Data Localisation and Cross Border Data Flow:

Economics & Regulation

V. Sridhar
Potluri, Sai Rakshith, Sridhar, V., Rao, Shrisha. (2020). Effects of Data Localization on Digital Trade: An Agent-Based Modeling
Approach. Telecommunications Policy. 44(9). https://doi.org/10.1016/j.telpol.2020.102022

Sridhar, V., Rakshith, Sai., Rao, Shrisha. (2021). Data Localisation and its effects on Cross Border Digital Trade. In Sridhar, V.
(Under Review). Data Centric Living: Algorithms, Digitization and Regulation. Edited Volume. Routledge. 1
ICTPR 3/25/2024 2
 https://itif.org/publications/2021/07/19/how-barriers-cross-border-data-flows-are-spreading-
globally-what-they-cost
ICTPR 3/25/2024 3
EU-Data Localization Regulation
Hard data localization may be coming to the EU —
Here are 5 concerns

In November, the European Data Protection Board

released two important documents with guidance on
when personal data will be allowed to flow to the
United States, India, China and many other non-EU
countries. Expert European commentators have
concluded the draft documents from the EDPB would
apparently have the effect of hard data localization,
limiting many routine data flows from the EU.

As academics at Georgia Tech, we have submitted

comments to the EDPB that highlighted five areas of
concern about the effects of hard data localization:

https://iapp.org/news/a/hard-data-localization-may-be-coming-to-the-eu-here-are-five-concerns/

ICTPR 3/25/2024 4
ICTPR 3/25/2024 5
ICTPR 3/25/2024 6
ICTPR 3/25/2024 7
Data Nationalism?

“Data nationalism is not just a short-term political phenomenon subject to

the ebbs and flows of protectionist sentiments, but the expression of a
profound unease with the last few decades of increasing globalization,
and of a lack of certainty on the part of society as to whether we want
national borders carried over onto the online space.” (Kuner, 2015, p.
2098)

ICTPR 3/25/2024 8
 The Regulations!

ICTPR 3/25/2024 9
Data Localization Regulation and its effect on Cross Border Data Flow

Free/
Unconditional
Transfer

Cross Border
Belgium, Ireland, Iceland, Data Flow Conditional
Japan, Netherlands, New
Flow
Zealand, Philippines,
Data Localization Regulation

Taiwan, USA
No
Restrictions Hungary, India, Mexico, Ban on Flow
Mirrored/ Singapore, Spain,
Less Segmented data to Sweden, Thailand, U.K.
Restrictive be stored within
Data country
Localization
Data Stores only
Highly Restrictive
within Country

China, France,
Indonesia, Russia,
South Korea, Turkey RuNet, Chinese Firewall

ICTPR 3/25/2024 10
Digital Trade Restrictiveness Index (Ferracane, et al. 2018)

High Medium Low while only 19 measures were imposed globally for cross
border data flow restrictions until the year 2000, this
number increased to more than double recently.

Sub indices
Data Policies
Intermediary Liability
Content Access

Ferracane, M. F., Lee-Makiyama, H., & Van Der Marel, E. (2018). Digital trade restrictiveness index. European Centre for International Political Economy, Brussels.

ICTPR 3/25/2024 11
Data Models prevalent around the World (Marel, 2021)

Data Models for Cross-Border Data Flow Data Models for Domestic Data Processing

ICTPR 3/25/2024 12
Quotes from EU GDPR

● When personal data moves across borders outside the Union it may put at
increased risk, the ability of natural persons to exercise data protection
rights in particular to protect themselves from the unlawful use or
disclosure of that information
○ At the same time, supervisory authorities may find that they are
unable to pursue complaints or conduct investigations relating to the
activities outside their borders

ICTPR 3/25/2024 13
Article 45: Adequacy Rules in GDPR

● The Commission may decide with effect for the entire Union that a third
country, a territory or specified sector within a third country, or an
international organisation, offers an adequate level of data protection
○ In such cases, transfers of personal data to that third country or international
organisation may take place without the need to obtain any further authorization

● The European Commission has so far recognised Andorra, Argentina, Canada

(commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man,
Japan, Jersey, New Zealand, Switzerland, Uruguay. South Korea as providing
adequate protection.

ICTPR 3/25/2024 14
What about non-adequate countries

● If there is no adequacy decision for a country, this does not

necessarily foreclose any data transfer to this country.
○ Rather, the controller must ensure in another way that the personal data will be
sufficiently protected by the recipient.

● This can be assured using “standard contractual clauses”, for

data transfers within a Group through so-called “binding
corporate rules,” through the commitment to comply with codes of
conduct

ICTPR 3/25/2024 15
Trade vs. Privacy? EU and the U.S.

● Especially from an economic point of view, data transfers between the United States and the European
Union are of utmost importance
○ In 2013, EU-US cross border trade was about $1 T; 56% of Direct Investment from US was to EU
○ October 2015: Safe Harbour Agreement: to facilitate flow of data between US and Europe
● Maximillian (Max) Schrems, an Austrian national residing in Austria, filed a case against Facebook and
Irish Data Protection Authority
○ On 25 June 2013, Max Schrems lodged a complaint seeking, in essence, to prohibit Facebook
transferring his personal data between servers in Ireland and the U.S. (famously referred to as
Schrems case)
○ Schrems claimed that the law and practices in the US do not offer sufficient protection against
access by public authorities such as the National Security Agency (NSA) and the Federal Bureau of
Investigation (FBI) to the personal data transferred to this country
● Oct 2015: Based on this case, the Safe Harbour Agreement was declared invalid by the European Court of
Justice
ICTPR 3/25/2024 16
Trade vs. Privacy? EU and the U.S.
The Shrems Case

● July 12, 2016: Privacy Shield: By the Department of Commerce, US and

EU to provide a stricter set of ground rules for data transfer from
the EU (Switzerland) to the US
■ While joining the Privacy Shield is voluntary, once an eligible organization makes
the public commitment to comply with the Framework’s requirements, the commitment
will become enforceable under U.S. law

● 16 July 2020: The Court of Justice of EU struck down on Privacy

Shield declaring it to be invalid
○ However, preserved the Standard Contractual Contracts in the framework

● Tit-for-tat game between EU and the U.S.?

ICTPR 3/25/2024 17
India Personal Data Protection Bill

● Requires at least one serving copy of the “personal

sensitive data” on a server or data center located in
India
○ The definition of personal sensitive data is broad and includes:
health data, sexual orientation, passwords, financial data amongst
many.

● The State shall further define a subset of personal data

as “critical personal data” that shall only be processed
in a server located in India
ICTPR 3/25/2024 18
ICTPR 3/25/2024 19
Effects of Data Localization

(Chander & Le, 2014; Corey, 2017; Drake, 2016; Ferracane & Marel, 2019)
ICTPR 3/25/2024 20
Policy Implications

● Economics of digital trade vis-à-vis protection of

national security and privacy
○ Bilateral and multilateral agreements
■ Trans Pacific Partnership Agreement
○ International cyber security information sharing agreements
■ 196 agreements involving 116 different countries!

● State and Firm surveillance

● State and Communication Sovereignty (Calabrese, 1999)

ICTPR 3/25/2024 21
Public Policy Recommendations

United Nations Conference on Trade and Development (UNCTAD) (2021). Digital Economy Report 2021. accessible at
https://unctad.org/webflyer/digital-economy-report-2021 accessed on 3 Nov 2021.

ICTPR 3/25/2024 22
Technical Solutions

Inverse Distributed Databases Distributed Blockchain

ICTPR 3/25/2024 23