Data Localization Policy as Industrial Policy

Investigating the policy motivations behind data localization policies by EU and China

Faiaz
The Curious Commentator
Aug 10, 2023


On January 10th, 2022, the Economist magazine ran a special report titled “Many countries are seeing a revival of industrial policy” and argued that states are in a renewed “industrial-policy arms race”. On the one hand, the fact that different states and regional organizations are crafting their industrial policies with renewed enthusiasm is not a secret. On the other hand, the renewed focus on data privacy and localization policies is also apparent from the recent conversations in the policymaking spaces; see for example another February 2020 special report from the Economist titled “Governments are erecting borders for data”. But much less talked about is the connection between the two phenomena, or how governments often create data localization requirements for companies, as part of their overall industrial policy package.

In this article, I argue that countries use data localization policies as tools to impede the ability of large foreign cloud service providers to capture the domestic market, and to force them to cooperate with local companies or invest in local economies, as part of their industrial policy goals. I also argue that these data localization policies only act as a positive catalyst for domestic industrial policy if the country has an existing large cloud services provider who can take advantage of such data localization requirements established by law.

The following is the roadmap for the article: first, I define the key concepts that will be used throughout the paper; then I specifically investigate the cases of the European Union (EU) and China, describing their principal data localization policies and the explicit motivations behind these policies. Then, I explore how large cloud service providers have responded to such policies. Finally, I explore how these policies advance industrial policy interests and whether they can succeed or not.

Definition of Key Concepts

We can define data localization policy as measures that constrain the cross-border transfer of data through a variety of policies, such as rules requiring data to be stored and processed within the national border, or rules mandating prior consent of the data subject before transmitting information across the border. In most cases, these measures require cloud services to build costly local infrastructure in every jurisdiction in which they operate, and thus make global scale impossible for these services.

Cloud services are the on-demand availability of computer systems and data storage resources, without active management by the user. This technology enables users, and big and small businesses alike, to get low-cost computing power, data storage and transmission capabilities. The cloud can be thought of as the modern equivalent of railroads for transportation, as the basic infrastructure service of the internet.

‘Data sovereignty’ is extending the concept of sovereignty to the virtual space, which means that data collected within a national jurisdiction are subject to the laws and governance structures of that nation. In contrast, ‘internet sovereignty’ is a much stricter control of the virtual space, whereby the national government controls the boundaries of the network, controlling what information is kept in and what information is let in.

What are Data Localization policies?

In contrast to the first generation of internet border control when states sought to restrict outside information entering the country by using technologies such as filters or firewalls, the new generation of internet border control seeks to keep data in, especially all data related to the citizens of that state. At this moment, most states have some kind of data localization regulation.

European Union

The primary EU measure requiring data localization is the General Data Protection Regulation (the GDPR). Specifically, Chapter 5 (Articles 44–50) of the GDPR, titled “Transfers of personal data to third countries or international organisations”, lists data localization regulations (as shown below).

The GDPR allows companies to transfer data outside the EU if appropriate safeguards (such as binding corporate rules) are in place, or if there is a valid “European Data Protection Seal” for both controller and recipient, standard data protection clauses, or contractual clauses with prior authorization from the member state’s data protection authority (Chander, 2014, pg. 11). These measures require cloud services to follow strict data protection rules and only allow transfer of data to so-called “safe harbors”. More recently, the EU has updated its policy to the so-called “Privacy Shield”. Under the new framework, there will be increased oversight and enforcement, moving away from a self-regulatory approach for companies, and an increased role for national data protection authorities within the EU. Thus, this new legislation creates strong obligations for companies to protect EU citizens’ rights related to data protection and further mandates that cloud operators create data center locations within the EU to store data.

China

China has one of the most restrictive data localization policies in the world. The Cybersecurity Law, issued in 2016, aimed to ensure cybersecurity and internet sovereignty for China. More specifically, one of the principal regulations is the Information Security Technology Guidelines for Personal Information Protection (PIP) within Public and Commercial Services Information Systems (the Guidelines). The Guidelines prohibit the transfer of personal data abroad without explicit consent of the data subject or explicit regulatory approval. Article 5.4.5 of the Guidelines says:

“Absent express consent of the subject of the personal information, or explicit legal or regulatory permission, or absent the consent of the competent authorities, the administrator of personal information shall not transfer the personal information to any overseas receiver of personal information, including any individuals located overseas or any organizations and institutions registered overseas.”

Overall, China requires data collected from Chinese citizens within China to be stored and processed within China, as well as data related to critical information infrastructure. According to Chander (2014, pg. 8), these vague terms allow the Chinese government to impose strict data localization requirements on large foreign cloud providers by mandating that they work with local partners to use Chinese data centers. More recently, China released the final version of a new national standard on personal information protection, broadly termed as “China Cybersecurity Law”. It contains important cross border data transfer security measures. China’s aim is much more expansive than data localization, as it wants to have ‘internet sovereignty’.

What are the motivations behind these policies?

European Union

The EU’s data localization measures can be broadly termed ‘data sovereignty’ measures, aimed at ensuring the privacy and security of citizens and protecting EU governments and citizens from foreign surveillance risks. The following are the EU’s motivations:

1. Ensure privacy for citizens and governments: The GDPR was a pioneer in ensuring data privacy and personal data rights for citizens. It requires internet companies to get explicit consent from EU citizens regarding collection of their data, and protection of data against non-governmental criminal activities.

2. Protection from foreign surveillance: Another related concern that motivated the EU was the scandals related to foreign surveillance, especially the 2013 disclosure of NSA surveillance of EU governments and citizens, revealed by Edward Snowden. As a response to such US surveillance, many EU countries started taking a stricter approach regarding data localization requirements. In reality, many of the data localization measures make it easier for governments and non-governmental actors to collect data without consent and make data protection more difficult. By compelling companies to use local cloud infrastructure, EU companies are often forced to use cloud services from much smaller providers, who have less secure cloud services. Many of the large providers like AWS are increasingly building local cloud storage services to serve the EU market.

3. Data sovereignty and data as a personal right: The EU aims to achieve data sovereignty, which is often necessary to ensure data as a personal right for EU citizens. When cloud infrastructure is physically located in jurisdictions outside the EU, it is often impossible for EU governments to mandate or safeguard citizen and government data. There are other security concerns over the loss of ownership of the physical storage facilities and other data assets outside the EU. EU laws also might not be enforceable if the cloud physically resides in a country that doesn’t comply with EU government requests. As such, data localization is the best way forward for the EU to make sure that it is on a path to achieve data sovereignty.

4. Economic interests: The EU Commission released three important papers in February 2020 that outline the EU’s goals: “Shaping Europe’s Digital Future”, “A European Strategy for Data”, and “Artificial Intelligence: A European Approach to Excellence and Trust”. In these papers, the main stated goal is to develop the infrastructure, knowledge and technologies to make the EU a leading player in the global digital economy. The EU also wants European-based companies to compete with US and Chinese firms in the cloud services industry and wants to establish a level playing field. How all of these policies, including data localization requirements, can act as an industrial policy tool will be elaborated later in this article.

China

China’s primary motivations for data localization measures can be broadly categorized under its aim to become ‘internet sovereign’. Internet sovereignty can be summarized as the approach whereby the internet is broken up along national boundaries and each country governs its own part of the splintered internet separately, according to its own rules. China’s policy has both a domestic and an international component. Domestically, China has enacted laws and regulations that censor, surveil, localize data, and criminalize online activity that it deems harmful or subversive. Internationally, China has promoted its concept of internet sovereignty through diplomatic initiatives, multilateral forums, and infrastructure projects such as the Belt and Road Initiative (BRI). The following are China’s motivations in enacting data localization policies:

1. Internet sovereignty: The main motivation is to ensure the security of the state. Before cloud services were widely adopted by Chinese companies and the government, the Chinese government did not require data localization policies to ensure that data from Chinese citizens and organizations were not transmitted, stored or analyzed outside China. But with the increasing adoption of cloud services, data localization became necessary to ensure that only the Chinese government controls what kind of data is transmitted in or out of China, as foreign cloud providers without local infrastructure would require data from China to be transmitted and stored outside China in nearby cloud storage facilities.

2. Holistic national security and protection from foreign surveillance: Cybersecurity is increasingly a domain where state-backed or state-owned actors engage in activities such as cyber-attacks to collect information and disrupt the online systems of rival countries. With increasing tensions between the US and China (and their allies), cybersecurity and data security are critical parts of national security interests. This can seem similar to the EU’s motivation for protection from foreign surveillance. While they are similar, China goes even further, as it wants to ensure ‘holistic national security’, which means that data is categorized into two vaguely defined terms: ‘important’ data and everything else. ‘Important’ is defined very vaguely, including any data on government affairs, citizen affairs, economic operations of companies, etc. By covering such a wide variety of data as a ‘national security concern’, the Chinese government effectively wants to create a high obstacle to any storage or transmission of data from inside to outside China.

3. Personal data security: While the GDPR applies to specific types of data, “sensitive personal information” under the Chinese standard is far-reaching. It extends to any personal data that would cause harm to persons, property, reputation, and mental and physical health if lost or abused. Moreover, the GDPR doesn’t strictly require explicit consent from data subjects, while such requirements are much stricter in Chinese cybersecurity law. For example, the Chinese standard contains more rigorous requirements on what kinds of information must be included in privacy notices.

4. Economic interests: Unlike the EU, China has some large domestic cloud services providers such as Alibaba Cloud, Tencent Cloud and Huawei Cloud. Hence, Chinese companies can be incentivized to take on the services of Chinese cloud providers, instead of foreign cloud service providers, given the data localization requirements (unless the foreign companies provide additional value via their services). This will be further explored in the next part of the essay.

How do data localization policies advance industrial policy interests?

Industrial policy can be generally defined as government measures, such as policies directed towards targeted industries or domestic firms, to guide higher investment in those industries and promote more domestic firm involvement. The cloud services industry has been identified by both the EU and China as a strategically important industry. Below, I explain how the EU’s and China’s data localization policies advance their industrial policy interests in the cloud services sector, and then discuss the impact of these policies so far.

European Union

The EU’s GDPR is generally seen as an overarching policy that establishes requirements for data protection and storage. GDPR rules are applicable to any cloud service provider that stores and transmits EU citizens’ data, regardless of its physical location. As the GDPR generally has stricter data privacy and storage rules, this means that EU-based cloud services providers can now be on a level playing field with foreign cloud services providers. The data localization or ‘privacy shield’ policies also favor companies which are based in the EU or allied countries such as the US, which have comparatively stronger data protection rules. Hence, via the GDPR, the EU is also incentivizing EU-based cloud providers to provide cloud services to EU countries, and foreign providers from the US to set up local storage centers inside the EU. When foreign companies establish data centers and employ local engineers, it not only creates employment, but also has other spillover effects of faster data transmission speeds and other downstream business benefits from such local data centers. In fact, the EU has created a specific roadmap to create an EU-based cloud industry. The European Alliance for Industrial Data, Edge and Cloud builds on the European data strategy from 19 February 2020. In terms of the goal, it says: “The Alliance will contribute to shaping the next generation of secure, low-carbon and interoperable cloud and edge services and infrastructure for Europe as envisaged in the European Data Strategy.”

This is aimed towards promoting a European cloud computing industry and reducing reliance on non-European cloud providers. This also promotes the interests of European companies in the internet services value chain by creating opportunities for them to provide cloud computing services to other European companies and governments.

However, this aim of having a European cloud industry has not come to fruition so far. To truly judge whether the EU industrial policy via data localization policies succeeded or not, we may need to wait 5–10 years, as cloud services require huge capital investments and long time horizons to reach economies of scale. So far, the EU cloud services market is still dominated by foreign companies (there is no EU-based company among the top 10 cloud services providers by market share within the EU). Data from Synergy Research Group (SRG) shows that the European cloud market is now over five times as big as it was in early 2017, reaching $10.9 billion in the second quarter of 2022. Over that same period, the data showed that European cloud service providers had grown their cloud revenues by 167%, but their market share dropped from 27% to 13%. By contrast, many US-based cloud providers such as Amazon Web Services (AWS), Google Cloud and Microsoft Azure continue to invest billions of dollars in building local data centers within the EU. According to SRG, these three account for 72% of the EU market share. So, in this regard, that of encouraging more foreign companies to build local data storage centers within the EU, the data localization requirements have succeeded. The cloud services industry is essentially about scale, which means that only large companies with large amounts of capital to invest in building infrastructure and long time horizons to make profits can succeed in the industry. This makes it hard for EU-based cloud services providers Deutsche Telekom and SAP to compete with behemoths like Amazon and Google. Consequently, European cloud providers have mostly settled into positions of serving local groups of customers that have some specific local needs, sometimes working as partners to the big U.S. cloud providers. It is unlikely that EU-based cloud providers will ever reach the scale required to compete with US-based giants.

China

The Cybersecurity Law issued in 2016, and the subsequent regulations enacted by the Chinese government, impose strict regulations on foreign cloud services providers that make it difficult for them to operate in China. For example, it mandates that “Network operators must store select data within China and cooperate with authorities for security checks” and “Authorities have the power to monitor, block, or delete any information that is deemed illegal or harmful”. These requirements increase the data protection concerns for foreign firms and also increase the compliance costs. In contrast to the EU regulations, China’s data localization and related policies go further in scope. For instance, foreign companies cannot directly set up data centers in mainland China and must instead contract with local Chinese companies and provide services through them. Azure was the first to develop such a partnership, with a firm called 21Vianet. AWS followed shortly thereafter, partnering with Beijing Sinnet. This can also be seen as a part of the larger ‘Made in China 2025’ industrial policy, China’s industrial policy to become a global hi-tech manufacturing superpower. It was initiated in 2015 to reduce China’s dependence on foreign technology and promote Chinese technological manufacturers in the global marketplace.


One of the aims of “Made in China 2025” industrial policy was to boost domestic innovation and self-reliance in key industries such as cloud computing, artificial intelligence, and big data. Data localization policies can be seen as advancing this industrial policy interest of supporting the local cloud computing industry. By requiring foreign companies to store data within China’s borders, the policy can create a barrier to entry for foreign companies that may not have the resources to comply with China’s data protection regulations. This can make it more difficult for foreign companies to compete with domestic companies that have already complied with the data localization requirements. China’s data localization related laws can be presented in a timeline, prepared in 2019 in a research paper by Liu (2020):

Source: Liu, Jinhe. “China’s data localization.” Chinese Journal of Communication 13, no. 1 (2020): 84–103.

China’s data localization policies have helped Chinese cloud providers to become increasingly dominant within the Chinese domestic market, as foreign cloud providers have remained niche players, hesitant to invest more capital in building local data storage centers and to compete with Chinese firms. The ongoing US-China tensions have further worsened the situation for US-based cloud providers. China has a large and fast-growing domestic cloud services market, which can provide the necessary scale to the Chinese cloud providers. According to China Internet Watch data, China’s cloud services market grew by 45% to US$27.4 billion in 2021. The top cloud service provider in China was Alibaba Cloud with a 46.4% share in Q4 2019. Tencent Cloud and Baidu AI Cloud followed with 18.0% and 8.8% respectively. The market size of China’s public cloud services reached US$19.38 billion in 2020, with a year-on-year growth of 49.7%, which was the highest growth rate in all regions of the world. These figures show the rapid adoption of cloud services in China, and also the relative success of Chinese cloud providers in capitalizing on the growing market within China.

Can Data Localization Policies Succeed in Promoting Local Cloud Industry Development?

Data localization policies can succeed in promoting local cloud industry development, but only if there are existing local alternatives that can provide similar levels of services and security, which is often only possible for companies that have achieved some level of economies of scale. This is where the EU and China differ the most in terms of their policy implications, as China already had competing cloud services providers when it introduced data localization policies, but the EU did not have any viable alternative to foreign cloud providers. In a recent McKinsey survey, business leaders were asked how they choose a cloud provider for their businesses. ‘Cyber-security and data compliance’ was the most common buying factor, which indicates that data localization policies can succeed in forcing foreign cloud providers to build local cloud storage systems, if they deem the market important to hold onto. Some other impacts of data localization policies have been:

1. Data localization policies favor existing large cloud providers: Existing large cloud providers have the capabilities and capital to comply with regulatory requirements and have the resources to build local infrastructure if they need to. Smaller companies lack the personnel, financial and legal resources to develop compliance strategies and to build massive data storage centers to reach scale.

2. Data localization raises costs for domestic businesses: Cloud providers make most of their profit by reaching huge economies of scale, and thus, they can also lower the cost of their services once they have scale. This is why it is difficult to compete with existing large cloud providers in terms of the services and cost they can offer. However, data localization policies can increase the costs for cloud providers as they can no longer utilize the scale from global harmonization. Instead, as their capital costs rise from building local data centers, they can pass on that extra cost to the local businesses that use their services. Hence, the domestic benefits of data localization go to the few owners and employees of data centers, and the few companies servicing these centers locally, while local businesses and startups can face higher costs and may not be able to use the latest cloud technologies offered only by foreign-based cloud providers.

3. Data localization policies do not create lots of local jobs: Contrary to what policymakers may want, cloud services may not require large pools of local engineers to be employed in their local data centers. Data server farms are hardly significant generators of employment, populated instead by thousands of computers and few human beings. The significant initial outlay they require is largely in capital goods, the bulk of which are often imported into a country. The diesel generators, cooling systems, servers and power supply devices tend to be imported from a few global suppliers (Chander 2014, pg. 36–37).

4. Local data storage facilities can increase local energy costs: Finally, one unintended impact of data localization policies can be the energy crowd out effect. Large data storage facilities can be huge consumers of energy and thus, they may require reliable energy sources. Moreover, they can also overburden the already overtaxed energy grid. They thereby harm other industries that must now compete for this energy, paying higher prices while potentially suffering limitations in supply of already scarce power (Chander 2014, pg. 37).

Conclusion

Many states have embraced data localization policies to achieve ‘data sovereignty’ and to safeguard the data privacy of their citizens. However, one underemphasized goal may be the industrial policy interests of these states. In this article, I investigated the data localization policies, and the motivations behind these policies, in the EU and China. I also discussed the impacts of these policies and argued that the differential impact of the data localization policies in the EU and China has been mainly due to the existence of large cloud service providers in China, which the EU lacks. I also argued that data localization policies may not be the most effective tool to advance industrial policy interests. As the world increasingly uses technologies such as Artificial Intelligence (AI), which require massive computation power and cloud computing, the negative consequences of data localization will become increasingly obvious. It is very likely that in the future, the states (outside the US and China) with the fewest data localization requirements and the most open flow of information will be the most successful in benefiting from new data-intensive embedded, networked technologies.


Reference: Chander, Anupam, and Uyen P. Le. “Breaking the Web: data localization vs. the global internet.” Emory Law Journal, Forthcoming, UC Davis Legal Studies Research Paper 378 (2014). Accessed at: <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2577969>
