Feature: Data Governance – Part 1 Data Governance – Part 1...

Share on LinkedIn Share on WhatsApp Print this page

Power Maps

By identifying key players, quantifying relative influence, and assessing the competitive landscape, FP Analytics breaks down complex foreign policy issues by mapping out spheres of influence and the risks and opportunities these topics present for Insiders. LEARN MORE

Global Data Governance

Part One: Emerging Data Governance Practices

UPDATED: Sept. 15, 2021
PUBLISHED: May 13, 2020

In FP Analytics’ Power Map, 5G Explained, we detailed the complex physical infrastructure necessary to create 5G networks and broke down the issues surrounding the control of that infrastructure, setting of international standards, bandwidth ownership, and security. In Part I of this series, we examine the emerging regulatory challenges surrounding governance of the data and information that flow through not only 5G networks, but digital infrastructure globally. While 5G networks will be vast, they represent only a fraction of the interconnected computer networks that the entirety of the Internet comprises. As the Internet serves as the circulatory system allowing data to flow to connected users globally, data represents the lifeblood of this system. How it is allowed to move throughout this system has immense consequences for governments, companies, and individuals and has catalyzed governments to regulate data flows at micro and macro levels. Emerging global data governance practices are already impacting the competitive landscape for companies around the world and helping determine how individual users and organizations interact with the rapidly digitizing global economy.

Read Executive Summary

Thank you for your interest. Please enjoy the Executive Summary below.

Power Maps are an exclusive benefit of the FP Insider subscription. For full access to Data Governance, contact us at insider@foreignpolicy.com.

Executive Summary

Data governance has long been the domain of corporate and organizational strategy, lending a competitive advantage to those able to optimize their data collection, organization, transfer, and discovery practices. With the increasing digitalization of organizations and economies, data governance—and clear establishment of data collection standards, storage, transfer and use protocols—is becoming an increasingly pressing and global issue.

While intellectual property and proprietary data have long been governed through strict legal frameworks, relatively scant protections have existed for user data and personal information. This lax regulatory environment for consumer data in particular has enabled the rise and dominance of global tech companies from Facebook and Google to Baidu and Tencent and has spurred a wave of privacy-focused regulation around the world.

In FP Analytics’ Global Data Governance Power Map series, we examine the emerging laws, regulations, and technologies that are both enabling greater data collection and impacting cross-border data flows. By cataloging the data localization laws, comprehensive national data regulations, government data collection, monitoring and surveillance technologies, and cybersecurity norms and standards shaping the global data governance landscape, we identify and analyze the wide-ranging impacts for individuals, companies, governments, multilaterals, and non-profits.

Emerging data regulations are fundamentally altering how organizations of all types operate internationally. Major data privacy frameworks developed by first movers are serving as templates for other national frameworks under development, many of which are being tweaked to suit prevailing governments’ domestic agendas. For example, the recent passage of the EU’s General Data Protection Regulation (GDPR) and China’s Cybersecurity Law—two of the most comprehensive packages of data privacy regulations—have already had cascading impacts on businesses and organizations in these markets and on their trading partners. In 2017, U.S. firms cited data localization policies as their number-one impediment to digital trade, and these types of protectionist measures are rapidly proliferating worldwide. And that is just the beginning.

Simultaneously, many national governments are crafting exemptions to their data privacy laws, empowering them to expand monitoring capabilities and build up massive data collection infrastructure. New digital technologies, such as artificial intelligence (AI), biometric monitoring and facial-recognition software, are making data collection increasingly efficient. The onset of the COVID-19 pandemic accelerated the adoption of these technologies as governments began rapidly deploying surveillance technology to enforce quarantines and track the spread of the coronavirus. This mass accumulation of sensitive data can have transformative impacts on societies but pose new cybersecurity and privacy risks as regulation struggles to match the pace of technological advancement.

FP Analytics’ Data Governance Power Map series breaks down key emerging trends in global data governance by:

  • Pinpointing emerging global data governance trends;
  • Cataloguing specific data localization and data privacy laws by country;
  • Mapping encryption policies around the world;
  • Charting the global sales of data collection and surveillance technology; and
  • Exploring cybersecurity and privacy risks and the implications for businesses and individuals.

FP Analytics provides the most comprehensive assessment and mapping of data localization and privacy laws to date, as well as one of the most complete assessments and mappings of government data collection and regulation trends around the world. It is a powerful tool for businesses and others seeking to understand how evolving global governance regimes are shaping our digital world.

Subscribe to FP Insider below or contact us at insider@foreignpolicy.com for full access to Data Governance.

PART ONEEmerging Data Governance Practices

Introduction

Increasingly, government regulation is impacting the global flow of data, with varying, interconnected factors and incentives driving this proliferation of regulation. Specifically, governments are debating what information qualifies as personal data, and how private and public entities can collect, utilize, transfer, and monetize this data. The myriad measures implemented to date reflect a delicate balance of political, economic, and social factors, influenced by government officials, private companies, and citizens. Regulators around the world face the challenge of balancing nuanced and fraught issues of access and privacy, support for economic development, and establishing a functional, cross-border framework for the international transfer and collection of compounding volumes of data. Additionally, multiple parties must ensure data security across governmental, commercial, and personal realms. Varying efforts to craft regulations that optimize for national interests and constituencies are producing an increasingly complex mix of global Internet and data regulations expressing differing visions for how digital infrastructure should ultimately function, how big data is managed, and by whom. In this Power Map series, we break down the most comprehensive and impactful of these regulations and explain what they mean for businesses and citizens in our increasingly digital world.

Part 1

The Digital Economy and Drivers Behind Increasing Regulation

The massive volume of data flowing through global digital networks fueled the rise of many of the world’s largest companies, including global behemoths such as Alphabet and Tencent. It spawned multinational social media companies, such as Facebook and WeChat, allowing individuals to generate, access, and spread information at unprecedented rates. But new regulations are threatening to break up the party. The data collection practices upon which these companies’ business models are predicated are coming under increasing scrutiny from governments concerned about domestic and foreign companies’ collection and handling of their citizens’ data. This concern, coupled with some governments’ desire to expand their own digital economies and tax bases, is accelerating the global proliferation of data-related laws—from privacy, to data security, to data localization—as these government officials and regulators attempt to assert authority and capture value.

Key Takeaways

  • The Issue

    U.S. and Chinese companies dominate the global digital landscape. The digital economy accounts for 15.5 percent of world GDP, with the combined value of Internet platform companies—such as Alphabet (Google) and WeChat—accounting for roughly 9.4 percent of world GDP (roughly $7 trillion, larger than the GDP of any country in the world besides the U.S. or China). The vast majority of revenues accrue to a handful of U.S. and Chinese companies whose power and influence continue to grow as they collect and monetize data from citizens around the world.

  • The Reaction

    Governments’ increasing concern over foreign companies’ collection and monetization of user data is a primary driver of digital regulation. The rise of data privacy, security, and localization laws to protect citizens’ data rights and countries’ economic interests, while boosting individuals’ control over their data, is creating an increasingly complex legal and regulatory environment while raising operational and compliance costs for multinational companies operating across borders.

  • What’s at Stake

    While offering some protection for domestic companies, onerous and conflicting data governance regimes and regulations risk companies’ market access and further value creation in the digital economy Beyond threatening to create different regulatory regimes, government intervention in the market could push major tech companies to break up, or fundamentally change the rules of the Internet.

The Breakdown
The Rise of the Digital Economy and the Economic Drivers of Regulation
The Rise of the Digital Economy and the Economic Drivers of Regulation
User data is, by far, the most valuable commodity in the global economy.
  • GRAPHIC 1: The Size of the Digital Economy
  • GRAPHIC 2: Data Collected by Major Tech Companies
  • GRAPHIC 3: Market Dominance of Major Digital Economy Companies
Click to expand

The global digital economy encompasses the vast physical infrastructure enabling the Internet, the full range of Internet-connected user devices, and the immense amount of data flowing through them. The rapid growth of each of these components has collectively generated tremendous economic activity. Over the past 15 years, the global digital economy has grown two and a half times faster than global GDP. One key driver behind this robust growth is the exponential volume of data being generated, processed, and monetized. Every second, there are 2.7 million emails sent, 71,966 Google searches executed, 8,342 Tweets, and a total of 289,351 gigabytes (GB) of new user data generated. For context, 1 GB of data is equal to 677,963 pages of text, meaning that every second the equivalent a 196.2 billion-page book of new data is generated. 5G technology will connect billions more devices to the Internet through the enabling of the Internet of Things (IoT), and the combination of this vast expansion of Internet-connected devices and more of the world coming online in the next decade will exponentially increase the amount of data being generated. Currently, roughly 60 percent of the global population is online, with estimates showing that nearly 90 percent of the world’s population will come online by 2030 as Internet access is expanded throughout the developing world. This growing reservoir of data will fuel the world’s emerging and incumbent technology companies, with the ability to collect and monetize this data a matter of survival for some and a determinant of future growth for all.

Over the past fifteen years, the global digital economy has grown two and a half times faster than global GDP.

Among the digital giants, U.S. companies hold a dominant position, which has been gained largely through first-mover advantage, but Chinese companies are rapidly catching up. Led by Google, Amazon, and Facebook, 19 of the world’s twenty largest Internet companies are either American or Chinese. The five largest tech companies by market cap (Google, Amazon, Facebook, Alibaba, and Tencent) had a combined market value of nearly $3.5 trillion dollars at the end of 2020,8 and held dominant market positions. In 2020, Google accounted for 91 percent of the Internet search market, Facebook accounted for 69 percent of the global social media market, Amazon was responsible for 33 percent11 of the world’s cloud infrastructure services market These companies leveraged first-mover advantage by reinforcing network effects—the more users in the network, the more valuable the network is for all users—accumulating a competitive data edge early on, and turning their data edge into integrated services offerings that increase the cost to users if they switch to a competitor’s platform. Chinese companies have been able to replicate this success with domestic Internet and tech companies—such as Alibaba, Baidu, and JD.com—through a combination of limiting outside competition on the Internet, state funding, and the controversial joint-venture policy--which critics say has enabled Chinese firms to coopt outsiders’ technology. Critically, maintaining these advantages relies heavily on these companies’ ability to collect users’ data across international borders, with minimal if any restrictions, and integrate it into algorithms or sell it to advertisers. The proprietary algorithms used to monetize companies’ collected data are already governed through strict legal protections. However, the broader value of these companies is derived from their ability to generate, freely access, and smoothly transfer vast amounts of usergenerated data with minimal legal restrictions. This access to data enabled the meteoric rise of companies such as Facebook and Google, among others, which rely on being able to collect troves of global data to enable services such as Google Maps. The race to develop artificial intelligence applications is amplifying this demand.

Limited regulation of these companies to date has enabled them to capture the majority of revenue associated with data flows across borders. However, countries are increasingly developing measures to regulate data flows and e-commerce transactions to exert greater control over data generated within, and passing across, their national borders. In fact, data localization laws are becoming a standard mechanism for countries to exert control over the foreign collection of their citizens’ data and capture a share of the value. These laws and associated regulations place restrictions on how data can be stored within, and transferred outside of, a country. Their aims vary, from restricting foreign companies’ and governments’ access to sensitive user data, to boosting foreign and domestic investment in server infrastructure, to, in limited cases, handicapping or completely inhibiting foreign companies’ ability to operate within a country’s borders.

To date, roughly 75 percent of all data localization measures in place are meant to ensure data privacy and security when data is transferred outside of a country. These measures focus on restricting data transfers to countries that are deemed to have inadequate data privacy frameworks. However, roughly 25 percent of existing data localization measures include more extensive restrictions that aim to exert influence over data flows through physical data storage infrastructure. Countries that are intent on boosting their domestic economy (and tax base) through increased foreign investments in server infrastructure, or developing their domestic data storage industry, use data localization laws to mandate that data collected in a country be stored on a server within that country. This strategy is currently being pursued in Indonesia and Vietnam, for example. In a more extreme case, China has combined data localization laws with tight restrictions on foreign companies’ operations, beginning as early as 1996, to protect and foster the rise of its own multinational digital giants, such as Tencent and Alibaba, which use data to drive services from artificial intelligence to e-commerce. China’s development and increasing protection of its digital giants through regulation have provided a roadmap for other countries to emulate. In contrast, the U.S. and its digital giants have greatly benefited from the ability to collect data internationally through open data borders and have generally been at the forefront of opposition to emerging data localization laws.

Graphic 1

The Size of the Digital Economy

This graphic will illustrate all the different types of data and the amount of data being generated within the digital economy. See Appendix for sample graphic.

Internet of Things

Internet of Things (IoT)

26.6B

connected devices

400 zettabytes of data generated per year

Mobile Phones

Mobile Phones

7.2B

mobile phones

23 billion texts sent per day

Mobile Apps

Mobile Apps

3M

unique apps

205 billion annual app downloads

Internet Access

Internet Access

4.4B

Internet connnections (57.3% of population)

5 billion internet searches per day

Digital Platforms

Digital Platforms

294B

emails sent per day

500 million tweets per day

65 billion whatsapp messages per day

Finance Data

Finance Data

111B

credit card transaction per year (U.S.)

189 countries with financial transaction databases

SOURCES: World Economic Forum. How Much Data Is Generated Each Day?, UN Report: Radical Transformation or Dystopia?

Graphic 2

Personal Data Collected by Major Tech Companies

This graphic will illustrate the different categories of data that the largest tech companies admit to collecting about users in their privacy policies. See attachment for data.

  • Personal Data
  • Usage Data
SOURCES: Google Privacy Policy, Facebook Privacy Policy, Amazon Privacy Policy, Microsoft Privacy Policy, Alibaba Privacy Policy, Tencent (WeChat) Privacy Policy, Baidu Privacy Policy

Graphic 3

Market Dominance of Major Digital Economy Companies

This graphic will outline the amount of market share afforded to the largest tech companies operating in the digital economy. It is meant to show the tremendous advantage that incumbent companies have. See Appendix for sample graphic.

Cloud Service Providers Market Share

2020 Sales in USD Billions (estimated)  |  Market Share Percentage

Amazon Web Services

$41.28B  |  32%

Microsoft Azure

$25.8B  |  20%

Google Cloud

$11.61B  |  9%

Alibaba Cloud

$7.74B  |  6%

IBM Cloud

$6.45B  |  5%

Salesforce

$3.87B  |  3%

Oracle Cloud

$2.58B  |  2%

Tencent Cloud

$2.58B  |  2%

Other

$27.09B  |  21%
SOURCES: Amazon Web Service 2019 Earnings, IBM Cloud 2019 Earnings, Microsoft Azure 2019 Earnings, Google Cloud 2019 Earnings, Oracle Cloud 2019 Earnings, Salesforce Cloud 2019 Earnings, Alibaba Cloud 2019 Earnings, Tencent Cloud 2019 Earnings
Social Media Platform Market Share

2019 Sales in USD Billions  |  Market Share Percentage

Facebook

$70.7B  |  67%

YouTube

$15.1B  |  14%

Instagram

$14B  |  13%

Twitter

$3.46B  |  3%

Pinterest

$1.14B  |  1%

WeChat

$1.1B  |  1%
SOURCES: Facebook 2019 Earnings, YouTube 2019 Earnings, Instagram 2019 Earnings, Twitter 2019 Earnings, Pinterest 2019 Earnings, WeChat 2019 Earnings
Search Engine Market Share

2019 Sales in USD Billions  |  Market Share Percentage

Google

$134.8B  |  81%

Baidu

$15.43B  |  9%

Bing

$7.63B  |  5%

Yahoo!

$5.17B  |  3%

Yandex

$2.83B  |  2%
SOURCES: Google 2019 Earnings, Baidu 2019 Earnings, Bing 2019 Earnings, Yahoo! 2019 Earnings, Yandex 2019 Earnings

Government Regulation and the Increasing Demand for Data Privacy and Security

The unequal gains from the rise of the digital economy represent a key economic driver behind increasingly restrictive global data governance regimes and the proliferation of data localization laws worldwide. However, the push for data regulation has also been energized by growing social and political concerns over data privacy and data security. Government regulation in these realms is in response to citizens’ demands for data privacy and protection, the increasing frequency and severity of cyberattacks, and concern over foreign governments’ access to citizens’ data. While a simplification, these major drivers provide a framework for breaking down nuanced national, transnational, and local data regulations of varying scope, which may include conflicting elements as each government or regulatory body wrestles with balancing the intended and unintended consequences of regulation. Regulatory agencies, many of which are governed by politicians—not technocrats—are determining what data can be collected, where it can be stored, whether or how it can be transmitted, and how it can be secured, not to mention who is liable for the content.

The unequal gains from the rise of the digital economy represent a key economic driver behind increasingly restrictive global data governance regimes and the proliferation of data localization laws worldwide.

As governments and citizens around the world become increasingly aware of the scope of user data that big tech companies collect, data privacy laws are becoming increasingly stringent, and governments are increasingly pushing to reign in the power of large tech companies through regulatory action. Though laws were on the books in the U.S. and Europe as far back as the 1970s, they did not effectively govern the scope of data collection activities at the heart of today’s big tech companies’ operations. The recent and ongoing regulatory push illustrates governments’ attempts to catch up, as many are racing to update existing privacy laws by placing explicit limits on companies’ collection of user data and enforcing comprehensive data security and data transfer practices. The EU led the push to modernize data privacy laws, enacting the first comprehensive data privacy regulation, the Data Protection Directive, in 1995. In 2018, the EU’s release of the General Data Protection Regulation (GDPR) modernized the framework for data privacy regulation built on enforcing citizens’ civil liberties, individual freedoms, and rights in the digital realm, and it by far represents the most comprehensive legislation to date. Specifically, the GDPR requires that companies obtain consent to collect user data, honor requests to delete user data, enforce tighter cybersecurity practices, and comply with restrictions on the international transfer of users’ data outside of the EU. GDPR implementation rocked the digital world, increasing compliance costs and generating fines of €275 million ($330 million) as of January of 2021. It continues to alter how companies operate, not only in Europe but around the world. As countries such as Brazil and India draft similar comprehensive data privacy laws, the disruptive impact on digital commerce—and these major markets—is set to increase.

While other countries are adopting laws similar to the GDPR, the EU has continued to actively push for stronger data regulation measures domestically and among its trade partners. In December of 2020, the European Commission released drafts for the Digital Services Act (DSA) and the Digital Markets Act (DMA), representing a major overhaul of existing EU Internet regulation. These acts aim to put limits on mixing commercially obtained data with personally collected data—a practice that allows tech companies to create more comprehensive data profiles; collecting business competitors’ data; and refusing access to data collected on users and businesses. The EU aims to finalize the DSA and DMA in the first half of 2022, but a number of EU states, including France, Germany, and the Netherlands, have voiced concerns that the regulations are not strict enough. The Court of Justice of the European Union (CJEU) struck down the EU-U.S. Privacy Shield, effectively ending free data flows between the U.S. and the EU, until the two sides reach a new agreement. The UK’s decision to leave the EU has generated further disputes over data protection standards. In February 2021, the Commission presented a draft adequacy decision that would allow EU-UK data flows to continue uninterrupted, but as of July 2021, this adequacy decision has yet to be approved by the European Parliament. Similar to the EU-U.S. Privacy Shield, the decision could be challenged before the CJEU. If adopted, the Commission’s adequacy decision would contain a “sunset clause” of four years, which could lead to diverging standards on data privacy becoming a source of tension between the EU and the UK. Failure to meet EU data protection adequacy could cost UK firms between $1.35 billion and $2.16 billion, according to economists’ projections.

These regulations are part of an emerging trend in which governments seek to reign in large tech companies’ power. In the U.S., ten states are suing Google in an antitrust lawsuit, alleging that it has monopolized digital advertising. China has also moved toward tighter regulation on large tech companies, unveiling legislation drafts that include proposals to block companies from using consumer data to set discriminatory prices, or sell products at prices below cost to gain market share. These moves are indicative of a coming comprehensive regulatory push, illustrating governments’ will to establish stricter data governance regimes. Spurred by the threat that incendiary speech and misinformation on social media platforms pose to democratic discourse, governments have also started to take aim at regulating digital content. Existing regulations in the EU and the United States shield social media companies from liability for content on their platforms, but in recent years, some countries have passed laws that introduce so-called intermediary liability for social media companies. Most prominently, under Germany’s 2017 Network Enforcement Act, social media companies can face fines of up to 50 million Euros ($60 million) if they fail to take down certain illegal content, such as criminal online hate speech, in a timely manner. In the U.S., there are bipartisan calls for an overhaul or revocation of Section 230 of the 1996 Communications Decency Act, which shields Internet companies from intermediary liability. Under the DSA, digital platforms would remain protected from liability for user content, but growing backlash against such protections in Europe and the U.S. signals that further regulation could be created in the near future.

Despite the complexity of emerging regulations and multiple drivers behind them, characteristics of data governance regimes are emerging around the world, with each nation’s specific regulations reflecting the unique mix of economic, political, and social variables exerting the greatest influence on governing officials. Collectively, the clear global trend is toward increased regulation and protectionism.

Part 2

Data Localization and Its Commercial Implications

Data localization laws encompass the full range of restrictions a country places on foreign collection, storage, and transfer of its citizens’ data. Government regimes are taking different approaches to data localization; for example, Russia has the most restrictive data localization measures in place, and the U.S. is the strongest advocate for open borders with respect to data transfer. The methods that countries use to enforce and enact data localization regulations substantially impact how international companies can operate within their borders, with consequences for commercial activity both domestically and internationally.

Key Takeaways

  • The Issue

    Four distinct approaches to data localization regulation and implementation largely determine how companies’ digital operations can function within a country. They include: no restrictions, conditional restrictions, local copy requirements, and local data storage mandates. Without one uniform method for regulating international data flows, multinational firms will need to adjust practices to comply with the distinct laws of each market in which they operate.

  • The Reaction

    Some countries stand to benefit economically from data localization, but widespread global barriers on data transfers risk lower global growth overall. Data localization practices restrict the flow of data and raise costs for international tech companies, fragmenting markets and threatening to hinder global growth. Despite the potentially adverse economic impacts globally, data localization measures are continuing to be implemented as countries’ concerns with foreign data collection and governments’ attempts to limit their operations increase.

  • What’s at Stake

    Data localization restrictions threaten to deny or limit access to major data-reliant international corporations, including in key developing markets where the majority of future growth could occur, such as India and Vietnam. On a broad scale, data localization regulations stand to seriously disrupt the free cross-border flow of data, which has enabled the rise of digital commerce for the past few decades.

The Breakdown
Understanding Data Localization and Its Impact on Business
Understanding Data Localization and Its Impact on Business
Data localization restrictions are set to re-shape global digital commerce, and their impact is already being felt.
  • GRAPHIC 4: Impact of Data Localization Laws on Different Sectors
  • GRAPHIC 5: Global Data Localization Laws and Their Stringency
Click to expand

Data localization laws stand to have the most significant commercial impact on how businesses operate internationally and can determine whether a company is able to operate in a foreign country at all. They can be included in comprehensive national regulations or international agreements, or they can stand alone as single pieces of legislation. As noted above, the three major forms of data localization restrictions that countries impose include: conditional restrictions, local copy requirements, and local data storage mandates. Conditional restrictions lay out a set of rules that a company must follow to transfer data outside the country in which it was collected. The GDPR encapsulates this form of data localization, which mandates that data may only be transferred outside the EU to designated safe countries, or if there is a legally binding contract in place guaranteeing that certain conditions are met. In the GDPR, “safe” countries are defined by the levels of the data privacy and protection they provide, with transfers to countries deemed to have inadequate data protection regulations allowed only in exceptional circumstances.

Data localization laws stand to have the most significant commercial impact on how businesses operate internationally and can determine whether a company is able to operate in a foreign country at all.

The establishment of this standard has been the key catalyst in the recent proliferation of data privacy, data protection, and data localization laws. Of the 91 countries with one or more data localization laws in place, 62 have enacted or updated their data localization laws within the last five years. Fifty-one countries have data regulations that put in place similar data protection standards to the GDPR, with data localization clauses allowing data transfer only to other countries with similar standards in place. This has had a domino effect—the more countries that use a similar standard to the GDPR for data transfers, the more countries are forced to adopt similar data protection standards. This effect explains, in part, both the quickening pace of adoption of data privacy and data localization laws and why this trend is likely to continue accelerating.

The other forms of data localization regulations currently in place include local copy requirements and local only storage mandates. Local copy regulations allow data to be stored outside of a country only if there is a copy of the same data held on a server inside the country. Local only regulations—the most restrictive form of data localization—require that data be stored on a server within the country. Both of these types of regulatory practices grant governments access to all data collected but increase costs for foreign companies as they need to double the amount of data they store, build new servers, or rent server space locally. The increase in cost is a major objection raised against data localization regulations, primarily by the U.S. government and U.S.-based companies. In 2017, U.S. firms cited data localization policies as their number-one impediment to digital trade, with cost increases being a major contributing factor. For example, the U.S. government estimates the average cost of setting up a data center in Brazil, a country without extensive server infrastructure already in place, to be $60.9 million. The cost of renting one rack of server space in Thailand, where there is already a large domestic server industry, is $1,510 per month. Both countries are crucial markets for U.S. firms with data localization regulations currently in place.

In 2017, U.S. firms cited data localization policies as their number-one impediment to digital trade, with cost increases being a major contributing factor.

A 2016 study found that firms’ inability to operate internationally due to data localization–driven cost increases would result in a GDP decline of 0.1 to 0.3 percent in the U.S., 0.1 percent in Brazil, 0.55 percent in China, 0.48 percent in the EU, and 0.58 percent in South Korea. Despite this, more countries, and most major economies, continue to adopt data localization laws. If adopted, India’s Personal Data Protection Act, which is currently being debated in the Indian Parliament, will include both local copy and local only data localization restrictions—a move that will fundamentally alter India’s digital economy. As recently highlighted in Foreign Policy, eagerness to act before this law is adopted is likely a large driver behind Facebook’s recent $5.7 billion investment, the largest in its history, in the Indian cellular Internet service firm Jio Platforms. While as of this writing India’s Data Protection Act is still being finalized, many other major economies, such as the EU, Brazil, China, and Russia, have already enacted comprehensive data localization regulations, with varying degrees of stringency, which threaten to further fragment, if not completely inhibit, companies’ ability to operate internationally.

Graphic 4

Impact of Data Localization Laws on Different Sectors

This illustrates the way that data localization impacts different tech sectors in non-economic ways. See Appendix for sample graphic.

Internet communication services

Internet communication services

Impact: Internet service providers will need to individually craft data policies for each country in which they wish to operate. In other cases, laws may forbid a company from operating in the country at all.

Case Study from Russia: In 2016, Russia blocked web access to LinkedIn, citing breach of Russian law requiring websites to store personal data of Russian citizens on servers in Russia.

Cloud-based data processing

Cloud-based data processing

Impact: Cloud-based data processing will need to be done in-country, and companies will need to buy or rent server space in countries with strict data localization laws, such as Vietnam and Thailand. These costs are likely to be untenable for smaller operators, inhibiting them from being able to enter these countries.

Case Study from Vietnam: In a country such as Vietnam, where natural disasters are frequent, the risk of losing critical data is amplified by multinationals storing it within the country’s borders. The World Bank estimates that 60 percent of Vietnam’s total land area and 71 percent of its population are at risk of cyclones and floods.

E-commerce

E-commerce

Impact: Data localization will likely add costs to conducting e-commerce, as countries operating in multiple markets with data localization laws will need to store customer data, including financial transaction records, in those respective countries.

Case Study from Turkey: Turkey’s data localization laws requiring all suppliers of electronic payment services to maintain all information systems within Turkey led PayPal to suspend operations within Turkey in 2016.

Internet of Things

Internet of Things (IoT)

Impact: Applying data localization to the IoT will necessitate the creation of new data centers and create an increased number of potential breach sites containing sensitive information. The IoT relies heavily on data being transferred seamlessly, usually in real time, and data localization measures threaten to prevent certain IoT innovations from being able to function.

Case Study from South Korea: South Korea restricts the export of location-based data. This policy could potentially prevent autonomous vehicles, which would incorporate traffic updates and navigation, from functioning.

SOURCE: United States International Trade Commission: Global Digital Trade Report 2017; FP Analytics.

Graphic 5

Global Data Localization Laws and Their Stringency

Data localization laws are becoming increasingly common around the world, despite U.S. objections. Globally, 74 countries have a form of conditional restrictions on the transfer of data, and 18 countries have more stringent local only, or local copy, data localization laws covering different types of personal data. In most cases, data localization laws do not cover all types of data, and restrictions on the transfer of data may differ, depending on the type of data. For example, local only data localization restrictions are used more frequently to cover financial information and health information than to cover other types of data (such as Internet search results). With the exception of Pakistan, all of the data localization restrictions mapped out below are embedded into wider data privacy protection laws, which are covered in detail in the next section.

Hover over the countries for details.

Conditional restrictions on data transfers
Local copy restrictions on one or more types of personal data
Local only restrictions on one or more types of personal data
No data localization laws
Global Data Localization Laws and Their Severity
SOURCE: DLA Piper: Global Data Protection Laws of the World Full Handbook.

DIG DEEPER: Explore FP Analytics’ Global Data Governance policy database that provides a comprehensive regional and country-level breakdown of global data governance practices in 138 countries worldwide.

Part 3

Beyond Data Localization: Other Influential Data Regulations and Emerging Data Governance Practices

In addition to data localization, varying economic, political, and social factors are driving governments to craft other data governance measures. Due to each country’s unique regulatory environment, data governance practices can differ significantly globally. However, common frameworks, particularly for data privacy laws, are emerging. As with GDPR, to date, a few influential countries with significant market power are leading the way by enacting comprehensive data regulation laws.

Key Takeaways

  • The Issue

    Led by the EU and China, countries with large domestic markets and significant global influence are defining data governance trends internationally. Within the past four years, the EU, China, India, and Brazil all enacted or drafted comprehensive data regulations focused on their national interests. These regulations are reshaping the global data governance landscape and are being emulated, revised, or adapted by other nations with similar interests.

  • The Reaction

    Variations within and among data governance regimes are disrupting multinationals’ ability to operate in the global digital economy and raising costs. Data regulations are fundamentally dividing cyberspace into different spheres and upending businesses’ ability to operate seamlessly across borders, forcing businesses to adhere to a complex mix of often conflicting regulations in order to operate within different national borders.

  • What’s at Stake

    While aiming to protect privacy more effectively, the layering of data regulations is making operating internationally in the digital economy more complicated and costly. Despite the GDPR and similar data privacy laws being enacted largely in response to the international dominance and data collection practices of large U.S. tech companies, a more complicated regulatory landscape will likely favor larger and more established firms, as they can better bear the increased legal costs and potential fines.

The Breakdown
Key Regulations and Emerging Data Governance Practices
Key Regulations and Emerging Data Governance Practices
Comprehensive data privacy regulations in the EU and China are establishing new norms for global data governance.
  • GRAPHIC 6: Comprehensive Regulations Reshaping Global Data Governance Norms
  • GRAPHIC 7: GDPR Fines to Date
  • GRAPHIC 8: Mapping Global Data Privacy Regulations
Click to expand

Data privacy laws have undergone numerous transformations globally since the first national level data privacy law, Bundesdatenschutzgesetz (BDSG), was enacted in Germany in 1970. The rapid advancement of digital technologies in the Internet age and growing consumer awareness, particularly over the past two decades, are putting increasing pressure on countries to update their privacy laws. Currently, 160 countries have a law or laws that reference data privacy, and 102 countries and territories have specific laws dedicated primarily to data privacy. In an early effort to harmonize the increasingly fractured regulatory landscape, international data privacy standardization frameworks emerged. The international framework currently covering the greatest share of global economic activity is the Asian Pacific Economic Cooperation’s Cross-Border Privacy Rules (referred to as the APEC Privacy Framework), which was established in 2011. Twenty-one countries have opted into these data privacy standards, including the U.S., Mexico, Canada, Japan, South Korea, Singapore, and Australia, as well as twenty-three multinational corporations, including Apple, HP, IBM, and Merck. However, this international framework is not legally enforceable as it is not backed by a specific government jurisdiction.

The passage of the GDPR and China’s Cybersecurity Law marked the beginning of a new trend in data governance—the implementation of comprehensive national level data privacy regulations that carry cascading impacts for the global digital economy.

Until 2016, it appeared that the APEC Privacy Framework, and similar international data privacy agreements, would foster harmonization of international data governance going forward. However, in 2016, the APEC Privacy Framework and the global data regulatory landscape were upended with the passing of the EU’s GDPR and China’s Cybersecurity Law. Both laws introduced key changes to how data privacy is regulated and were consequentially enacted in two of the world’s largest economic blocs and most globally influential countries. Driven by concerns over civil liberties and foreign companies’ data collection activities, the GDPR introduced an expansive definition of how personal data applies broadly to any business offering services to EU citizens, set higher compliance standards, and is enforceable directly through fines. China’s Cybersecurity Law uses the GDPR principles as a base but built on the GDPR standards by setting significantly stricter limits on data transfers outside of the country, placing export restrictions on data deemed essential to the public interest and granting the government broad access to data collected within its borders. Critically, China’s Cybersecurity Law adapted the GDPR principles to suit its own national interests, effectively creating its own data governance framework and further dividing digital commerce instead of harmonizing it under GDPR standards. The GDPR initially received some criticism from businesses due to increased compliance costs and the risk of fines, with small businesses in particular struggling to meet new requirements. The GDPR also impacted small businesses with little brand recognition, who lacked the established consumer trust necessary for data collection consent. The end result has been that, in practice, many small businesses in the EU have simply opted not to comply with the GDPR—fewer than half of businesses (44 percent) report compliance with key measures in 2019—leaving them vulnerable to being fined.

The passage of the GDPR and China’s Cybersecurity Law marked the beginning of a new trend in data governance—the implementation of comprehensive national level data privacy regulations that carry cascading impacts for the global digital economy. The U.S. government and private sector are vocal critics of this trend, broadly preferring the APEC Privacy Framework, as it is more flexible and favorable to business, is less costly, and allows companies to expand internationally with greater ease. However, comprehensive national frameworks are shaping global digital commerce, with the volume of goods and services traded under the EU’s GDPR standard ($8.1 trillion) and China’s Cybersecurity Law ($2.5 trillion), dwarfing the volume traded under the APEC Privacy Framework ($1.2 trillion). Additionally, India and Brazil, two of the world’s top-five countries in terms of Internet users, have both adopted or drafted comprehensive national-level data privacy regulations similar to the GDPR. Overall, thirty-five countries, besides the EU countries and China, have updated or adopted more comprehensive data privacy laws since 2016, generally using the GDPR as a minimum standard from which to construct a unique national data privacy framework. This demonstrates a clear trend toward national-level regulation and stricter data privacy standards enforceable through fines.

While there remains a debate on the long-run impact of compliance and which companies it will hit hardest, the GDPR has undeniably impacted EU tech startups, as the overall venture funding for EU tech firms decreased by €12.5 million per month per member state, between May 2018 and April 2019. Additionally, advertisers have been hit particularly hard by the GDPR. Advertising vendors, particularly smaller companies, lost between 18 and 31 percent market reach in the EU, between April and July 2018. If the trend toward more comprehensive data governance regulations modeled after the GDPR standards continues, these impacts are likely to be replicated around the world. As countries adopt similar standards, the ability to fully understand diverse regulatory environments, and to take proactive measures as legislation is adopted, will provide a competitive advantage for businesses with the capacity and resources to comply.

Graphic 6

Breakdown of Major Existing Data Governance Regulations

While there are hundreds of data governance laws and regulations globally, a handful of comprehensive laws in the EU, China, Brazil, and India are shaping the emerging data governance frameworks globally. Understanding these regulations, and their impact, will be critical to the future of e-commerce due to the size and importance of their markets. (China’s is the world’s largest e-commerce market with $2.3 trillion in sales in 2020, the EU is third, and India is seventh.) Understanding these data privacy regulations provides insight into what provisions future comprehensive data regulations in smaller regional markets are likely to contain. The key data localization and privacy provisions of each regulation are broken down below. Additional cyber and national security provisions will be covered in Part II of this series.

DIG DEEPER: Explore FP Analytics’ Global Data Governance policy database that provides a comprehensive regional and country-level breakdown of global data governance practices in 138 countries worldwide.

Breakdown of Major Existing Data Governance Regulations

Four major data privacy regulations in the EU, China, India, and Brazil are reshaping global data governance. Their key provisions are broken down below.

Major Regulations
Region map
EU: GDPR

(Passed: 2016, In effect since 2018)

Snapshot: Establishes a comprehensive data privacy framework for EU citizens.

Background: Europe has a long history of data privacy laws dating back to 1970, with varying versions of data privacy regulation enacted across its member states. Adopted in April 2016, and enforceable since May 2018, the GDPR is an attempt to harmonize the EU’s Member States’ data collection and data transfer practices. The GDPR increases privacy around individuals’ personally identifying data, makes data laws enforceable through fines, harmonizes data laws across Member States, and makes national data laws enforceable on international firms. To date, €284 million in fines have been levied, with the largest fine being €50 million against Google for having an insufficient legal basis for processing data.

Data Localization Elements

Personal data can only be transferred to another country, and that is acceptable when an “adequate level of protection,” defined as a country with comparable data privacy laws, is provided. Countries and jurisdictions that are currently considered to have an adequate level of protection are Andorra, Argentina, Canada (only commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and Japan. For data transfers outside of these countries, data protections must be guaranteed through a legally binding contractual clause.

Data Privacy Elements
  • Consumers must give expressed, unambiguous consent to having their personal data shared, and that consent can be withdrawn at any time.
  • Companies must notify the GDPR supervisory board within seventy-two hours of a data breach, or fines of up to 4 percent of yearly revenue will be imposed.
  • Individuals have the “right to be forgotten” and may request that information be removed from Internet searches and other directories.
  • Platforms are held legally liable for removing copyright-infringing material and can be fined for non-compliance.
China: Cyber Security Law

(Passed: 2016, In effect since 2017)

Snapshot: Significantly restricts foreign companies’ ability to operate in China through strict data localization laws and increases government private-sector oversight.

Background:China’s Cyber Security Law, passed in 2016 and enacted in June 2017, is broad, sweeping legislation that dictates how national companies must approach security and privacy. Critically, it reforms data management and Internet-usage regulations in China, enhancing the government’s jurisdictional control over content on the Internet and data collected by private companies. In addition to the Cyber Security Law, the Chinese government also introduced a draft Data Security Law and a draft Personal Information Protection Law (PIPL) in 2020. These laws differ in scope from the Cyber Security Law, but if passed, they would create new data security requirements and binding obligations on personal data protection for organizations and further restrict cross-border data transfer. The PIPL is a comprehensive personal data protection law, modeled on the EU’s GDPR. Like the GDPR, under the draft PIPL, data processors could process personal data without consent in certain cases, such as when needed to fulfill a contract or perform a legal duty, or when responding to a public health emergency. The PIPL’s jurisdiction would extend outside of China and would require large data processors to store personal data within China.

Data Localization Elements
  • Require network operators in critical sectors to store data gathered or produced in the country within mainland China, which both allows government access to the data and increases the need for companies in key sectors, such as banking, to have their services within China.
  • Require business information and data on Chinese citizens gathered within China to be kept on domestic servers and not transferred abroad without permission.
Data Privacy Elements
  • Network product and service providers that collect users’ information are required to inform and obtain consent from the users.
  • Individuals have the right to require network operators to correct errors in personal information collected or stored by them.
  • Fines for non-compliance are up to €20 million or 4 percent of annual global revenue.
Brazil: Lei Geral de Proteção de Dados (General Data Protection Act, or LGPD)

(Passed: 2018; In effect: 2020)

Snapshot: Modeled after the GDPR, it establishes a data privacy framework similar to the EU’s in Brazil.

Background: Inspired by the GDPR, the Brazilian General Data Protection Act is a comprehensive data governance regulation establishing rules on collecting, handling, storing, and sharing of personal data managed by any organization operating in Brazil or handling Brazilians’ data. The bill differs from the GDPR most significantly in its enforcement mechanisms, having significantly lower maximum fines of €11 million (R$50 million) or 2 percent of annual global revenue and no time requirements for data breach reporting, and places less stringent legal requirements on data processors, thus allowing them additional justifications for collecting and processing individuals’ data (such as to protect an individual’s credit score).

Data Localization Elements
  • Data can be transferred with minimal restrictions to countries deemed to have adequate levels of privacy protections in place.
  • Personal data can be transferred internationally with the express consent of the data subject, which must be obtained prior to the transfer.
  • User data may be transferred internationally if there is a guarantee by the controller through contractual instruments, such as binding corporate rules and standard clauses, that it will comply with the principles, data subject rights, and data protection regime provided by law.
Data Privacy Elements
  • Require implied authorization for collection and sale of personal data, a modified and slightly less stringent standard than the GDPR; the wording leaves it ambiguous compared to the GDPR, which states that consent must always be given through an opt-in, a declaration, or an active motion.
  • Users have the right to anonymize (remove personally identifying information from the data) or block or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD.
  • Users have the right to request elimination of personal data processed with the consent of the holder.
India: Personal Data Protection Bill (Draft)

(Drafted: August 2018, Pending)

Snapshot:Includes stricter local copy data localization provisions than the GDPR, but less restrictive than China’s, and requires written consent for data collection and transfer for sensitive data.

Background: The bill is currently up for consideration in the Indian parliament and is still being analyzed by a joint parliamentary committee. The bill represents India’s first comprehensive approach to regulating data privacy and security. If passed, the bill will significantly alter the global digital economy by enforcing data localization standards on the world’s second-largest IT market—India has the second-largest number of citizens online in the world, with 560 million, compared to China’s 854 million. While the bill is modeled after the GDPR to an extent, provisions on data localization, users’ consent for businesses to collect data, and government access to users’ data go significantly further.

Data Localization Elements
  • Require the storage and processing of personal data on servers located within India.
  • Sensitive personal data may not be transferred outside of India.
  • Financial records and any personal banking data may not be transferred outside of India.
Data Privacy Elements
  • Require companies to obtain parent or guardian consent for collecting data belonging to children.
  • Individuals have the “right to be forgotten” as well as the “right to access in one place the identities of the data fiduciaries with whom his personal data has been shared by any data fiduciary together with the categories of personal data shared with them.”
  • Data fiduciaries are required to prepare a “privacy by design” policy to apply when building their internal IT systems.
SOURCES: GDPR Text, China Cybersecurity Law Text, Brazil LGPD Text, India Data Privacy Draft Law Text

Graphic 7

GDPR Fines to Date

To date, the EU has levied 714 fines related to GDPR infractions; their distribution is broken down below.

  • USD
  • EURO

Totals: 714 Violations / $347,099,396 Total Cost / $486,134 Average Cost

Totals: 714 Violations / €291,680,165 Total Cost / €408,516 Average Cost

SOURCE: GDPR Enforcement Tracker
Largest Fines by Company (USD)
as of June 30, 2021

Google Inc.

$59,500,000

H&M

$41,957,863

TIM

$33,082,000

British Airways

$26,234,740

Marriot International, Inc

$24,335,500

Wind Tre S.p.A.

$19,873,000

Vodafone Italia S.p.A.

$14,579,405

notebooksbilliger.de

$12,376,000

Eni Gas e Luce

$10,115,000

Vodafone España, S.A.U.

$9,698,500
SOURCE: GDPR Enforcement Tracker

Graphic 8

Mapping Global Data Privacy Regulations

The most comprehensive and influential data governance regulations to date, listed above, are already serving as templates for data governance throughout the world, a trend that is likely to continue. As of July of 2021, 113 countries have laws that specifically address data privacy elements. However, few countries have one comprehensive data governance law covering all aspects of data privacy. Existing laws often restrict private companies’ access to personal data, limit the sale of data on secondary markets without user consent, and seek to ensure safe international transfer of data. Critically, existing data privacy laws are meant to protect citizens’ data from being exploited by private companies, foreign governments, and bad actors. Generally, they are not meant to protect citizens’ data from domestic government access. In fact, many of these privacy laws actually increase government access to user data. The issues of government access and surveillance will be covered in the second installment of this Power Map.

Below, we map out the different data privacy laws in place throughout the world and list the data privacy issues they address. The dropdown menu below the map includes details on the provisions included in each data privacy law, and the corresponding level of data localization measures included (which were mapped out in the previous section).

Global Privacy Laws
  • National Data Protection Authority: A central government authority is established to oversee and enforce data privacy laws.
  • Registration Requirement: Businesses are required to register their databases with the national data protection authority.
  • Data Protection Officer: A data protection officer is designated at either the national, regional, or organizational level.
  • Data Localization Provisions: There is some form of restriction on the international transfer of data in place.
  • Cybersecurity Provisions: There are cybersecurity standards established, which data processors are legally bound to uphold.
  • Breach Notification: Data controllers and processors must notify individuals if their personal data has been compromised.
  • Enforcement Through Fine: Laws can be enforced through a monetary fine.
  • Online Data Privacy Element: Online collection of data is restricted to some degree.

Hover over the countries for details or see the table below.

See the table below for details.

Data Privacy Laws
SOURCE: DLA Piper: Global Data Protection Laws of the World Full Handbook.

*Map only includes countries with laws specifically governing electronic data and addressing similar standards to other major data privacy regulations or international frameworks. Countries with data privacy laws that are not enforceable, or do not address any of the key areas covered in other major data privacy regulations and frameworks, are not included.

National level data privacy laws including embedded degree of data localization restriction
Conditional restrictions on data transfers
Local copy restrictions on one or more types of personal data
Local only restrictions on one or more types of personal data
No data localization laws

Search for a country or view by region:

  • All Regions
  • Africa & Middle East
  • Asia & Pacific
  • Europe
  • The Americas
Click to expand

DIG DEEPER: Explore FP Analytics’ Global Data Governance policy database that provides a comprehensive regional and country-level breakdown of global data governance practices in 138 countries worldwide.

Navigating an Increasingly Fractured Future

The implementation of new and updated data governance regulations across the world is fundamentally changing the business landscape across the digital landscape. Data localization requirements, more comprehensive and widely enforceable data privacy laws, and increased cybersecurity laws (which will be explored in Part II of this series) are creating a complicated and increasingly costly web of regulations for businesses to navigate. These factors stand to impact small businesses disproportionately, though increasing compliance costs have been a major point of contention for large businesses as well. However, with the recent adoption of comprehensive privacy laws in major e-commerce markets, data regulation is likely to continue to accelerate. While privacy laws to date have been passed to protect users’ data from being exploited by large international companies and foreign governments, there is a concurrent wave of data privacy laws around the world that are enabling governments to have sweeping access to user data. These laws range from China’s Cybersecurity Law (elements of which we have covered in this section) to the Patriot Act in the U.S. For individuals, the amount of data being accessed by governments through surveillance and requests to private companies is rising sharply. Simultaneously, governments are embarking on a drive to repeal cybersecurity provisions, such as end-to-end encryption as in the case of the U.S.’s EARN IT Act, in order to collect citizens’ data more effectively. In Part II of our Data Governance Power Map series, we dive into these and other measures and how governments are increasing their data collection efforts globally, and what this means for businesses and private citizens.

READ PART TWO NOW:Evolving Government Data Collection Practices

EXPLORE FP ANALYTICS’ GLOBAL DATA GOVERNANCE POLICY DATABASE

Written by Christian Perez. Edited by Allison Carlson. Copyedited by David Johnstone. Design by Andrew Baughman and Jon Benedict. Development by Andrew Baughman. Art direction by Lori Kelley.

FP Analytics

Learn more about how FP Analytics can enable your organization to act strategically through data-driven insights at ForeignPolicy.com/FP-Analytics.

[ related articles heading here ]:

References

Back to top