Data Localization—a Hidden Tax on the Poor

Technology facilitates the rapid flow of vast quantities of data across the world. These cross-border flows have the potential to unlock substantial benefits for development and poverty reduction. Yet, many policymakers worry about the issues this raises, such as data protection and security, national security, law enforcement and supervisory data access, and competition. In response, many countries turn to a set of policies known as “data localization”—in an effort to exercise more control over nationally generated data. Data localization restricts the flow of data out of a country or requires copies of data be stored in country. Over 100 countries have some data localization rules, including Australia, Brazil, China, Indonesia, Japan, and Russia.

Some argue that localization policies have benefits; in practice the policies often do not advance their stated goals. Largely missing from the localization debate is a focus on how these policies affect the poor. By imposing technological hurdles and restricting access to cloud services, these polices often increase costs on providers of services to low-income consumers, effectively imposing a “localization tax” on those least able to afford it.

Global data technologies have increased efficiencies and reduced the costs of providing services. It is ever more economical to provide such services, including critical financial services, to consumers who might otherwise have been less profitable customers. Data localization policies cut against this trend by increasing costs, limiting access to cloud computing, and reducing competition. Some countries face acute technological capacity constraints so that localization capacity demands may vastly exceed national data center capacity. Concomitantly, requirements for duplicate copies of data may place undue financial obligations on local companies.

This focus on data localization builds on the two years of research led by Michael Pisa and Ugonma Nwankwo under the Center for Global Development project “Governing Data for Development.” The project team conferred with experts on what are the most significant challenges governments face in using and regulating the use of data to meet their development aims and how multilateral organizations can strengthen global data governance practices. The prior work explored ways governments can use data to support innovation, economic development, and inclusive growth while protecting citizens and communities against harm, with a focus on approaches that best meet the needs, priorities, and capacities of low- and lower-middle-income countries. In the next phase of this work, I will build on the insights from CGD’s prior work and explore what data localization entails, why it can be problematic, the concrete ways it may adversely impact the poor, and alternatives that address legitimate policy concerns without unduly burdening data flow, all with a particular focus on Africa. As with the prior research, these efforts are funded by the Hewlett Foundation.

Why data localization?

Localization comes in many flavors, from allowing data to leave the country so long as a copy is maintained domestically (mirroring) to legal or de facto prohibitions on data export. Rationales for localization include: fear of dependence on foreign countries; neocolonialism (large international companies controlling access to technology); concern that countries will attempt to access data stored within their borders (including surveillance by foreign intelligence services); loss of control over data; protection of domestic companies from foreign competition; promotion of the development of domestic technical capacity and cloud computing; data security (because it is harder to protect data outside the country); data protection (foreign laws may not sufficiently protect data); and, hindrance of law enforcement criminal investigations.

Why not localization?

Localization can be burdensome and counterproductive. For instance, mirroring can be the worst of both worlds—providers must pay for cross-border cloud services but must also invest scarce capital in building domestic data storage facilities where the mirrored copy of data is stored. Costs of such duplicate facilities will likely be passed on to customers.

Localization also has the potential of impeding anti-fraud and counterterrorism efforts. If financial transaction information cannot be shared across borders with law enforcement agencies or financial firms that combat fraud, such as payment processors or credit card issuers that flag suspicious transactions, efforts to protect against economic losses will be impeded making customers more vulnerable to bearing such losses.

The reality is that broad limitations on cross-border data transfer could result in business opportunities lost and reduce the ability of an organization to trade internationally, leading to a reduced geographical footprint and loss of market competitiveness. From a macro perspective, studies have found that data localization can lower national productivity, negatively impact trade output, and increase prices, leading to many job losses.

Why does localization particularly hurt the poor?

Cloud computing, the delivery of computing services, including data storage, over the internet, is a use case that highlights the negative impact of localization laws on the poor. A central benefit of cloud computing is that financial service providers typically pay only for the services they need. As a result, cloud computing offers efficiencies and flexible data storage sizing that allows providers to invest their capital in new products and hire additional personnel instead of building computer server farms that at any given time will be either too large or too small for their needs. Ironically, the data centers domestic firms would be required to build, use very little human capital, meaning the increase in data costs would not even be offset by the benefit of a significant increase in employment.

Inability to access cloud services due to localization means increased data handling expenses that are passed along to consumers. In the absence of a localization requirement, a virtual bank, with its operations almost entirely in the cloud, could economically offer basic financial services to the very poor at a relatively low cost per customer, which can open vast markets of underserved or unserved consumers. Localization, by contrast, could make access to such markets impracticable, resulting in exclusion of the poor because they are insufficiently profitable. The implications of this policy are not limited to financial firms. The greatest negative impact may be on data-intensive industries, such as firms that use the internet for business operations including delivery of products and payments for services.

The need to build data centers also would impose barriers to entry on potential market entrants, thus stifling the creation of innovative startups. Furthermore, domestic data centers may be more vulnerable to natural disasters, military conflicts, and political strife, whereas international cloud centers are typically located with the goal of minimizing these impacts. Reducing these risks of data compromise and loss can make it even more economical to provide services, including critical financial services, to low-income consumers. Cloud providers have a much greater ability and incentive to invest in data security than most domestic companies, thus further putting poor people’s data at greater risk if kept out of the cloud. A recent real world example of this risk was Ukraine’s decision last year to change its laws to permit backing-up computer servers and data centers to the cloud. Soon after the conflict with Russia began, many of those server farms were destroyed. However, with cloud backups enabled, the Ukrainian government was able to continue operations.

The hidden costs of localization go beyond cloud computing. For example, a key component of cybersecurity is sharing threat information so that countries and firms are alerted to, and better prepared, to fend off cyberattacks. Hindering the ability to share threat information across borders can result in providers suffering more attacks which, in turn, means that the poor will have to bear yet added costs for goods and services. SMEs that serve and employ low-income people are often ill-prepared to develop their own capability to defend again cyber criminals and thus would benefit from cross-border data sharing of risk information. This could mean that more sophisticated international firms will develop stronger defenses, making less well defended SMEs more attractive targets of ransomware and denial of service attacks.

One of the sometimes unstated goals of localization is to protect domestic firms from competition. However, denial of access to cloud computing may result in domestic firms being less competitive. If the domestic market is large enough, foreign firms may establish data centers in country which meet the requirements of localization but still put domestic firms at a disadvantage because they lack the international infrastructure to compete against such firms.  This lack of competition can mean higher prices and fewer product choices.

Why is the African experience particularly relevant?

Africa is wrestling with how countries on the continent can maximize the benefits of cross-border data flows. How this challenge is addressed is important for African countries as well as being a model for other regions around the world. The broad effort at harmonizing data protection and facilitating the flow of data across Africa, the African Union’s Convention on Cybersecurity and Personal Data Protection (“Malabo Convention”), adopted in 2014, has not yet been ratified by enough countries. In the meantime, the African Union’s Data Policy Framework, dated February 2022, has been endorsed by the African Union’s Executive Council.  The Framework’s goal is to “ensure that data can flow across borders as freely as possible while achieving an equitable distribution of benefits and addressing risks related to human rights and national security.” The Framework notes localization laws “limit the cross-border flow of information necessary for local value creation and establishment of the single market.” Another opportunity to address these issues can be found in the context of the Africa Continental Free Trade Area (AfCFTA), covering the world’s largest free trade area by bringing together the 55 countries of the African Union. While the AfCFTA digital trade protocol does not currently include provisions addressing cross-border data flows, they are the subject of ongoing discussions. This could be a forum for harmonizing data protection frameworks which would facilitate the free flow of data in the region. 

In addition, there are two organizations that could play a constructive role in harmonizing laws and practices throughout Africa. Smart Africa is an alliance of 32 African countries, international organizations, and global private sector players tasked with developing Africa’s digital agenda with a vision to create a single digital market in Africa by 2030. The NADPA/RAPDP (Network of African Data Protection Authorities/Réseau Africain des Autorités de Protection des Données Personnelles) brings together 19 African national authorities whose mission is to promote the protection of personal data and privacy as a fundamental human right. They can play a role in promoting cross-border data flows to ensure that data localization requirements do not unduly interfere with cross-border communications.

Aside from continent-wide efforts, individual countries have been enacting national legislation.  Senegal, for example, has adopted a data protection law that restricts cross border data transfers to countries that do not provide sufficient protection for the data, subject to some exceptions including consumer consent. These national laws could facilitate the cross-border flow of data, especially if trust for such transfers is developed.

What can be done to mitigate the impact of localization on the poor?

Developing countries, in fact all countries, can challenge data protectionism efforts. A careful review of the goals of localization laws and the reality of their potential negative impact is reason enough to temper future legislative efforts.

One response could be groups of countries uniting to create free data transfer zones, akin to zones promoting free trade, that would enable uninhibited, productive data flow among countries, such as what is contemplated by the AU Data Policy Framework. In fact, there are two recent examples of free trade agreements containing provisions that restrict localization efforts: United States-Mexico-Canada Agreement (USMCA), and the 2019 US-Japan Digital Trade Agreement. Free data zones could be very empowering for regional countries. By banding together, countries could mutually benefit, perhaps even creating their own cloud platforms.

Developing data regulation that is synchronous with regulations in other jurisdictions can contribute to mutual trust and lay a foundation for a trusted exchange of data, enabling and improving the cross-border movement of data, persons, goods, and services. Legitimate concerns regarding localization can be pursued using policy tools that are less draconian, such as the December 2022 OECD Declaration regarding when it is appropriate for governments to access private sector data. The goal should be creating an environment in which data can flow as freely as possible—with both permission and trust. This will provide important economic benefits and opportunities, particularly for the poor.

My work over next six months will entail conferring with stakeholders, exploring concrete ways data localization is a hidden tax on the poor, and considering alternative policy tools that advance legitimate policy goals without the downsides. Stay tuned.