The policy of data localization is rapidly gaining popularity worldwide, which will significantly reduce trade volume, lower productivity, and increase prices in downstream industries. All countries must work together to eliminate barriers to cross-border data flow and build an open, rule-based, and innovative digital economy. 
Key points 
In recent years, the number of data localization measures implemented around the world has more than doubled. In 2017, 35 countries implemented 67 such measures. Currently, 62 countries have implemented 144 restrictions, and several dozen more are under consideration. 
Restricting data flow would have a significant statistical impact on a country's economy - significantly reducing its total trade volume, lowering productivity, and increasing the prices of downstream industries that are increasingly dependent on data. 
ITIF used a scale based on the market supervision data from the Organization for Economic Cooperation and Development (OECD) to find that for every 1 percentage point increase in data restrictions in a country, its total trade output would decrease by 7%, productivity would decline by 2.9%, and downstream prices would rise by 1.5% within 5 years. 
Policy makers should continuously improve the laws to address issues related to data, ensuring that citizens, enterprises and the government can fully leverage the significant social and economic benefits brought about by data and digital technologies. 
In order to establish an open, rule-based and innovative digital economy, countries such as Australia, Canada, Chile, Japan, Singapore, New Zealand, the United States and the United Kingdom must collaborate on constructive alternatives for data localization. 
Overview

For centuries, information has been flowing around the world. The Internet demonstrates the potential to rapidly send large amounts of data to every corner of the world. On this global network, the cost of sending data abroad is no higher than that of sending data domestically, and there is almost no cost for global data flow. The COVID-19 pandemic has clearly demonstrated the importance of data flow to the global economy. As more countries and departments undergo digital transformation, the volume of data flow will continue to increase. Although some countries allow data flow, more countries have set new obstacles for data transmission. The development and spread of data localization have made transmitting data abroad more expensive and time-consuming. The goal of data localization is to protect specific types of data and data considered "important" or "sensitive" and related to national security. The reasons used by policymakers are also constantly changing. Some policymakers, especially those in Europe and India, openly call for data localization as part of digital protectionism, while other policymakers hide localization and protectionism within technical regulations as a cover-up. 
Data localization is spreading to more countries and more types of data, posing an increasingly significant threat to the open, rule-based and innovative global digital economy. Data localization makes the internet less accessible, more costly and more complex, and also reduces innovation. Enterprises create value through data, and many enterprises can maximize their value only when data can freely flow across borders. Therefore, data localization weakens the impact of data-intensive services on economic productivity and innovation. For example, a 2018 report by the Organization for Economic Cooperation and Development (OECD) pointed out that a 10% increase in bilateral digital connectivity would lead to an increase in service trade of over 3.1%, and vice versa. The econometric model of ITIF estimates that for every one-unit increase in a country's data restrictive index (DRI), its total output transaction volume (cumulative over 5 years) will decrease by 7%, the prices of goods and services in downstream industries will increase by 1.5%, and the productivity of the entire economy will decrease by 2.9%. 
Enforcing data localization can also undermine the ability of shared governance. Countries can work together to address legitimate concerns regarding data transmission, such as preventing espionage, maintaining financial regulation and law enforcement investigations, while still allowing for the free flow of data. Each country should establish a sound data privacy framework that protects consumers while addressing national security issues, but decision-makers should make decisions in a transparent, targeted and balanced manner, avoiding unnecessary, costly and restrictive policies. As the world gradually emerges from the COVID-19 crisis, decision-makers need to do more to ensure that the global digital economy remains an engine for economic growth and recovery. Fortunately, some countries are putting this concept into practice through new mechanisms, agreements, data flow governance and digital trade frameworks. 
Types of Data Localization 
Data localization mainly consists of three types: 
First, some governments impose restrictions on the overseas transmission of specific types of data. These include personal information; health and genetic data; mapping and geographic spatial data; government data; banking, credit reports, finance, payment, taxation, insurance and accounting data; internal company data of listed companies; data related to user-generated content on social media and internet platforms; and data of e-commerce operators, etc. 
Secondly, more and more countries are imposing restrictions on data that are regarded as "sensitive", "important", "core", or related to national security, as their scope is rather broad and the boundaries are rather vague. This often affects a wider range of commercial data. Moreover, the European Union and India are striving to extend these restrictions to a framework that targets non-personal data as well. 
Thirdly, the actual trend of data localization is also increasing. Due to the complexity and uncertainty of data transmission, enterprises basically have no choice but to store data locally, especially when facing huge fines. For instance, the EU has abolished the data transmission mechanism, failed to add new certifications or other new legal tools for data transmission, and simultaneously continuously increases the restrictive conditions for the remaining mechanisms (such as standard contract clauses), which may make GDPR the largest factual data localization framework in the world. 
Five reasons for data localization 
The reasons for data localization are constantly evolving. Almost all proposals for data localization involve mixed factors. When the main (hidden) reasons of policymakers are protectionism, national security, strengthening control over the internet, or a combination of these factors, they often adopt "dual-use" methods to achieve seemingly legitimate official goals, such as data privacy or cyber security. 
Misunderstandings regarding the concepts of data privacy, protection, and cybersecurity 
As more and more countries introduce new data protection frameworks, some decision-makers will inevitably propose data localization because they instinctively believe that the best way to protect data is to store it within their own country. This misunderstanding lies at the core of many data localization policies. However, the security of data does not depend on where it is stored. 
Firstly, organizations cannot evade the laws of a country by transmitting data abroad. Therefore, data localization is not a necessary condition for organizations to comply with domestic data laws. Similarly, enterprises cannot evade the law in this way. Laws and contracts can still require enterprises to be responsible for how data is used, and the "legal relationship" will place enterprises under the jurisdiction of a country. 
Secondly, the security of data mainly depends on the logical and physical controls for protecting the data, such as device encryption and perimeter security of data centers. Who owns or controls the servers, and where these devices are located, have little to do with their security. 
Policy makers pay attention to the location of data storage, partly because they do not want to address the more challenging factors, which in fact are conducive to cybersecurity. For instance, enhancing the cybersecurity awareness of users and enterprises, encouraging enterprises and government agencies to adopt and continue to commit to top-notch cybersecurity practices and services. Good cybersecurity management and the personnel who access the data are, in fact, as important as the data itself, because they are the core of most cybersecurity incidents. 
2. Digital protectionism is the main cause of "data sovereignty". 
Digital protectionism remains a key motivation behind the implementation of data localization in many countries, but it has been incorporated into a broader discussion surrounding cyber sovereignty (also known as data sovereignty or digital sovereignty) and control. 
In recent years, the application of data localization in protectionism has seen significant development. More and more policymakers are seeking to utilize information technology to assist local enterprises. They recognize that data-driven innovation is at the core of modern competitiveness, but they have not made long-term investments in areas such as education, infrastructure, and other favorable factors that can help enterprises and economies enhance their competitiveness. For instance, countries like Europe, India, South Africa, and others have employed data localization policies specifically targeting American companies. 
Policy makers usually depict cyber sovereignty as a powerful yet vague concept, typically referring to a country's control over data, data flow, and digital technologies. It helps various countries "reclaim control" and "gain sovereignty" from foreign technology companies and trading partners. Misunderstandings about data and cyber sovereignty ignore the fact that the interaction of economic, governance, social, and political factors determines a country's ultimate stance on digital issues. Europe is attempting to position itself as the moral leader in digital regulation, with European leaders such as German Chancellor Merkel and French President Macron explicitly calling for both digital protectionism and data sovereignty. The draft of Europe's data strategy promotes data localization and claims that the EU needs to have its own cloud service providers operating in Europe. Many policy makers, academics, civil advocates, and business leaders in developing countries have turned to the concept of "digital colonialism" related to this, viewing data localization as a way to weaken or prevent foreign technology companies. 
3. Data localization carried out for the purpose of review and monitoring 
Each country uses the requirement of data localization as a means to force foreign companies to provide easier access to data for their surveillance and political purposes, and to compel them to comply with censorship requirements. For instance, data localization is at the core of Vietnam's constantly evolving network censorship and surveillance system. Vietnam's Cybersecurity Law requires internet companies to store personal and other types of data locally and set up offices in Vietnam. The motivation is broad and vague: protecting national security, social order security, and social morality, etc. Companies must have a license in Vietnam and at least one server that is available for inspection at all times, storing detailed information about users and their activities, and deleting illegal content within three hours upon receiving a notice. Considering that Vietnam does not have a dedicated and independent data protection agency, people do indeed worry about how Vietnam will use this to help the government obtain data. Pakistan's "Deletion and Blocking of Illegal Online Content" requirement allows the government to force companies to block content crucial to the government and provide convenience for user data access, etc. 
4. Data localization due to law enforcement and regulatory requirements 
Various countries have taken advantage of the concerns of law enforcement and regulatory authorities regarding data cross-border access to defend data localization, and at the same time, they have sought excuses for digital protectionism. Some policymakers have stated that data localization is the only way to make local and foreign companies respond to data requests from law enforcement agencies and financial regulatory bodies. Due to the lack of effective cross-border law enforcement legal tools and treaties, some countries support data localization. This idea holds that if data is stored locally, foreign governments will be unable to prevent suppliers from meeting government requirements. However, data localization motivated by law enforcement purposes often stems from the fact that decision-makers do not want to solve the fundamental problems through existing legal mechanisms in order to improve the handling process of cross-border data requests. The transnational nature of crimes and digital services means that even if countries have formulated localization policies, they inevitably need the assistance of other countries. Therefore, the current legal tools definitely need to be upgraded. 
5. Data localization caused by geopolitical risks and financial sanctions 
Some countries implement data localization and other policies to prepare for hypothetical (unlikely) international financial sanctions. Some people consider national payment systems to be part of the country's critical infrastructure, while the use of global payment networks represents systemic, geopolitical and sovereign risks, as these payment services are not locally owned. Although the possibility of sanctions is extremely low, Indonesia, Mexico, South Africa and Vietnam have abused national security and sovereign risks to defend restrictions on payment services (including data localization). For example, in 2018, the South African Reserve Bank implemented a moratorium, prohibiting the transfer of domestic transaction volumes from BankservAfrica (a domestic payment exchange machine owned by South African banks) to international payments. The Mexican financial regulatory authority released a draft rule requiring payment services to use local computing services when applying for licenses. 
Policy Recommendations 
The report offers several general suggestions for decision-makers: 
Global Data Governance: Policy makers should provide multiple mechanisms for personal data transmission, encourage enterprises to enhance consumer trust by improving data management transparency, support the formulation of global data-related standards, and provide more assistance to developing countries to help them formulate digital economy policies. 
Digital Free Trade: Policy makers should protect data flow, prohibit data localization, and only allow a few exceptions to these provisions in the World Trade Organization (WTO)’s e-commerce negotiations. Policy makers should also create new tools to take measures against countries that formulate data localization and other digital protectionist rules. Policy makers should encourage countries and global institutions to conduct investigations into the impacts of data localization at the enterprise level. Trade negotiators should formulate more transparent and good regulatory practice provisions to ensure that data flow and digital trade are not hindered by opaque regulatory rules. 
As for specific suggestions, decision-makers should: 
Focus on the overall concept of establishing "interoperability" among different regulatory systems; 
Implement new digital economy cooperation mechanisms, such as the ones negotiated and reached by Australia, Chile, New Zealand and Singapore; 
Cooperate with other countries to establish an interoperable framework for sharing health data. This will facilitate responsible and ethical cross-border sharing of health and genetic data. 
By opening it to non-APEC members, the "APEC Cross-border Privacy Rules" have become a global data governance model. 
Support the establishment of a "Geneva Data Convention" by multiple countries, which would set common principles, procedures and safeguards for managing the access to data by governments. 
Formulate a targeted strategy to support the supervision framework, focusing on the acquisition of regulatory data rather than the location of data storage. 
Improve the existing mechanisms and establish new ones to facilitate cross-border requests for data related to law enforcement investigations, such as the "Clarification of the Legal Use of Foreign Data Act (CLOUD)" and the updated Mutual Legal Assistance Treaty (MLAT), in order to provide timely assistance. 
Appendix A: List of Data Localization Measures 
This is a comprehensive list of explicit, factual and proposed data localization policies from around the world, organized by specific regions, and in some cases by country/region.