Recently, a new form of protectionism has arisen that threatens the competitiveness of U.S. businesses in global markets: the demand that any data a firm collects in a country also be stored and maintained in that country as well. The most recent move in this regard has come from the Reserve Bank of India, which recently announced that by today, October 15, all businesses collecting payment data in the country must also maintain that data in the country as well.
This trend towards data localization imposes sharply higher data maintenance costs on U.S. multinationals offering services that involve a modicum of data: while such edicts obviously affect financial services and information technology companies, these days nearly every multinational company collects data from its customers around the globe: Manufacturing companies, for instance, amass a vast trove of data from customers that use their products in order to improve performance and customer service.
There are enormous economies of scale to storing data: Companies with data-intensive operations usually construct data centers in remote areas with inexpensive and reliable power, which they buttress with their own backup energy sources. They also maintain elaborate physical security and invest heavily to create complex protections for their data network to prevent data breaches.
The cost of constructing a data center is essentially the same regardless of the amount of data being stored, so it is much more cost-effective for a company to maintain all of its global data in one place and not duplicate this investment elsewhere.
However, foreign countries increasingly require that companies store any data produced in their country within its borders. One ostensible reason for this is so the government can ensure that the data has sufficient safeguards to prevent it from being accessed and exploited by hackers.
However, there are other, less salutary, reasons for countries to insist upon data localization: For starters, it forces companies to invest and hire in their countries, regardless of whether those jobs are necessary.
But the main (and most problematic) reason for this is that it makes it easier for a government to access that data for its own purposes. While governments justify this requirement by claiming that they need ready access to the data to adjudicate potential legal issues, there is no reason a government could not require that a company provide it access to its data if it were stored elsewhere, and it could certainly impose the same security requirements and penalties for violating any data protection requirements no matter where a company stores its data.
However, keeping the data within the country means that an enterprising government could potentially access the data for its own means and without the company’s knowledge or consent. In a world that seems to be drifting towards greater authoritarianism, this possibility is truly worrisome.
These days governments all over the globe are becoming increasingly insistent that companies locally store all data collected in their country, increasing the chances that customer data will be accessed by nefarious entities--especially given that “government entity” more often than not falls under that heading.
Forcing firms to store data locally does not achieve any of the ostensible reasons for doing so while increasing the costs of U.S. firms doing business globally and threatening the privacy of hundreds of millions of consumers across the globe. It would be beneficial for everyone for the U.S. government to take dead aim at such requirements in future trade agreements and use its political heft to roll them back.