⇓ More from ICTworks

Data Localization Is a Political Decision, Not a Technological One

By Wayan Vota on November 27, 2024

Data Localization Political Decision

Governments are passing regulations that require companies to store certain data on servers located within national borders. These data localization laws are restricting global data flows in an effort to increase digital sovereignty.

The laws are often framed as measures to enhance privacy, security, and national control. However, the truth is more complex. Data localization is primarily a political decision, not a technological one. There is not a clear technological need to store data inside physical geographic boundaries.

Data Localization Is a Political Decision

Here are 4 reasons why data localization rules are primarily politically motivated, and can negatively impact international services like artificial intelligence models that need global data and servers.

1. Government Control

At its core, data localization is about control. Governments are driven by a desire to assert “data sovereignty” over digital assets, much like physical territory. There is a compelling political case to be made that the data of a country’s citizens should remain in the physical jurisdiction of that country.

However, national digital sovereignty is often hypocritical when key government processes are run on international cloud computing infrastructure. I vividly remember being told by a Minister that we must host our data system in his country for security reasons – via an email from his official Gmail account.

2. Economic Protectionism

Data localization can serve as a barrier to foreign competition, promoting the growth of domestic industries. This approach is evident in policies that restrict cross-border data flows, thereby supporting local businesses.

India, for example, has pushed for data localization, with lawmakers arguing that keeping data within the country fosters local job creation and boosts the domestic technology industry. The Reserve Bank of India’s directive in 2018, mandating that financial data generated by payment systems be stored only in India, is often framed as a strategy to stimulate India’s burgeoning digital economy.

3. National Security

By requiring data to be stored domestically, governments aim to protect sensitive information from foreign surveillance and potential cyber threats. Low- and Middle-income countries (LMICs) also have a legitimate fear that if their citizens’ data is stored in the United States, it could be subject to US government requests, compromising their autonomy.

However, data can often be secured more effectively in international data centers with multiple layers of digital and physical security measures than dodgy server rooms in physical locations controlled by a government. I’ve lost count of the messy server rooms I’ve seen behind a random unlocked government office door.

4. International Relations

Data has become a strategic asset in geopolitical negotiations. Countries that control their data flows have more bargaining power in trade agreements and diplomatic discussions.

The European Union’s General Data Protection Regulation (GDPR) includes provisions for the transfer of personal data outside the EU, but only to countries with adequate data protection standards. This gives the EU considerable leverage over how companies and governments handle data across borders.

Data Localization Harms Cloud Computing

Cloud computing distributes data and computing resources across multiple locations to maximize efficiency, security, and cost-effectiveness. Cloud providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud operate data centers globally, allowing them to optimize performance by locating data in regions where it can be processed most efficiently.

Data localization laws restrict this ability by forcing companies to store data within specific geographic boundaries. As a result, companies must either build or lease data centers in every country with localization requirements, which is both costly and inefficient.

For example, compliance with Brazil’s Marco Civil da Internet requires companies to store Brazilians’ personal data within Brazil. For multinational cloud providers, this means building expensive infrastructure locally or partnering with local firms, both of which inflate operational costs and slow innovation.

Data localization laws also undermine the core benefits of cloud services such as redundancy, scalability, and disaster recovery. Cloud providers typically replicate data across multiple regions to ensure resilience in case of an outage or disaster in one region.

However, localization requirements prevent this type of cross-border redundancy. If data is required to remain within a single jurisdiction, it becomes more vulnerable to local disruptions, such as fiber optic cable cuts, power outages, cyber-attacks, or natural disasters.

For example, Vietnam’s cybersecurity law imposes stringent requirements on foreign cloud service providers, leaving data center managers unable to benefit from the resilience and redundancy typically offered by global cloud architectures.

Finally, cloud computing’s scalability—a key selling point—is hampered by data localization. Scalability in the cloud relies on the ability to dynamically shift resources where they are most needed. If a surge in demand occurs in a data localization country, cloud providers cannot shift data and processing power to other regions.

Data Localization vs. Digital Scale

Data localization laws are not technology regulations. They are deeply political decisions, driven by concerns over sovereignty, security, and economic control. Each regulation that aims to enhance citizen data protection and data privacy often brings increased costs, reduced flexibility, and heightened vulnerability to cloud computing solutions.

Governments and solution providers need to have honest discussions on the future of cloud computing and global data flows to find a balance between national control and the continued growth of the digital economy.

Filed Under: Data
More About: , , , , , , , , , ,

Written by
Wayan Vota co-founded ICTworks. He also co-founded Technology Salon, MERL Tech, ICTforAg, ICT4Djobs, ICT4Drinks, JadedAid, Kurante, OLPC News and a few other things. Opinions expressed here are his own and do not reflect the position of his employer, any of its entities, or any ICTWorks sponsor.
Stay Current with ICTworksGet Regular Updates via Email

9 Comments to “Data Localization Is a Political Decision, Not a Technological One”

  1. The key word is “control” which at the international stage should be absolutely held by the Governments as the custodians of the data owners. That should be totally enforced irrespective of where the data is actually located. Countries like Kenya in its Data Protection Act 2013 describe this and further state that data can be stored outside the country as long as there is a serving copy within the country (as defined by its administrative borders).
    In my strong opinion, data should absolutely be localized in terms of absolute control being held by Governments that represent its people.

  2. Daniel Wilson says:

    Thanks for this great post Wayan. I want to ask if you think this is the inevitable future for LMICs, that they must remain dependent on US-based hyperscalers. I agree with many of the points you made, but I don’t think this necessarily means a perpetual dependence on the West, especially as more examples of successful DPI emerge. I’ve been inspired recently by the Open Cloud Compute initiative in India which addresses many of the concerns you introduced. How can this be replicated? https://peopleplus.ai/occ

    • Wayan Vota says:

      I don’t expect reliance on international data centers to be the inevitable permanent future for all LMICs. I do think there is a continuum, where a) Some countries will develop their own capacities and run their own systems – India is a great example today. b) Some countries will need international systems for certain solutions that can only be designed or deployed as SaaS – OpenAI is a great example today. c) Some countries will not have local capacity for years, if ever – for example, countries with small populations or limited technology resources.

  3. Helinah Muniu says:

    Thank you very much Wayan for this very interesting article.

    In my humble opionion, I believe LMICs should be assisted to get their standards and security up to the level of say the US and or India in order to protect their citizen’s personal data and take advantage of cloud computing to the full extent. This is very doable and can happen over time. The LMICs have the necessary local talent to assist governments with this task.

  4. Mike Dawson says:

    I think data sovereignty should not be a luxury only for the likes of the US, EU, India and China. It also need not be a trade-off: using open-source software and interoperable standards (e.g. open APIs) can provide the best of both worlds: data sovereignty AND digital scale.

  5. Mohamoud says:

    I recently visit a tier-3 data center outside Nairobi and I was very impressed. I think, in the future, most East Africa business, governments, etc. will use local data centers like the I visited. East African countries are harmonizing their commercial legal systems and eliminating intra-Africa trade barriers so leveraging regional tech and infrastructure capabilities will become the norm.

  6. Amélie says:

    The Pandora’s box on data residency is open for too long and lawyers and companies have found more than a few ways to exploit loopholes. It’s bad for consumers in my mind and it’s not gonna get better.

  7. Interesting post, thanks for writing it!

Leave a Reply

*

*