requirements will make companies “more vulnerable to censorship and surveillance demands.”

Cross-Border Data Flows After the CLOUD Act

The United States recently introduce the CLOUD Act requiring that U.S. data and communication companies must provide stored data for U.S. citizens when requested by warrant. The CLOUD Act also functions as a mechanism to ease foreign jurisdictions’ security concerns justifying data localization, by providing data access procedures for legitimate requests. Further, the Act, in theory, removes much of the “red tape” federal investigators previously faced when seeking private citizen data stored in foreign nations but controlled by U.S. companies.

Leaders in the information technology sector, including Microsoft, Google, Apple, and Facebook, strongly support the CLOUD Act, crediting it as a much-needed clarification providing guidance on navigating cross-border data sharing issues.

The CLOUD Act creates an avenue for the U.S. and like-minded jurisdictions to provide a solution for cross-border data transfers in the wake of new data localization regulations. Apple, Facebook, Google, Microsoft, and Oath support the CLOUD Act, stating that “the CLOUD Act [is] notable progress to protect consumers’ rights and… reduc[es] conflicts of law.”

Conflicts with foreign data protection laws post-GDPR is sure to cause significant confusion for global technology companies. Major American technology companies’ continued support for the CLOUD Act, as well as for the free flow of data across borders, could pressure foreign jurisdictions to rescind laws that could negatively impact the global digital market by introducing avoidable costs and marginal benefits.