Continuing to browse our website indicates your consent to our use of cookies. For more information, see our Privacy policy.

How to use it

The nature, evolution, and potential implications of data localization measures

Published 11 June 2024

With the increasing importance of data to the development of advanced technologies, more economies than ever are considering the rules they have in place governing and protecting data. In particular, economies are evaluating how best to regulate flows of data across borders, balancing public policy priorities like data and privacy protection with the need for stable and productive trade and investment flows. The Organisation for Economic Co-operation and Development (OECD) provides a concise primer to get policymakers up to speed on this important issue.

Here’s how to use the OECD Trade Policy Paper entitled The Nature, Evolution, and Potential Implications of Data Localization Measures.

Why is the paper important?

In late 2023, US trade policymakers put the brakes on years of advocacy for free flows of data, reconsidering the status quo US position on digital trade. Though a new policy has not yet been fully articulated, the decision put conventional notions about digital trade rules among developed OECD economies under a new spotlight, and data localization requirements are an increasingly important part of those rules. This report provides the baseline information that policymakers and other interested parties need to engage in a thoughtful and informed discussion about data localization as new rules and policies are formulated. It also provides useful and concrete examples of rules currently in place around the world and their potential impact on specific businesses and industries.

What’s in the paper?

The report includes three principal sections:

Page index

The nature, evolution and potential implications of data localization measures

Download Report

How to find the key insights

Introduction; Identifying the nature and evolution of data localization

  1. Though policy issues raised by data flows are diverse, a common challenge is the need to ensure that data crossing borders receives oversight and/or protection; the combination of enabling cross-border data transfers and ensuring transfers take place in the context of trusted relationships is known as data free flows with trust (DFFT); data localization is one important aspect of the regulatory environment impacting DFFT. (p. 4)
  2. There is no single, widely accepted, definition of data localization; there is wide agreement that the consequence of data localization is more local storage or processing but there are different views as to what types of measures fall under the category of data localization; this paper defines data localization as an explicit requirement that data be stored and/or processed within the domestic territory. (pp. 5-6; Box 1)
  3. Governments adopt data localization measures citing the need a) to protect privacy and data, b) to ensure access to information for regulatory purposes, c) to protect sensitive national security information, d) to ensure data security and integrity and continuity of critical systems, and e) to help develop domestic capacity in digitally intensive sectors. (pp. 6-7)
  4. For data localization measures, the underlying objective is important for determining whether it is part of a justified public policy objective and whether the actual objective corresponds to the stated objective; it is important to assess whether the policy objective could be achieved in a less trade restrictive way; it is often difficult to assess the ultimate objective of a data localization measure. (p. 7)
  5. Data localization measures vary widely but can be grouped into three broad categories (pp. 8-9, Figure 1):
    • Measures that require local storage of data without prohibiting storage or processing in other countries, to allow regulators jurisdictional reach (p. 8);
    • Measures that require local storage and processing but allow international access or transfers on the basis of clearly defined conditions (pp. 8-9, Box 2);
    • Measures that mandate local storage and processing of data while also prohibiting transfers to other countries (or only on the basis of ad hoc authorizations), these can apply to a range of data and are often less transparent and more ambiguous in scope of application (pp. 9-11, Box 3).
  1. A fourth category about access rather than location is emerging, including measures where there is no requirement for data to be stored locally, but with requirements to guarantee access to data; emerging legislation covers non-sensitive data; conditions for access include notices of where the data might be stored; requirements for an agreement to exchange information to be in place; or requirements that records be kept according to domestic guidelines irrespective of where these are stored; this approach has been growing in recent years and these measures are largely applied by OECD countries. (pp. 11-12 and 15, Box 4, Figure 5)
    Figure 5 - Measures that mandate access rather than imposing location requirements are on the rise
  2. The number of explicit data localization measures has increased: by early 2023 there were 96 measures across 40 countries in place and 4 draft regulations; nearly half of these measures have emerged after 2015; the measures are becoming more restrictive and by early 2023 more than two-thirds involved a storage requirement with a flow prohibition. (pp. 12-13, Figure 2)
  3. Data localization measures are more prevalent across non-OECD countries, accounting for 70% of all measures; non-OECD countries are also more restrictive with 91% of measures in non-OECD countries involve storage requirements with flow prohibitions; the measure affect a diverse range of data and sectors, with 32% of measures having implications across all sectors of the economy; there are stark differences in how OECD and non-OECD countries approach regulation of certain types of data, with non-OECD countries taking a more restrictive approach even for non-sensitive data. (pp. 13-15, Figures 3-4, Table 1)
  1. As of November 2022, 27 regional trade agreements involving 32 countries had provisions prohibiting data localization as a condition for doing business; these provisions have emerged since 2014; most agreements have public policy exceptions but vary as to what exceptions exist. (p. 16, Figure 6; see Annex A for list of trade agreements with ban on local storage requirements)
  2. The three key messages of this analysis are 1) data localization is on the rise, 2) data localization is becoming increasingly restrictive, and 3) trade agreements provide language curtailing some forms of data localization, but with exceptions. (p. 17)

How to apply the insights

  • This section provides the essentials of data localization – what the measures are, what they are meant to address, and the trends describing their adoption.

  • This section is helpful for quickly understanding what data localization measures are, how widely they are adopted and by what countries, and how they are evolving.

Identifying some of the implications of data localization for businesses

  1. Businesses perceive that local storage measures with no flow restrictions can lead to increases in data management costs of around 16%; local storage requirements combined with flow restrictions lead to considerably higher costs of around 55%; 8% of businesses surveyed said that prohibitive data localization measures would stop their ability to operate internationally; around 70% of businesses did not think that data localization measures helped deliver other legitimate public policy objectives. (pp. 17-18, Figures 7-8)
  2. Cross-border e-payments are payments conducted electronically where merchants and consumers are located in different countries; domestic payment systems are not directly connected internationally, so e-payments set in motion a complex system of interbank credits and debits relying on the movement of different types of data across borders. (p. 19)
  3. The financial, banking or payment sectors face the highest number of data localization measures after cross-cutting measures, with a clear divide in approaches across OECD and non-OECD countries, with 12 of 17 specific measures identified arise in non-OECD countries, taking the most restrictive form. (p. 19)
  4. The proliferation of data localization measures in the e-payment sector has led to an increase in the cost of operating domestically and across geographical borders; any form of local storage can be costly because keeping local copies of data requires duplicating measure to maintain high level of data security, implying significant additional capital and personnel costs; businesses in this sector prefer centralization of servers to reduce costs; for large markets the costs can be faced but businesses might reduce services or pass costs to consumers and in small markets business might choose to pull out of the market or reduce investment there. (pp. 19-20)
  5. Indirect impacts of data localization measures in this sector include: reduced efficiency of e-payment systems; less secure and reliable e-payment systems subject to increased risk of cyberattacks; decreased competition in e-payment markets; increased risk of data loss from natural disasters and reduced resilience; reduced ability to detect and prevent fraud; negative downstream affects for small businesses; and uncertainty about regulation. (pp. 20-21)
  6. Cloud computing allows users to rent IT resources, including computing power, storage, and database management, offering the ability to scale up or down activities without needing to undertake important capital investments; the use of cloud computing is growing and will continue to grow; cross-border data flows are integral to cloud computing as the cloud is a vast network of remote but interconnected servers located around the world that allow access to files and data from and Internet-capable device regardless of location. (p. 21)
  7. Data localization measures are motivated by data safety, national security, respect for human rights, and ensuring government access to data in the event of judicial proceedings; some businesses perceive that these measures are intended to favor domestic cloud computing companies; 7 requirements have been identified to date. (pp. 22-23, Box 5)
  8. Data localization requirements are problematic for cloud providers since location independence is a core aspect of the cloud delivery model; regulatory requirements push providers to increase transparency over server location; data localization requirements can lead to: 1) increased costs of providing cloud computing services; 2) negative impacts on downstream users; 3) reduction in the amount of services provided; 4) increased compliance costs given challenges navigating requirements apply to what kinds of data; 5) increased cybersecurity risks; and 6) increased risk of data loss from natural disasters and reduced resilience. (pp. 23-24)
  9. Air travel data: Aviation is a data intensive sector; the ticketing process involves the collection, transfer, and processing of data across different countries; when passengers book a specific flight, Passenger Name Records with personal travel information are created and stored on computer reservation systems (CRS); for payments, third party payment providers or payment gateways are used, many of which are dependent on processing data across borders; information on CRS systems is integrated with airline departure control systems (DCS) and airport information systems; the DCS system also shares passenger information with international baggage tracking platforms; passenger information may also be shared with government agencies in countries passengers are traveling to or where they are transiting or overflying. (pp. 24-25, Figure 9)
    Figure 9 - Use of data in ticket booking and processing
  10. The Convention on International Civil Aviation (Chicago Convention) governs international air transport rules, with a comprehensive network of bilateral air services agreements; sharing of passenger information is governed by Annex 9 of the Chicago Convention, which many ICAO members accept, but individual member states increasingly impose their own requirements on provision of such data; the aviation industry is subject to more cross-cutting requirements on business operations, including data transfer and data localization; as the sector handles large volumes of personal data, localization requirements also have substantial implications on the cross-border sharing of passenger information needed for international air travel. (p. 26)
  11. Rules prohibiting or unduly restricting the ability to transfer passenger data internationally restrict passenger travel internationally; because of constant updates to passenger data and airline activity, it is essential that there is a single source of that information and in practice a single geographic location where that data is held; as a result, data localization requirements in certain countries will have very significant impact on how airlines operate in those countries, and at worst, might negatively impact decisions of airlines to fly to those countries. (pp. 26-27)
  12. The aviation industry already has well-defined rules and standards in place for passenger data; cross-cutting data localization measures can affect business operations; there are growing uncertainties on the linkages with data protection and privacy rules in aviation; regulatory uncertainty can raise compliance costs and undermine efficient air transport services. (p. 27)

How to apply the insights

  • This section provides really useful practical information about how data localization requirements can impact specific industries and businesses, including implications for small business owners and consumers or services.

  • It is practical insight essential for any policymaker contemplating data localization rules in their country or economy.

Identifying discussion points

  1. International discussions can ensure that approaches to data localization deliver on justified public policy objectives in a least trade restrictive way, including through continued:
    • monitoring of the evolving regulatory environment;
    • discussion around moving towards less restrictive forms of data localization;
    • cooperation on data localization issues in dialogue with regulators, trade policymakers and other relevant stakeholders, including the private sector; and
    • efforts to realize global rules that address data localization and take into account justified public policy objectives while avoiding excessive fragmentation. (pp. 27-28)

How to apply the insights

  • This section raises the key questions that should guide multilateral or international discussions on the issue of data localization moving forward, and is useful for and trade policymakers working on policy approaches toward data localization in the context of international trade relations or negotiations.

Conclusion

The OECD trade policy paper provides a short, concise, and easily accessible summary of data localization requirements, trends, and the impact on select businesses and industries. It is a helpful and easy to use summary of an issue of growing importance in international trade and investment.

Download report

Complementary reports and analysis

Hinrich Foundation

External Resources

© The Hinrich Foundation. See our website Terms and conditions for our copyright and reprint policy. All statements of fact and the views, conclusions and recommendations expressed in this publication are the sole responsibility of the author(s).

BACK TO TOP