Don't Trust Data Localization Exceptions in Trade Agreements to Guarantee Protection of Personal Data

The digital economy relies on cross-border provision of services and goods, and in the past government trade regulators have embraced the borderless nature of the Internet and adopted light-touch regulation. But with the growing perception of data as the new oil, governments around the world are now flexing their muscles and stepping up efforts to limit or tax cross-border data flows. Multiple countries have enacted laws localizing storage and processing of data within their territory or subjecting cross-border transfers to to strict conditions.

The wave of data localisation policies suggest that a marked regulatory shift is underway. National localization is creating tension within trade negotiations such as RCEP, NAFTA, and TiSA in which countries like the United States, Singapore, Thailand and Japan, along with tech companies, are seeking to prohibit data localization practices.

Although governments push for data localization to achieve diverse policy goals, there is an inherent conflict between the logic of most data localization efforts and the policy objectives that countries pursue by participating in free trade agreements. Resolving localization demands and reconciling conflicting ideologies and interests may be difficult to achieve through trade agreements.

As in the case of copyright rules in trade agreements, developing trade solutions to data localization are sure to get caught up in the wider socio-politics of trade and Internet governance. Negotiating on data localization for the protection of personal information creates the risk of compromise on protections that should be a minimum guarantee, as countries could lay down localization conditions as a trade-off for respecting privacy rights.

Policy Objectives for Pursuing Data Localisation

Government demands for localization are driven by diverse rationales, one of which is security or surveillance concerns. Consider China's National Security Law which limits operations and maintenance of "critical Internet infrastructure" to mainland China as matter of national and cyber security. Similarly, Vietnam and Indonesia mandate maintaining in-country servers for access by law enforcement agencies.

The desire to attract investment, fuel innovation and create competitive advantage for local companies is another important logic driving localization efforts. When framed from the narrative of economic and employment gains, localization is politically appealing and enjoys support of local business constituencies. This approach seems to be at working for some countries. Google and Amazon Web Services (AMS) have announced data centers in Singapore, Taiwan (province of China)* and Japan. Alibaba Cloud, the computing arm of the Chinese company, announced that it would be setting up data centers in India and Indonesia.

Protection of national autonomy or efforts to reign in the hegemony of US firms is also used to drum-up support for introducing rules for transfers of data. Last week, India's telecom regulator issued a consultation paper exploring measures to address cross-border flow of information and jurisdictional challenges in the digital ecosystem. The regulator's move appears to be triggered by its displeasure with Apple's refusal to list an app developed by the regulator that tracks user's messages and call logs to identify spam.

Beyond the economic rationale, there is a growing perception that nations able to control data flows will fare better in the Internet governance order. For developing and developed countries alike, leadership with regard to digital economy is linked to establishing their claims of sovereignty in cyberspace. Therefore, nations mandate storage and processing of data within their jurisdiction. In a similar vein, governments may also lay down conditions for allowing transfer of data such as the company’s nation of incorporation or principal sites of operations and management. The new Chinese cybersecurity regulation defines the notion of territory not only based on the location of operations, but also of ownership.

Not all localization demands are blanket bans on data transfers or on the use of foreign servers. Establishing local facilities can also be incentivized by raising the costs of the data transfer to other jurisdictions either through tedious procedures or through strict compliance obligations. A recent example would be the security review procedure for transfer of personal information laid down under the Chinese cybersecurity law. Other localization laws are narrow in scope. Think of South Korea’s Land Survey Act banning exporting local mapping data to foreign companies that do not operate domestic data servers. India's National Data Sharing and Accessibility Policy requires all data collected using public funds to be stored within the borders of India.

Balancing Data Protection and Data Localization in Trade

Another important issue driving localization demands is privacy and protection of personal information. The inclusion of commitments prohibiting localisation mandates in treaties is promoted by industry groups [PDF] as a victory for user rights, security and openness of the Internet... but it’s not quite as simple as that. Some countries argue that limiting how personal data can be transferred across borders is one of the only practical ways they have to protect the privacy of their citizens, in the absence of a more comprehensive shared data protection regime between the countries concerned.

Thus concerns about the lack of control over user data and its transfer, processing and storage in jurisdictions with autocratic governments, a weak rule of law, or surveillance programs, have led governments to recognise data protection as a legitimate reason to limit transfer of data. For example, without such exceptions, sensitive health information from Canada and Australia could be processed in jurisdictions with weaker privacy protections. The European Union also maintains that data protection and privacy are legitimate reasons to place limits cross-border transfer of data, and its Privacy Shield agreement with the United States is its attempt at doing exactly this.

Not surprisingly, there has been strong pushback from the US and large tech firms on this stance. Last week, the Information Technology Industry Council (ITIC) a US-based technology group has alleged that several countries, including India, China, South Korea, Russia, Vietnam, Canada, Mexico and Indonesia have turned to discriminatory policies and forced localisation that unfairly disadvantage American companies. The group has submitted a report to the Trump Administration and is urging for an intervention from the Trump administration to remove barriers to trade.

There is no agreement on where to draw the line between data protection based restrictions on data flows that are protectionist and against trade and liberalisation, and those that are necessary to guarantee the rights of citizens. Privacy experts have argued that data protection is qualitatively different from forced localization and the issue of data localization for data protection would disappear if nations implement stronger privacy laws or adopted baseline best practices. Nevertheless countries continue to pursue carving exemptions for data protection in trade agreements.

Several regional trade agreements under discussion include provisions addressing the cross-border transfer of personal information. Texts and analysis of TTIP, TPP, TISA and NAFTA seems to suggest an emerging strategy on data localization linked to transfer of personal information. Participating nations commit to general obligations to not restrict data flows or to require localization of infrastructure, facilities or restriction on transfer of ICT goods and services. For the RCEP, which includes countries with strong national localization strategies or ambitions such as China and India, and countries like Australia and Japan that oppose localization, it is as yet unclear how data localization will be treated.

A strategy to harmonize national approaches followed in the TPP which may see adoption in other trade agreements such as NAFTA and RCEP would be to create exceptions for countries to the general obligations against data localisations. Exceptions allowing restrictions have to based on “legitimate public policy concerns” and are expected to provide the flexibility to accommodate national approaches in regional agreements. Not including such exceptions could require certain countries to roll-back data protections guaranteed to citizens in order to allow cross-border transfer. Global trade bodies recognise the need for flexibility and the World Trade Organization provides such exceptions under Article XIV of its General Agreement on Trade in Services (GATS).

Yet the problem with this is it exposes data protection rules to the possibility of trade complaints about whether these rules are legitimate and proportionate—and these complaints would be heard by a panel of trade lawyers, who have no particular expertise in privacy law or human rights. A lot depends on the implementation of restrictions crafted under these exceptions. When specifying exceptions it is important that governments lay down conditions to facilitate transfer of data where privacy concerns have been adequately addressed. Thinking through and being critical of effectiveness of de-identification measures or thresholds for meaningful informed consent will go a long way in understanding if restricting data to a jurisdiction is a long-term solution for protecting personal data.

EFF’s Recommendation

We believe that countries should consider other measures apart from data localization for strengthening data protection in trade agreements. While there is no global framework for data protection, there are regional initiatives such as the Asia Pacific Economic Cooperation (APEC) Privacy Principles and APEC's Cross Border Privacy Rules (CBPR) system. Such mechanisms could be a starting point for harmonising national approaches and gaining consensus on data protection.

The CBPR features principles and guidelines for the development of a system of voluntary cross-border transfer of personal information in the region. In addition to Canada, Japan, Mexico, and the US, nearly two dozen private companies are also participatory members in the CBPR framework. Earlier this year, South Korea became the fifth member and Singapore and the Philippines are expected to join in the near future. The incentives for integration of such a template will depend on how far countries can accommodate domestic strategies to be harmonious with global rules. By themselves, Australia, India, China, Japan and South Korea are large economies and their role in regional structures and ambitions will influence their role in trade negotiations.

Since the APEC privacy principles do not impose obligations on its member organisations with respect to privacy, but merely confirm a baseline level of protection, Mexico has asked for more in the NAFTA negotiations which begin this week. It is pushing for a Privacy Shield style agreement that would require U.S. companies to abide by Mexico's stronger data protection rules if they wish to gain access to the benefits of liberalized trade within the NAFTA region. The response from the United States remains to be seen, but we can expect some pushback against this suggestion.

Calls to regulate data localization laws in trade agreements aren't going to go away while the factors driving these laws remain, and weak cross-border data protection is one such factor. But data localization isn't a comprehensive solution to this problem, as it doesn't guarantee that data will be secure or adequately protect it against misuse. Pushing localization for short-term social, political and economic gains could ultimately harm users and innovators.

Given the complex political and cultural contexts driving data localization, reconciliation of the multitude of interests and ideologies will not be easy.  Ideally, the privacy and personal data of users would be protected through measures that support a free and open Internet, and that would not be vulnerable to being overturned by trade tribunals who place the free flow of data above the human rights of users. Threading this needle is a challenge in the best of conditions, but doing so under the closed, opaque, and lobbyist-dominated conditions of trade negotiations makes it even harder.

(*) As part of EFF's application to become an accredited NGO at the United Nations, we have been requested to use that organization's official terminology: Taiwan, province of China.