Data Residency Laws Tracked in Trade Barriers Report

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

Barriers to digital trade have spread to such an extent that the Office of the U.S. Trade Representative analyzed how the topic is playing out in dozens of countries in its 2017 annual report on foreign barriers to trade.

The 492-page report, released March 31, defined digital trade barriers as “restrictions and other discriminatory practices affecting cross-border data flows, digital products, Internet-enabled services, and other restrictive technology requirements.” The 32nd annual USTR report highlighted a range of foreign barriers to U.S. exports, including foreign import policies, lack of intellectual property protections, export subsidies and barriers to investment.

Foreign digital trade barriers make it more expensive for U.S. technology companies and cloud service providers to enter foreign markets.

The report tracked “data residency” laws, requiring companies to store certain types of data within a country’s borders, that have sprung up around the world.

A side effect of those laws is protectionism, in that they are “intended to favor local providers (who naturally find it easier to keep data local) and foreign direct investment” to build data centers, Lothar Determann, a privacy partner at Baker McKenzie LLP in Palo Alto, Calif., told Bloomberg BNA.

“Data residency requirements pose a threat to efficient cloud architectures, free speech and global trade,” Determann said.

Bret Cohen, a privacy and cybersecurity partner at Hogan Lovells LLP in Washington, told Bloomberg BNA April 3 that local data storage requirements increase cost. The prevailing view throughout the tech and cloud industry is that trade barriers related to data storage prevent “cloud companies and customers from searching out the cheapest cloud solution” to data management, Cohen said.

The USTR report highlights what it sees as “the most important foreign barriers” to trade in order to enhance awareness of the trade restrictions, in accordance with the Trade Act of 1974, and facilitate negotiations aimed at reducing them. Digital trade barriers were included to “highlight the growing and evolving trade using or enabled by electronic networks and information communications technology.”

Private Sector Residency

Two broad trends are emerging with data residency laws, Cohen said.

The first is the increasing emergence of data residency laws “that require private sector companies to store information locally"— with Russia’s law serving as the model for such private-sector aimed residency laws, Cohen said.

Russia’s 2015 data residency law requires data operators to store and process all personal information of Russian citizens that has been electronically collected by companies.

“When you look at data localization as broad as Russia’s, it’s impacting all big multinational companies,” Cohen said.

USTR found that, “Companies most likely affected by this law include companies seeking to serve Russia entirely on a cross-border basis.”

Since Russia enacted its law, Kazakhstan has implemented a similar law. Brazil is debating a law that could regulate storage requirements.

Government Data Residency

The second trend involves laws that require government data to be stored locally, Cohen said. Such laws can be found in China, Indonesia, Canada and Nigeria.

Indonesia, for example, requires all providers of a “public service” to establish local data centers. The USTR said Indonesia’s definition of “public service” is very broad and “creates uncertainty for service providers across sectors.”

“U.S. firms have expressed concern that a local data center requirement could prevent service suppliers from leveraging economies of scale from existing data centers and inhibit cross-border data flows,” USTR said.

Citing national security, Canada requires the company that will consolidate all federal government information technology to keep the data in Canada, effective precluding “U.S.-based ‘cloud’ computing suppliers from participating in the procurement process,” the USTR said.

Data residency laws are often sold by government’s as “privacy and civil rights protection measures,” Determann said. “But they really have the opposite purpose and effect” in that they really just secure access to data for intelligence and law enforcement purposes, he said.

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The full USTR report can be found at http://src.bna.com/nz3.

Bloomberg Law will be hosting a panel on international data residency laws at the IAPP Global Privacy Summit in Washington. The schedule can be found at http://src.bna.com/nAS.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security