Data Localization Laws: A New Trade Dispute?
A recent report says that the White House is considering sanctions on India by putting caps on H-1B visas in response to the country’s new data localization rules that require firms to store payment data and other “sensitive information” within India. India is far from the only country that has such rules in place. If this is a new front for a trade dispute, how many other countries will be impacted?
According to Big Bang ERP, a cloud computing consultant and advisory firm, six countries have “strong” data localization laws, five have “partial” laws, while 11 have either “mild” or sector-specific laws. The European Union has its own category, called “de facto”, because it has such strong laws about data travelling outside of the EU that they might as well be “prohibitive”.
Not all data localization laws are created for the same reasons. While authoritarian states like Russia and China have put them in place to give law enforcement easy access to citizens’ data, other countries, such as Canada, Australia, and Taiwan, have them because of genuine concern that privacy may be compromised if data travels across borders -- particularly to jurisdictions that lack the same privacy safeguards. Localization also reduces the burden on a company of having to deal with the laws of multiple jurisdictions.
In Canada’s case, its federal Privacy Act, the Personal Information Protection and Electronic Documents Act (PIPEDA), and the provincial counterparts were strengthened in the early 2000s as the cloud computing market matured -- and the US’ PATRIOT Act began to be enforced.
PIPEDA requires that the data’s owner be informed, and in many cases give consent, when their data is accessed. The problem is that the PATRIOT Act gives the US government the right, in some circumstances, to access data without consent or without informing its owner, directly contradicting PIPEDA. As a result, many Canadian provinces (in Canada, health care is provincially managed) imposed strict laws about the export of patient records as they created their electronic health record systems during this time.
Of course, in some circumstances it makes sense for the US to oppose strong data localization laws. China not only requires data to be localized, but also requires firms to store decryption keys locally and decrypt on demand for law enforcement. Given China’s legal system and respect for privacy laws, this is obviously problematic.
But if the US picks a fight with India over data localization laws, it’s picking a fight with many countries in the world that have similar legal frameworks set up. This is going to cause the US to lose political capital with these countries, potential allies in its trade war with China -- which is based on much more reasonable grounds.