Data Governance

Part One: Emerging Data Governance Practices

PUBLISHED: May 13, 2020

In FP Analytics’ previous Power Map, 5G Explained, we detailed the complex physical infrastructure necessary to create 5G networks and broke down the issues surrounding the control of that infrastructure, setting of international standards, bandwidth ownership, and security. In Part I of this series, we examine the emerging regulatory challenges surrounding governance of the data and information that flows through not only 5G networks, but digital infrastructure globally. While 5G networks will be vast, they represent a mere fraction of the interconnected digital networks that comprise the global Internet. As the Internet serves as the circulatory system for digital connectivity, data is its lifeblood. How it is allowed to move throughout this system has immense consequences for governments, companies, and individuals.

Executive Summary

Emerging data governance trends are re-shaping the global digital economy, which currently accounts for nearly 16% of global GDP and is growing two and a half times as fast. The general lack of data governance has long been a core competitive advantage for U.S. tech companies and has facilitated the rise of global Chinese competitors. This environment enabled the market dominance of companies such as Facebook, Google, Baidu, and Tencent, which rely on being able to collect troves of data from countries around the world.

However, new and updated national data privacy and data localization laws are fundamentally altering the way that companies can conduct business internationally. The recent passage of the EU’s General Data Protection Regulation (GDPR) and China’s Cybersecurity Law – two of the most comprehensive packages of data privacy regulations – has already had cascading impacts on businesses in these markets and all of their trading partners. And this is just the beginning.

Among data governance measures, data localization represents a powerful tool for governments seeking to gain control over data – and a share of the value it generates – within their national borders. In the last few years, over seventy countries have passed new or updated data privacy laws that include some form of data localization – one of the most restrictive and costly measures. In 2017, U.S. firms cited data localization policies as their number-one impediment to digital trade – and these types of protectionist measures are only growing.

The coming era of increasingly stringent data localization and data privacy laws has the potential to erode digital giants’ competitive advantage – making operating in certain markets significantly more costly, and potentially pushing foreign firms out of some markets altogether, as has already been the case in Russia and China. These laws also make it difficult for smaller firms to compete. While the growing layers of data regulation will impact each firm differently, understanding how data governance regimes are evolving and the explicit data-related measures that apply in each country will be critical to maintaining competitiveness within and across borders.

In Part I of FP Analytics’ Data Governance Power Map Series, we break down the rapidly evolving regulatory environment surrounding data by:

  • Pinpointing emerging governance trends;
  • Cataloguing specific data localization and data privacy laws by country;
  • Mapping regulation around the world; and,
  • Explaining the risks and potential impacts on business.

FP Analytics’ Power Map provides the most comprehensive assessment and mapping of data localization and privacy laws to date and is a tool for businesses and others seeking to understand how these evolving governance regimes are shaping our digital world.

Introduction

Increasingly, government regulation is disrupting the global flow of data, with varying, interconnected factors and incentives driving this proliferation of regulation. The myriad measures implemented to date reflect a delicate balance of political, economic, and social factors, influenced by government officials, private companies, and citizens. Regulators around the world face the challenge of balancing nuanced and fraught issues of access and privacy, support for economic development, and establishing a functional, cross-border framework for the international transfer and collection of compounding volumes of data. Additionally, multiple parties must ensure data security across governmental, commercial, and personal realms. Varying efforts to craft regulations that optimize for national interests and constituencies are producing an increasingly complex mix of global Internet and data regulations expressing differing visions for how digital infrastructure should ultimately function, how big data is managed, and by whom. In this Power Map series, we break down the most comprehensive and impactful of these regulations and explain what they mean for businesses and citizens in our increasingly digital world.

Part 1

The Digital Economy and Drivers Behind Increasing Regulation

The massive volume of data flowing through global digital networks fueled the rise of many of the world’s largest companies, including global behemoths such as Alphabet and Tencent. It spawned multinational social media companies, such as Facebook and WeChat, allowing individuals to generate, access, and spread information at unprecedented rates. But new regulations are threatening this meteoric growth. The data collection practices upon which these companies’ business models are predicated are coming under increasing scrutiny from governments concerned about domestic and foreign companies’ collection and handling of their citizens’ data. This concern, coupled with some governments’ desire to expand their own digital economies and tax bases, is accelerating the global proliferation of data-related laws—from data localization, to privacy, to data security—as these government officials and regulators attempt to assert authority and capture value.

Key Takeaways

  • The Issue

    U.S. and Chinese companies dominate the global digital landscape. The digital economy accounts for 15.5 percent of world GDP, with the combined value of Internet platform companies—such as Google and WeChat—accounting for roughly 9.4 percent of world GDP (roughly $7 trillion, larger than the GDP of any country in the world besides the U.S. or China). The vast majority of revenues accrue to a handful of U.S. and Chinese companies whose power and influence continue to grow as they collect and monetize data from citizens around the world.

  • The Reaction

    Governments’ increasing concern over foreign companies’ collection and monetization of user data is a primary driver of digital regulation. The rise of data privacy, security, and localization laws to protect citizens’ data rights and countries’ economic interests, while boosting individuals’ control over their data, is creating an increasingly complex legal and regulatory environment while raising operational and compliance costs for multinational companies operating across borders.

  • What’s at Stake

    While offering some protection for domestic companies, onerous and conflicting data governance regimes and regulations put at risk companies’ market access and further value creation in the digital economy.

The Breakdown
The Rise of the Digital Economy and the Economic Drivers of Regulation
User data is, by far, the most valuable commodity in the global economy.

The global digital economy encompasses the vast physical infrastructure enabling the Internet, the full range of Internet-connected user devices, and the immense amount of data flowing through them. The rapid growth of each of these components has collectively generated tremendous economic activity. Over the past fifteen years, the global digital economy has grown two and a half times faster than global GDP. One key driver behind this robust growth is the exponential volume of data being generated, processed, and monetized. Every second, there are 2.7 million emails sent, 71,966 Google searches executed, 8,342 Tweets, and a total of 289,351 gigabytes (GB) of new user data generated. For context, 1 GB of data is equal to 677,963 pages of text, meaning that every second the equivalent of a 196.2 billion-page book of new data is generated. 5G technology will connect billions more devices to the Internet by enabling the Internet of Things (IoT), and the combination of this vast expansion of Internet-connected devices and more of the world coming online in the next decade will exponentially increase the amount of data being generated. Currently, roughly 60 percent of the global population is online, with estimates showing that nearly 90 percent of the world’s population will come online by 2030 as Internet access is expanded throughout the developing world. This growing reservoir of data will fuel the world’s emerging and incumbent technology companies, with the ability to collect and monetize this data existential for some and a determinant of future growth for all.

Among the digital giants, U.S. companies hold a dominant position, which has been gained largely through first-mover advantage. The world’s five largest companies by revenue are all U.S.-based (Apple, Amazon, Facebook, Google, and Microsoft) and have a combined market value of nearly $4 trillion. Google accounts for 81 percent of the Internet search market, Facebook accounts for 67 percent of the global social media networks, and Amazon is responsible for 36 percent of the world’s online retail activity and cloud infrastructure services market. These companies leveraged first-mover advantage by reinforcing network effects—the more users in the network, the more valuable the network is for all users—accumulating a competitive data edge early on, and turning their data edge into integrated services offerings that increase the cost to users if they switch to a competitor’s platform. Critically, these advantages relied heavily on these companies’ ability to collect users’ data across international borders, with minimal if any restrictions, and integrate it into algorithms or sell it to advertisers. This access to data enabled the meteoric rise of companies such as Facebook and Google, among others, which rely on being able to collect troves of global data to enable services such as Google Maps. The race to develop artificial intelligence applications is amplifying this demand.

Limited regulation of these companies to date has enabled them to capture the majority of revenue associated with data flows across borders. However, countries are increasingly developing measures to regulate data flows and e-commerce transactions to exert greater control over data generated within, and passing across, their national borders. In fact, data localization laws are becoming a standard mechanism for countries to exert control over the foreign collection of their citizens’ data and capture a share of the value. These laws and associated regulations place restrictions on how data can be stored within, and transferred outside of, a country. Their aims vary, from restricting foreign companies’ and governments’ access to sensitive user data, to boosting foreign and domestic investment in server infrastructure, to, in limited cases, handicapping or completely inhibiting foreign companies’ ability to operate within a country’s borders.

To date, roughly 75 percent of all data localization measures in place are meant to ensure data privacy and security when data is transferred outside of a country. These measures focus on restricting data transfers to countries that are deemed to have inadequate data privacy frameworks. However, roughly 25 percent of existing data localization measures include more extensive restrictions that aim to exert influence over data flows through physical data storage infrastructure. Countries that are intent on boosting their domestic economy (and tax base) through increased foreign investments in server infrastructure, or developing their domestic data storage industry, use data localization laws to mandate that data collected in a country be stored on a server within that country. This strategy is currently being pursued in Indonesia and Vietnam, for example. In a more extreme case, China has combined data localization laws with tight restrictions on foreign companies’ operations, beginning as early as 1996, to protect and foster the rise of its own multinational digital giants, such as Tencent and Alibaba, which use data to drive services from artificial intelligence to e-commerce. China’s development and increasing protection of its digital giants through regulation have provided a roadmap for other countries to emulate. In contrast, the U.S. and its digital giants have greatly benefited from the ability to collect data internationally through open data borders and have generally been at the forefront of opposition to emerging data localization laws.

Graphic 1

The Size of the Digital Economy

The modern digital economy continually generates massive amounts of personal data

  • Internet of Things (IoT): 26.6B connected devices; 400 zettabytes of data generated per year
  • Mobile Phones: 7.2B mobile phones; 23 billion texts sent per day
  • Mobile Apps: 3M unique apps; 205 billion annual app downloads
  • Internet Access: 4.4B Internet connections (57.3% of population); 5 billion Internet searches per day
  • Digital Platforms: 294B emails sent per day; 500 million tweets per day; 65 billion WhatsApp messages per day
  • Finance Data: 111B credit card transactions per year (U.S.); 189 countries with financial transaction databases

Graphic 2

Data Collected by Major Tech Companies

Personal data collected and stored by the largest U.S. and Chinese tech companies

  • Personal Data
  • Usage Data

Graphic 3

Market Dominance of Major Digital Economy Companies

The largest cloud service, social media, and search engine companies dominate the global competition

Cloud Service Providers Market Share

2019 Sales in USD Billions  |  Market Share Percentage

  • Amazon Web Services: $35.06B  |  36%
  • IBM Cloud: $21.2B  |  22%
  • Microsoft Azure: $11.9B  |  12%
  • Oracle Cloud: $5.9B  |  6%
  • Google Cloud: $8.92B  |  9%
  • Salesforce: $4.5B  |  5%
  • Alibaba Cloud: $3.68B  |  4%
  • Tencent Cloud: $2.4B  |  2%
  • Other: $2.54B  |  3%

SOURCES: Amazon Web Service 2019 Earnings, IBM Cloud 2019 Earnings, Microsoft Azure 2019 Earnings, Google Cloud 2019 Earnings, Oracle Cloud 2019 Earnings, Salesforce Cloud 2019 Earnings, Alibaba Cloud 2019 Earnings, Tencent Cloud 2019 Earnings

Social Media Platform Market Share

2019 Sales in USD Billions  |  Market Share Percentage

  • Facebook: $70.7B  |  67%
  • YouTube: $15.1B  |  14%
  • Instagram: $14B  |  13%
  • Twitter: $3.46B  |  3%
  • Pinterest: $1.14B  |  1%
  • WeChat: $1.1B  |  1%

SOURCES: Facebook 2019 Earnings, YouTube 2019 Earnings, Instagram 2019 Earnings, Twitter 2019 Earnings, Pinterest 2019 Earnings, WeChat 2019 Earnings

Search Engine Market Share

2019 Sales in USD Billions  |  Market Share Percentage

  • Google: $134.8B  |  81%
  • Baidu: $15.43B  |  9%
  • Bing: $7.63B  |  5%
  • Yahoo!: $5.17B  |  3%
  • Yandex: $2.83B  |  2%

SOURCES: Google 2019 Earnings, Baidu 2019 Earnings, Bing 2019 Earnings, Yahoo! 2019 Earnings, Yandex 2019 Earnings

Government Regulation and the Increasing Demand for Data Privacy and Security

The unequal gains from the rise of the digital economy represent a key economic driver behind increasingly restrictive global data governance regimes and the proliferation of data localization laws worldwide. However, the push for data regulation has also been energized by growing social and political concerns over data privacy and data security. Government regulation in these realms is in response to citizens’ demands for data privacy and protection, the increasing frequency and severity of cyberattacks, and concern over foreign governments’ access to citizens’ data. While a simplification, these major drivers provide a framework for breaking down nuanced national, transnational, and local data regulations of varying scope, which may include conflicting elements as each government or regulatory body wrestles with balancing the intended and unintended consequences of regulation. Regulatory agencies, many of which are governed by politicians—not technocrats—are determining what data can be collected, where it can be stored, whether or how it can be transmitted, and how it can be secured, not to mention who is liable for the content.

As governments and citizens around the world become increasingly aware of the scope of user data that big tech companies collect, data privacy laws are becoming increasingly stringent. Though laws were on the books in the U.S. and Europe as far back as the 1970s, they did not effectively govern the scope of data collection activities at the heart of today’s big tech companies’ operations. The recent and ongoing regulatory push illustrates governments’ attempts to catch up, as many are racing to update existing privacy laws by placing explicit limits on companies’ collection of user data and enforcing comprehensive data security and data transfer practices. The EU led the push to modernize data privacy laws, enacting the first comprehensive data privacy regulation, the Data Protection Directive, in 1995. In 2018, the EU’s release of the General Data Protection Regulation (GDPR) modernized the framework for data privacy regulation built on enforcing citizens’ civil liberties, individual freedoms, and rights in the digital realm, and it by far represents the most comprehensive legislation to date. Specifically, the GDPR requires that companies obtain consent to collect user data, honor requests to delete user data, enforce tighter cybersecurity practices, and comply with restrictions on the international transfer of users’ data outside of the EU. GDPR implementation rocked the digital world, increasing compliance costs and generating fines of €466 million ($508 million) as of April 2020. It continues to alter how companies operate, not only in Europe but around the world. As countries such as Brazil and India draft similar comprehensive data privacy laws, the disruptive impact on digital commerce—and these major markets—is set to increase.

Despite the complexity of the regulations and multiple drivers behind them, characteristics of data governance regimes are emerging around the world, with each nation’s specific regulations reflecting the unique mix of economic, political, and social variables exerting the greatest influence on governing officials. Collectively, the clear global trend is toward protectionism.

Part 2

Data Localization and Its Commercial Implications

Data localization laws encompass the full range of restrictions a country places on foreign collection, storage, and transfer of its citizens’ data. Government regimes are taking different approaches to data localization; for example, Russia has the most restrictive data localization measures in place, and the U.S. is the strongest advocate for open borders with respect to data transfer. The methods that countries use to enforce and enact data localization regulations substantially impact how international companies can operate within their borders, with consequences for commercial activity both domestically and internationally.

Key Takeaways

  • The Issue

    Four distinct approaches to data localization regulation and implementation largely determine how companies’ digital operations can function within a country. They include: no restrictions, conditional restrictions, local copy requirements, and local data storage mandates. Without one uniform method for regulating international data flows, multinational firms will need to adjust practices to comply with the distinct laws of each market in which they operate.

  • The Reaction

    Some countries stand to benefit economically from data localization, but widespread global barriers on data transfers risk lower global growth overall. Data localization practices restrict the flow of data and raise costs for international tech companies, fragmenting markets and threatening to hinder global growth. Despite the potentially adverse economic impacts globally, data localization measures are continuing to be implemented as countries’ concerns with foreign data collection and governments’ attempts to limit their operations increase.

  • What’s at Stake

    Data localization restrictions threaten to deny or limit access to major data-reliant international corporations, including in key developing markets where the majority of future growth could occur, such as India and Vietnam. On a broad scale, data localization regulations stand to seriously disrupt the free cross-border flow of data, which has enabled the rise of digital commerce for the past few decades.

The Breakdown
Understanding Data Localization and Its Impact on Business
Data localization restrictions are set to re-shape global digital commerce, and their impact is already being felt.

Data localization laws stand to have the most significant commercial impact on how businesses operate internationally and can determine whether a company is able to operate in a foreign country at all. They can be included in comprehensive national regulations or international agreements, or they can stand alone as single pieces of legislation. As noted above, the three major forms of data localization restrictions that countries impose include: conditional restrictions, local copy requirements, and local data storage mandates. Conditional restrictions lay out a set of rules that a company must follow to transfer data outside the country in which it was collected. The GDPR encapsulates this form of data localization, which mandates that data may only be transferred outside the EU to designated safe countries, or if there is a legally binding contract in place guaranteeing that certain conditions are met. In the GDPR, “safe” countries are defined by the levels of the data privacy and protection they provide, with transfers to countries deemed to have inadequate data protection regulations allowed only in exceptional circumstances.

The establishment of this standard has been the key catalyst in the recent proliferation of data privacy, data protection, and data localization laws. Of the seventy-one countries with one or more data localization laws in place, fifty have enacted or updated their data localization laws within the last five years. Fifty-two countries have data regulations that put in place data protection standards similar to the GDPR, with data localization clauses allowing data transfer only to other countries with similar standards in place. This has had a domino effect—the more countries that use a similar standard to the GDPR for data transfers, the more countries are forced to adopt similar data protection standards. This effect explains, in part, both the quickening pace of adoption of data privacy and data localization laws and why this trend is likely to accelerate.

The other forms of data localization regulations currently in place include local copy requirements and local only storage mandates. Local copy regulations allow data to be stored outside of a country only if there is a copy of the same data held on a server inside the country. Local only regulations—the most restrictive form of data localization—require that data be stored on a server within the country. Both of these types of regulatory practices grant governments access to all data collected but increase costs for foreign companies as they need to double the amount of data they store, build new servers, or rent server space locally. The increase in cost is a major objection raised against data localization regulations, primarily by the U.S. government and U.S.-based companies. In 2017, U.S. firms cited data localization policies as their number-one impediment to digital trade, with cost increases being a major contributing factor. For example, the U.S. government estimates the average cost of setting up a data center in Brazil, a country without extensive server infrastructure already in place, to be $60.9 million. The cost of renting one rack of server space in Thailand, where there is already a large domestic server industry, is $1,510 per month. Both countries are crucial markets for U.S. firms with data localization regulations currently in place.

A 2016 study found that firms’ inability to operate internationally due to data localization–driven cost increases would result in a GDP decline of 0.1–0.3 percent in the U.S., 0.1 percent in Brazil, 0.55 percent in China, 0.48 percent in the EU, and 0.58 percent in South Korea. Despite this, more countries, and most major economies, continue to adopt data localization laws. If adopted, India’s Personal Data Protection Act, which is currently being debated in the Indian Parliament, will include both local copy and local only data localization restrictions—a move that will fundamentally alter India’s digital economy. As recently highlighted in Foreign Policy, eagerness to act before this law is adopted is likely a large driver behind Facebook’s recent $5.7 billion investment, the largest in its history, in the Indian cellular Internet service firm Jio Platforms. While as of this writing India’s Data Protection Act is still being finalized, many other major economies, such as the EU, Brazil, China, and Russia, have already enacted comprehensive data localization regulations, with varying degrees of stringency, which threaten to further fragment, if not completely inhibit, companies’ ability to operate internationally.

Graphic 4

Impact of Data Localization Laws on Different Sectors

Data localization will have cascading impacts across tech-based industries

Internet communication services

Impact: Internet service providers will need to individually craft data policies for each country in which they wish to operate. In other cases, laws may forbid a company from operating in the country at all.

Case Study from Russia: In 2016, Russia blocked web access to LinkedIn, citing breach of Russian law requiring websites to store personal data of Russian citizens on servers in Russia.

Cloud-based data processing

Impact: Cloud-based data processing will need to be done in-country, and companies will need to buy or rent server space in countries with strict data localization laws, such as Vietnam and Thailand. These costs are likely to be untenable for smaller operators, inhibiting them from being able to enter these countries.

Case Study from Vietnam: In a country such as Vietnam, where natural disasters are frequent, the risk of losing critical data is amplified by multinationals storing it within the country’s borders. The World Bank estimates that 60 percent of Vietnam’s total land area and 71 percent of its population are at risk of cyclones and floods.

E-commerce

Impact: Data localization will likely add costs to conducting e-commerce, as companies operating in multiple markets with data localization laws will need to store customer data, including financial transaction records, in those respective countries.

Case Study from Turkey: Turkey’s data localization laws requiring all suppliers of electronic payment services to maintain all information systems within Turkey led PayPal to suspend operations within Turkey in 2016.

Internet of Things (IoT)

Impact: Applying data localization to the IoT will necessitate the creation of new data centers and create an increased number of potential breach sites containing sensitive information. The IoT relies heavily on data being transferred seamlessly, usually in real time, and data localization measures threaten to prevent certain IoT innovations from being able to function.

Case Study from South Korea: South Korea restricts the export of location-based data. This policy could potentially prevent autonomous vehicles, which would incorporate traffic updates and navigation, from functioning.

SOURCE: United States International Trade Commission: Global Digital Trade Report 2017; FP Analytics.

Graphic 5

Global Data Localization Laws and Their Stringency

Data localization laws are becoming increasingly common around the world, despite U.S. objections. Globally, seventy-one countries have a form of conditional restrictions on the transfer of data, and seventeen countries have more stringent local only, or local copy, data localization laws covering different types of personal data. In the majority of cases, data localization laws do not cover all types of data, and restrictions on the transfer of data may differ, depending on the type of data. For example, local only data localization restrictions are used more frequently to cover financial information and health information than to cover other types of data (such as Internet search results). With the exception of Pakistan, all of the data localization restrictions mapped out below are embedded into wider data privacy protection laws, which are covered in detail in the next section.

Countries with data localization and their corresponding stringency are mapped out below.

Map legend:

  • Conditional restrictions on data transfers
  • Local copy restrictions on one or more types of personal data
  • Local only restrictions on one or more types of personal data
  • No data localization laws

SOURCE: DLA Piper: Global Data Protection Laws of the World Full Handbook.

Part 3

Beyond Data Localization: Other Influential Data Regulations and Emerging Data Governance Practices

In addition to data localization, varying economic, political, and social factors are driving governments to craft other data governance measures. Due to each country’s unique regulatory environment, data governance practices can differ significantly globally. However, common frameworks, particularly for data privacy laws, are emerging. As with GDPR, to date, a few influential countries with significant market power are leading the way by enacting comprehensive data regulation laws.

Key Takeaways

  • The Issue

    Led by the EU and China, countries with large domestic markets and significant global influence are defining data governance trends internationally. Within the past four years, the EU, China, India, and Brazil all enacted or drafted comprehensive data regulations focused on their national interests. These regulations are reshaping the global data governance landscape and are being emulated, revised, or adapted by other nations with similar interests.

  • The Reaction

    Variations within and among data governance regimes are disrupting multinationals’ ability to operate in the global digital economy and raising costs. Data regulations are fundamentally dividing cyberspace into different spheres and upending businesses’ ability to operate seamlessly across borders, forcing businesses to adhere to a complex mix of often conflicting regulations in order to operate within different national borders.

  • What’s at Stake

    While aiming to more effectively protect privacy, the layering of data regulations is making operating internationally in the digital economy more complicated and costly. Despite the GDPR and similar data privacy laws being enacted largely in response to the international dominance and data collection practices of large U.S. tech companies, a more complicated regulatory landscape will likely favor larger and more established firms, as they can better bear the increased legal costs and potential fines.

The Breakdown
Key Regulations and Emerging Data Governance Practices
Comprehensive data privacy regulations in the EU and China are establishing new norms for global data governance.
  • GRAPHIC 6: Comprehensive Regulations Reshaping Global Data Governance Norms
  • GRAPHIC 7: GDPR Fines to Date
  • GRAPHIC 8: Mapping Global Data Privacy Regulations

Data privacy laws have undergone numerous transformations globally since the first national-level data privacy law, Bundesdatenschutzgesetz (BDSG), was enacted in Germany in 1970. The rapid advancement of digital technologies in the Internet age and growing consumer awareness, particularly over the past two decades, are putting increasing pressure on countries to update their privacy laws. Currently, 160 countries have a law or laws that reference data privacy, and ninety-six countries have specific laws dedicated primarily to data privacy. In an early effort to harmonize the increasingly fractured regulatory landscape, international data privacy standardization frameworks emerged. The international framework currently covering the greatest share of global economic activity is the Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules (referred to as the APEC Privacy Framework), which was established in 2011. Twenty-one countries have opted into these data privacy standards, including the U.S., Mexico, Canada, Japan, South Korea, Singapore, and Australia, as well as twenty-three multinational corporations, including Apple, HP, IBM, and Merck. However, this international framework is not legally enforceable, as it is not backed by a specific government jurisdiction.

Until 2016, it appeared that the APEC Privacy Framework, and similar international data privacy agreements, would foster harmonization of international data governance going forward. However, in 2016, the APEC Privacy Framework and the global data regulatory landscape were upended with the passing of the EU’s GDPR and China’s Cybersecurity Law. Both laws introduced key changes to how data privacy is regulated; they were enacted in two of the world’s largest economic blocs and, consequently, are influencing digital regulation around the world. Driven by concerns over civil liberties and foreign companies’ data collection activities, the GDPR introduced an expansive definition of personal data, applies broadly to any business offering services to EU citizens, set higher compliance standards, and is enforceable directly through fines. China’s Cybersecurity Law uses the GDPR principles as a base but builds on the GDPR standards by setting significantly stricter limits on data transfers outside of the country, placing export restrictions on data deemed essential to the public interest, and granting the government broad access to data collected within its borders. Critically, China’s Cybersecurity Law adapted the GDPR principles to suit its own national interests, effectively creating its own data governance framework and further dividing digital commerce instead of harmonizing it under GDPR standards. The GDPR initially received some criticism from businesses due to increased compliance costs and the risk of fines, with small businesses in particular struggling to meet new requirements. The GDPR also impacted small businesses with little brand recognition that lacked the established consumer trust necessary for data collection consent. The end result has been that, in practice, many small businesses in the EU have simply opted not to comply with the GDPR—fewer than half of businesses (44 percent) report compliance with key measures in 2019—leaving them vulnerable to being fined.

The passage of the GDPR and China’s Cybersecurity Law marked the beginning of a new trend in data governance—the implementation of comprehensive national level data privacy regulations that carry cascading impacts for the global digital economy. The U.S. government and private sector are vocal critics of this trend, broadly preferring the APEC Privacy Framework, as it is more flexible and favorable to business, is less costly, and allows companies to expand internationally with greater ease. However, comprehensive national frameworks are shaping global digital commerce, with the volume of goods and services traded under the EU’s GDPR standard ($8.1 trillion) and China’s Cybersecurity Law ($2.5 trillion), dwarfing the volume traded under the APEC Privacy Framework ($1.2 trillion). Additionally, India and Brazil, two of the world’s top-five countries in terms of Internet users, have both adopted or drafted comprehensive national-level data privacy regulations similar to the GDPR. Overall, thirty-five countries, besides the EU countries and China, have updated or adopted more comprehensive data privacy laws since 2016, generally using the GDPR as a minimum standard from which to construct a unique national data privacy framework. This demonstrates a clear trend toward national-level regulation and stricter data privacy standards enforceable through fines.

While there remains a debate on the long-run impact of compliance and which companies it will hit hardest, the GDPR has undeniably impacted EU tech startups, as the overall venture funding for EU tech firms decreased by €12.5 million per month per member state, between May 2018 and April 2019. Additionally, advertisers have been hit particularly hard by the GDPR. Advertising vendors, particularly smaller companies, lost between 18 and 31 percent market reach in the EU, between April and July 2018. If the trend toward more comprehensive data governance regulations modeled after the GDPR standards continues, these impacts are likely to be replicated around the world. As countries adopt similar standards, the ability to fully understand diverse regulatory environments, and to take proactive measures as legislation is adopted, will provide a competitive advantage for businesses with the capacity and resources to comply.

Graphic 6

Comprehensive Regulations Reshaping Global Data Privacy and Governance Norms

While there are hundreds of data governance laws and regulations globally, a handful of comprehensive laws in the EU, China, Brazil, and India are shaping the emerging data governance frameworks globally. Understanding these regulations, and their impact, will be critical to the future of e-commerce due to the size and importance of their markets. (China is the world’s largest e-commerce market with $1.94 trillion in sales in 2019, the EU is third, and India is seventh.) Understanding these data privacy regulations provides insight into what provisions future comprehensive data regulations in smaller regional markets are likely to contain. The key data localization and privacy provisions of each regulation are broken down below. Additional cyber and national security provisions will be covered in Part II of this series.

Breakdown of Major Existing Data Governance Regulations

Four major data privacy regulations in the EU, China, India, and Brazil are reshaping global data governance. Their key provisions are broken down below.

Major Regulations
EU: GDPR

(Passed: 2016, In effect since 2018)

Snapshot: Establishes a comprehensive data privacy framework for EU citizens.

Background: Europe has a long history of data privacy laws dating back to 1970, with varying versions of data privacy regulation enacted across its member states. Adopted in April 2016, and enforceable since May 2018, the GDPR is an attempt to harmonize the EU’s Member States’ data collection and data transfer practices. The GDPR increases privacy around individuals’ personally identifying data, makes data laws enforceable through fines, harmonizes data laws across Member States, and makes national data laws enforceable on international firms. To date, €466 million in fines have been levied, with the largest fine being €204 million against British Airways for failing to sufficiently secure personal data.

Data Localization Elements

Personal data can only be transferred to another country when an “adequate level of protection,” defined as a country with comparable data privacy laws, is provided. Countries and jurisdictions that are currently considered to have an adequate level of protection are Andorra, Argentina, Canada (only commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, and the United States (if the recipient belongs to the Privacy Shield—the data privacy framework agreement specifically governing data transfers between the EU and U.S.). For data transfers outside of these countries, data protections must be guaranteed through a legally binding contractual clause.

Data Privacy Elements
  • Consumers must give expressed, unambiguous consent to having their personal data shared, and that consent can be withdrawn at any time.
  • Companies must notify the GDPR supervisory board within seventy-two hours of a data breach, or fines of up to 4 percent of yearly revenue will be imposed.
  • Individuals have the “right to be forgotten” and may request that information be removed from Internet searches and other directories.
  • Platforms are held legally liable for removing copyright-infringing material and can be fined for non-compliance.

China: Cyber Security Law

(Passed: 2016, In effect since 2017)

Snapshot: Significantly restricts foreign companies’ ability to operate in China through strict data localization laws and increases government private-sector oversight.

Background: China’s Cyber Security Law, passed in 2016 and enacted in June 2017, is broad, sweeping legislation that dictates how national companies must approach security and privacy. Critically, it reforms data management and Internet-usage regulations in China, enhancing the government’s jurisdictional control over content on the Internet and data collected by private companies.

Data Localization Elements
  • Require network operators in critical sectors to store data gathered or produced in the country within mainland China, which both allows government access to the data and increases the need for companies in key sectors, such as banking, to have their services within China.
  • Require business information and data on Chinese citizens gathered within China to be kept on domestic servers and not transferred abroad without permission.
Data Privacy Elements
  • Network product and service providers that collect users’ information are required to inform and obtain consent from the users.
  • Individuals have the right to require network operators to correct errors in personal information collected or stored by them.
  • Fines for non-compliance are up to €20 million or 4 percent of annual global revenue.

Brazil: Lei Geral de Proteção de Dados (General Data Protection Act, or LGPD)

(Passed: 2018; In effect: 2020)

Snapshot: Modeled after the GDPR, it establishes a data privacy framework similar to the EU’s in Brazil.

Background: Inspired by the GDPR, the Brazilian General Data Protection Act is a comprehensive data governance regulation establishing rules on collecting, handling, storing, and sharing of personal data managed by any organization operating in Brazil or handling Brazilians’ data. The bill differs from the GDPR most significantly in its enforcement mechanisms, having significantly lower maximum fines of €11 million (R$50 million) or 2 percent of annual global revenue and no time requirements for data breach reporting, and places less stringent legal requirements on data processors, thus allowing them additional justifications for collecting and processing individuals’ data (such as to protect an individual’s credit score).

Data Localization Elements
  • Data can be transferred with minimal restrictions to countries deemed to have adequate levels of privacy protections in place.
  • Personal data can be transferred internationally with the express consent of the data subject, which must be obtained prior to the transfer.
  • User data may be transferred internationally if there is a guarantee by the controller through contractual instruments, such as binding corporate rules and standard clauses, that it will comply with the principles, data subject rights, and data protection regime provided by law.
Data Privacy Elements
  • Require implied authorization for collection and sale of personal data, a modified and slightly less stringent standard than the GDPR; the wording leaves it ambiguous compared to the GDPR, which states that consent must always be given through an opt-in, a declaration, or an active motion.
  • Users have the right to anonymize (remove personally identifying information from the data) or block or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD.
  • Users have the right to request elimination of personal data processed with the consent of the holder.

India: Personal Data Protection Bill (Draft)

(Drafted: August 2018, Pending)

Snapshot: Includes stricter local copy data localization provisions than the GDPR, but less restrictive than China’s, and requires written consent for data collection and transfer for sensitive data.

Background: The bill is currently up for consideration in the Indian Parliament and is still being analyzed by a joint parliamentary committee. The bill represents India’s first comprehensive approach to regulating data privacy and security. If passed, the bill will significantly alter the global digital economy by enforcing data localization standards on the world’s second-largest IT market (India has the second-largest number of citizens online in the world, with 455 million, compared to China’s 748 million). While the bill is modeled after the GDPR to an extent, provisions on data localization, users’ consent for businesses to collect data, and government access to users’ data go significantly further.

Data Localization Elements
  • Require the storage and processing of personal data on servers located within India.
  • Sensitive personal data may not be transferred outside of India.
  • Financial records and any personal banking data may not be transferred outside of India.
Data Privacy Elements
  • Require companies to obtain parent or guardian consent for collecting data belonging to children.
  • Individuals have the “right to be forgotten” as well as the “right to access in one place the identities of the data fiduciaries with whom his personal data has been shared by any data fiduciary together with the categories of personal data shared with them.”
  • Data fiduciaries are required to prepare a “privacy by design” policy to apply when building their internal IT systems.

Graphic 7

GDPR Fines to Date

To date, the EU has levied 268 fines related to GDPR infractions; their distribution is broken down below.

Totals (USD): 268 Violations / $506,216,298 Total Cost / $1,888,867 Average Cost

Totals (EUR): 268 Violations / €468,718,794 Total Cost / €1,748,951 Average Cost

SOURCE: GDPR Enforcement Tracker

Largest Fines by Company (USD), as of May 13, 2020

  • British Airways: $204.6M
  • Google Inc.: $50M
  • Deutsche Wohnen SE: $14.5M
  • Oracle Cloud: $7M
  • Professional Football League (LaLiga): $250K
  • Payment service provider UAB MisterTango: $61.5K
  • Telefónica: $30K
  • Facebook Germany GmbH: $51K
  • Mayor of Aleksandrów Kujawski: $9.4K
  • Unknown: $500

Graphic 8

Mapping Global Data Privacy Regulations

The most comprehensive and influential data governance regulations to date, listed above, are already serving as templates for data governance throughout the world, a trend that is likely to continue. As of April 2020, globally, ninety-seven countries have laws that specifically address data privacy elements. However, few countries have one comprehensive data governance law covering all aspects of data privacy. Existing laws often restrict private companies’ access to personal data, limit the sale of data on secondary markets without user consent, and seek to ensure safe international transfer of data. Critically, existing data privacy laws are meant to protect citizens’ data from being exploited by private companies, foreign governments, and bad actors. Generally, they are not meant to protect citizens’ data from domestic government access. In fact, many of these privacy laws actually increase government access to user data. The issues of government access and surveillance will be covered in the second installment of this Power Map.

Below, we map out the different data privacy laws in place throughout the world and list the data privacy issues they address.* The dropdown menu below the map includes details on the provisions included in each data privacy law, and the corresponding level of data localization measures included (which were mapped out in the previous section).

Global Privacy Laws
  • National Data Protection Authority: A central government authority is established to oversee and enforce data privacy laws.
  • Registration Requirement: Businesses are required to register their databases with the national data protection authority.
  • Data Protection Officer: A data protection officer is designated at either the national, regional, or organizational level.
  • Data Localization Provisions: There is some form of restriction on the international transfer of data in place.
  • Cybersecurity Provisions: There are cybersecurity standards established, which data processors are legally bound to uphold.
  • Breach Notification: Data controllers and processors must notify individuals if their personal data has been compromised.
  • Enforcement Through Fine: Laws can be enforced through a monetary fine.
  • Online Data Privacy Element: Online collection of data is restricted to some degree.

Data Privacy Laws
SOURCE: DLA Piper: Global Data Protection Laws of the World Full Handbook.

*Map only includes countries with laws specifically governing electronic data and addressing similar standards to other major data privacy regulations or international frameworks. Countries with data privacy laws that are not enforceable, or do not address any of the key areas covered in other major data privacy regulations and frameworks, are not included.

National level data privacy laws including embedded degree of data localization restriction
Conditional restrictions on data transfers
Local copy restrictions on one or more types of personal data
Local only restrictions on one or more types of personal data
No data localization laws


Navigating an Increasingly Fractured Future

The implementation of new and updated data governance regulations across the world is fundamentally changing the digital business landscape. Data localization requirements, more comprehensive and widely enforceable data privacy laws, and increased cybersecurity laws (which will be explored in Part II of this series) are creating a complicated and increasingly costly web of regulations for businesses to navigate. These factors stand to impact small businesses disproportionately, though increasing compliance costs have been a major point of contention for large businesses as well. However, with the recent adoption of comprehensive privacy laws in major e-commerce markets, data regulation is likely to continue to accelerate. While privacy laws to date have been passed to protect users’ data from being exploited by large international companies and foreign governments, there is a concurrent wave of data privacy laws around the world that are actually enabling governments to have sweeping access to user data. These laws range from China’s Cybersecurity Law (elements of which we have covered in this section) to the Patriot Act in the U.S. For individuals, the amount of data being accessed by governments through surveillance and requests to private companies is rising sharply. Simultaneously, governments are embarking on a drive to repeal cybersecurity provisions, such as end-to-end encryption as in the case of the U.S.’s EARN IT Act, in order to collect citizens’ data more effectively. In Part II of our Data Governance Power Map series, we will dive into these and other measures and how governments are increasing their data collection efforts globally, and what this means for businesses and private citizens.

Written by Christian Perez. Edited by Allison Carlson. Copyedited by David Johnstone. Design by Andrew Baughman and Jon Benedict. Development by Andrew Baughman. Art direction by Lori Kelley.
