Is the Clock "Tik Toking" on Global Data Localisation?
Could de facto localisation become a reality?
20 August 2020
In addition to new global privacy regimes, data localisation is fast emerging as another area of regulatory focus with further layers of legal requirements, causing headaches for businesses who are increasingly engaging in cross border data sharing as part of their participation in an increasingly globalised and interconnected world.
The forced sale of the US branch of TikTok has been partially justified by a desire to keep data within US borders. WhatsApp's mobile payment app launch in India has been delayed for months due to a failure to comply with data localisation rules.
In the broader context of legitimising international transfers of data, the European Union Court of Justice recently invalidated the primary legal treaty for transfer of data between the US and the EU in the Schrems II case.
Whilst from a technical perspective data may be viewed as a virtual, intangible substance, the emerging legal reality is that, even beyond specific privacy legislation, where data is sourced can in and of itself materially limit businesses' ability to share, utilise and monetise that data.
Data Localisation and Data Sovereignty: What's the Difference?
Although the terms are often used interchangeably, it is useful to understand how the terminology in this area can be differentiated.
Data localisation typically refers to the legal requirement for data to be stored or processed within specific national or regional borders. If a country has implemented strict data localisation laws, multi-national companies must establish local data storage facilities in respect of all data sourced from that country.
Data sovereignty is the concept that a country has control over personal data that was either created or collected in that country. The origins of this concept are contained in the US Patriot Act which enabled US officials access to any information physically found within a server in the United States regardless of where the information had originated.
Following the case of Microsoft Corp v. United States in 2018, Congress passed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which in certain circumstances, has allowed US law enforcement agencies to access data stored by cloud providers even if held outside the US.
Unlike data localisation, data sovereignty doesn't dictate where data must be stored. Instead it determines who governs and who can access the data once it is created, stored, processed or collected within a certain region.
From a practical point of view, both of these concepts amount to digital barriers to cross-border data transfers.
Justifications and Challenges
There are considered to be two broad primary justifications for data localisation and sovereignty policies: (a) increased security; and (b) economic benefits.
Interestingly, data sovereignty has also been seen by indigenous peoples as an important form of self-governance. New Zealand has a Maori data sovereignty charter in place, with Canada also advocating for a similar approach. However, the typical focus of data localisation laws continues to be economically driven.
For one, data localisation laws may give better protection against malicious foreign businesses and governments by housing data in a safe and known home country. However, simply locating that data in a "safe" jurisdiction will not afford meaningful protection if appropriate technical and organisational measures are not implemented in parallel with respect to the systems holding the data, or if the government in that "safe" jurisdiction is equally motivated to access the data. Data sovereignty laws may also give regulators a broader reach to access information that they consider relevant.
The economic arguments for data localisation and sovereignty policies are similar to those made for trade restrictions generally. Data localisation laws are presented as a means of ringfencing the value in, and profits derived from, relevant data in the domestic market. This is increasingly relevant as data becomes gradually more commodified; the big data and data analytics market alone is estimated at USD 139 billion in 2020.
One particular business cost is that strict localisation will prevent businesses from taking advantage of cheaper storage solutions outside the particular country. For example, this limits the ability to use "data sharding", in which a piece of data is split into smaller "shards" and stored across multiple systems in order to minimise costs and improve redundancy mechanisms.
More significantly, a patchwork of data localisation regimes can create complex compliance problems for global organisations, with associated increased costs, particularly as it may result in circumstances where organisations face conflicting legal regimes and requirements.
Increased Regulatory Scrutiny
Data localisation and sovereignty laws are not new but the last year has seen a sharp rise in regulatory focus on the issue and increased discussion from legislators worldwide.
China, Indonesia, Nigeria, Russia, Vietnam and Brunei have all had strict data localisation laws for a number of years.
In 2019 Russia fined Facebook and Twitter a nominal amount, approximately 50 USD each, for storing user data outside of the country. Despite this minimal financial sanction, it is an indication of increased scrutiny and a willingness to monitor, enforce and penalise data localisation requirements.
The General Data Protection Regulation (EU) 2016/679 (the "GDPR") allows the free-flow of personal data within the EEA but limits transfers outside the EEA unless appropriate protections are deployed.
The Schrems II decision (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, Case C-311/18) is the most recent significant development concerning international transfer of data in which the European Union Court of Justice invalidated the EU-US Privacy Shield, one of the key legal mechanisms for transferring data between the two regions. (You can read our summary of US and EU regulatory responses to the Schrems II decision here and also our analysis of the EDPB's responses).
Whilst strictly there are no technical data localisation requirements under the GDPR, some critics have argued that the Schrems decisions are tantamount to de facto data localisation requirements.
In the context of non-personal data, the European Commission has specifically introduced a regulation (EU) 2018/1807, effective from May 2019, which has the purpose of generally removing restrictions on the geographical limitations on the storage of data by restricting Member States from retaining or introducing new data localisation rules.
As a region, APAC has seen significant implementation of data localisation, with Russia, China and India in particular making significant changes.
Following the nominal fines, Russia has passed a new law that substantially increases the fines which can be levied for data localisation failures, to nearly USD 100,000.
China and India, which are economically significant markets in the tech space, have also implemented new data localisation laws.
Since 2016, China has imposed data localisation requirements on certain onshore operators under the Cybersecurity Law.
In June 2020, China released a first draft of its Data Security Law which will further strengthen China's data localisation requirements by restricting data sharing with foreign agencies. The law is also expected to impose strict regulation and monitoring on data brokers who trade and sell data, impacting international data transfers. Although it has not yet been announced when the law will be implemented or how it will be enforced, local participants should be cognisant of new data localisation requirements as they develop.
Meanwhile, India is in the process of implementing its own data localisation laws, prompting the EU in particular to raise concerns. The Indian government tabled a revised version of the personal data protection bill in December 2019, which requires that "critical" personal data is processed only in India.
Additionally the Reserve Bank of India (RBI) mandates that payment data can only be stored locally. This has prompted over two years of negotiation and remediation for WhatsApp as it tries to launch WhatsApp Pay, its new mobile money application.
WhatsApp Pay is currently awaiting the final stage of approval to offer its services to over 400 million users in the country, although RBI has now confirmed its compliance with the mandatory data localisation parameters.
Both the Chinese and Indian approaches are very different to that of Australia. One of the earlier countries to impose data localisation restrictions, Australia has only imposed limits in certain sectors. In 2012 Australia passed a bill banning data transfer outside of the country in the context of healthcare data. This approach is less invasive and prioritises the protection of highly sensitive data. In July 2020, the Australian Cyber Security Centre also published new cloud security guidelines, highlighting the importance of data sovereignty and the continued regulatory focus in this area.
In the US, Senator Josh Hawley attempted to introduce a bill that would force Chinese and Russian companies with data on American citizens to store that information within the US.
Despite the bill failing to pass, similar sentiments have been paralleled in the US government's plans in respect of TikTok. The Trump administration, on purported grounds of national security, is aiming to ban TikTok's US operations by 11 November unless the US branch is sold to an American company.
The US Secretary of State, Mike Pompeo, has also stated that the government plans to take similar action against other Chinese software companies. It remains to be seen the extent to which this type of approach will be deployed or formalised in law in the future.
India has taken a similar approach and banned 59 of China's biggest mobile phone apps, including TikTok and WeChat, on similar arguments of data security.
Looking to the Future
The internet and technology are emerging as the latest venue for trade, security and international disputes more generally. It is clear that in the coming years emerging data localisation and data sovereignty regimes will create further complex problems for organisations, particularly for the cloud computing industry and its customers.
Companies are already reacting to data localisation requirements. TikTok's discussion of the terms of the $50bn sale of its US operations with the likes of Microsoft, Oracle and Twitter is likely to be the first of many similar negotiations.
It remains to be seen how permissively general international data transfer requirements and restrictions will be interpreted and implemented by regulators and whether these could develop into de facto localisation requirements.
Furthermore, the creation of local data centres is on the rise. On 6 August 2020, TikTok announced that it is investing EUR 420 million in its first European data centre, to be built in Ireland with operations commencing in early 2022. India has also reportedly announced an increase in the development of data storage facilities within India ahead of the implementation of the new law.
In order to manage upcoming data localisation compliance risks, businesses will need to have clearly mapped their ongoing data streams, with a clear and up-to-date understanding of what data they use, the origin of that data and how and where it is stored.
Ioana Burtea, Trainee, contributed to the writing of this article.