1. Introduction

Data localization is one of the most contentious and challenging policy issues in digital trade today.¹ Chander and Le define data localization to include any measure ‘that specifically encumber(s) the transfer of data across national borders’.² In a legislative proposal on cross-border data flows, the European Commission defines data localization as ‘any obligation, prohibition, condition, limit or other requirement’ contained in the ‘laws, regulations or administrative provisions of the Member States, which imposes the location of data storage or other processing requirements in the territory of a specific Member State or hinders storage or other processing of data in any other Member State’.³ Following these broad definitions, in this article a variety of laws and regulations restricting data flows outside one's borders, whether directly or indirectly, are included within the scope of data localization. For example, explicit data residency laws requiring data to be stored⁴ and/or processed⁵ in domestic servers,⁶ and even routed within the territory during transit,⁷ fall within the scope of data localization. Further, implicit restrictions including cross-border data flow restrictions on grounds of privacy or data protection,⁸ cybersecurity⁹ and law enforcement¹⁰ could indirectly force localization by imposing impracticable regulatory requirements or unreasonable compliance costs.

Data localization is premised on the logic that the degree of governmental control over data processing, access, and transfer significantly increases once data are located within one's borders. As data are a highly valuable resource in the digital economy,¹¹ several countries increasingly attempt to confine data within their borders to increase economic profits.¹² Further, many countries believe that domestic laws and regulations can be enforced easily when data reside in local servers; for example, compliance with domestic privacy laws or obtaining data access for criminal investigations.¹³ Since the Snowden revelations in 2013 (exposing the massive digital surveillance of the US government), several countries have also advocated data localization for protecting national sovereignty, including national security, and preventing breach of their citizens’ privacy through foreign surveillance.¹⁴ In practice, however, a country might have multiple policy considerations behind a data localization measure, including conveniently hiding its protectionist intent behind legitimate public policy rationales.¹⁵

By impeding cross-border data flows, data localization measures disrupt various...