Regulators around the world are confronting the challenge of securing our increasingly connected societies and economies. The EU and China will both soon release major cybersecurity regulations, and many other governments are either finalizing or drafting similar regulations. A major source of discussion in the development of these regulations involves the security implications of the location of data. Governments, such as China and Russia, are creating broad data protection regimes that include mandates on where data can be stored and processed and where it can be transferred. Companies of all nationalities will experience real-world consequences should these policies become popularized, as these regimes would increase operational costs, slow adoption of the best technology, and in some cases, limit the effectiveness of cybersecurity systems.
As we have established, these types of rules can have significant negative economic impacts. We understand that many countries do this because they want to maintain national security, which is rightly a priority for all nations, but it is vital that governments perform cost-benefit analyses in public and transparent regulatory impact assessments to determine the probable security and economic outcomes of proposed laws or regulations before implementing them. Companies and entrepreneurs are in the best position to help policy makers understand what these impacts might be. In fact, arguments in favor of localization based on cybersecurity are often based on outdated views of security or incomplete information, meaning that the economic costs are high, while the security gains are nil.
Cybersecurity experts agree that the location of data has no impact on the security of that data; for example, holding US government data on domestic servers did not protect the data of the Office of Personnel Management. In an interconnected world, the type of technology used, expertise of users, and institutional good practice determine security, not the geographic location of data. There are existing technological solutions to help governments and companies address their data protection needs, such as using strong encryption to protect data during transmission.
Requiring data localization on the basis of security would, in fact, lead to a false sense of security, given that location does not impact security. The perception of increased security while using less advanced technology could be extremely dangerous for national security goals, especially since cybercriminals would have a better awareness of where the data is located (as opposed to letting companies decide where to locate their or their customers’ data). Russia’s requirement that companies submit to the ICT regulator the locations of all their data centers or servers effectively creates a very attractive target list, because hackers then have a focused idea of where to look for the data.
In addition, these restrictive policies hold the potential to inhibit governments from fostering a better domestic cybersecurity environment. By hindering the efficiency of technology and stifling the cross-border flow of information related to cyber threats, governments using data localization requirements for the sake of cybersecurity can deprive organizations of the benefits of real-time, global deployment of preventative defenses and security controls.
Some regulators offer assurances that their data localization policies would have minimal impact on business operations, while promoting security. The addition of opaque new licensing regimes in countries where licensing is a top business concern for international companies, however, creates real efficiency and operational concerns for multi-national companies.
The economic costs of pursuing these policies are becoming increasingly clear. More importantly, regulations that restrict the flow of data across borders offer no substantive security benefits, and may even hinder organizations’ abilities to manage cyber threats. Even as governments engage to clarify data sharing agreements for law enforcement purposes, this effort should not needlessly impose economic costs on a whole nation’s economy. In the face of the daunting challenge of maintaining cybersecurity in the digital age, it is the responsibility of regulators to take measured and reasonable approaches to ensure effective outcomes - not just politically attractive ones.