For the better part of the year, Mastercard, American Express and Diners Club have been banned from issuing new cards in India. Its central bank stopped the firms, which collectively process one-third of the country’s card transactions according to payments start-up PPRO, from adding new customers until they comply with regulations that require domestic payments data be stored within India.
The incident is a preview of what is to come. A recent study by think tank the Information Technology and Innovation Foundation (ITIF) found that the number of countries that require data be processed or stored within national borders — or make its cross-border transfer prohibitively expensive or complicated — has grown from 35 in 2017 to 62 today.
Many of these rules have been inspired by the EU’s General Data Protection Regulation (GDPR), which is regarded as the world’s toughest privacy law. The latest is China’s Personal Information Protection Law (PIPL), which took effect in November and requires a security assessment by regulators before transferring data overseas. To date, Beijing has loosely enforced its patchwork of data restrictions, but Peter Yared, CEO of InCountry, which helps firms comply with localisation rules, says PIPL is a sign that things have changed. “We’ve had a rush of inbound [requests] on PIPL from pretty much every brand you’ve ever heard of,” he says.
Rules like these are causing headaches for businesses and prompting some to reconsider where they operate. In Kearney’s latest FDI Confidence Index, 82% of large multinationals said localisation requirements have a significant or moderate impact on their foreign investments. Research by the International Association of Privacy Professionals found the average cost of GDPR compliance is $3m per company. While most large firms can justify such an expense, it has prompted some — including US home furnishings staple Pottery Barn — to stop serving EU customers.
However it is small and medium-sized enterprises (SME), with their limited financial and other resources, that bear the brunt of these regimes. A recent survey by Kearney and the European Centre for International Political Economy (ECIPE) found that cross-border data restrictions have prompted 29% of EU SMEs to stop or reduce marketing and sales to customers outside the bloc. “For SMEs in particular, there is a constant re-evaluation of where they would like to play,” says Kearney partner Daniela Chikova. “There is always a trade-off between the cost-burden of understanding and complying with these requirements, and the revenue they generate from that destination.”
While compliance costs are easier to justify in sizeable markets like the EU and China, the smaller economies adopting localisation rules could be depriving themselves of trade and investment opportunities. “With its spread to … the developing world, I suspect we’ll see its implications play out much more tangibly in the next few years,” says Nigel Cory, an associate director at ITIF.
Yet these rules pose risks for economies of all sizes. ITIF’s research shows that restricting cross-border data flow sharply reduces trade, lowers productivity and increases prices. Forecasting based on recent GDPR developments offers a warning to governments looking to adopt localisation rules.
In 2020, the bloc’s top court struck down Privacy Shield, a self-certification scheme that some 5300 businesses had relied on to transfer EU data to the US without having to follow GDPR’s requirements. The court then tightened GDPR’s rules by making data transfers subject to an assessment of the recipient country’s rules. “This [assessment] is a very burdensome exercise,” says Tanguy Van Overstraeten, a Linklaters partner in Brussels. “At the moment it’s only accessible to large companies.”
EU regulators are yet to confirm whether Privacy Shield will be replaced with another mechanism that eases EU transfers to the US. The stricter the outcome, the bigger the economic hit will be. Modelling by Kearney and ECIPE estimates that a full ban on transatlantic data transfers would cause EU gross domestic product to contract up to 3% or €420bn.
Policy-makers give many reasons for regulating international data transfers. Ms Chikova says safeguarding personal information, securing sensitive information (such as credit card numbers), and reducing the risk of data breaches are the most common objectives. “But there are governments around the world that have used data protection rules as an excuse to protect the local economy and fend off foreign companies,” she adds. Multinationals are attuned to this trend. In Kearney’s latest Confidence Index, 71% said they were concerned about data nationalism impacting their investments.
Protectionist motivations are also spurred by data’s critical role in improving business competitiveness. But Mr Cory is quick to note the flaws in this rationale. “Data’s value is in how it is used, not where it is stored. Having lots of data does not mean you have lots of value,” he says.
Policy-makers’ security rationale is also misguided. While fears over data leaks and misuse are well-founded, experts agree that data is no safer when stored within the country’s borders. “If you think you have physical control over your data centre in a cyber world, that shows how far you are from reality,” says Mr Cory. “If it’s plugged into the internet, it is exposed to the same degree of risk whether it is on-premises or in the cloud.”
With data volumes growing rapidly, there are early calls for globally agreed minimum standards on international data transfers. The World Economic Forum wants governments to enact data protection laws, allow cross-border transfers and establish a cooperation mechanism to build international trust.
Such a system would help appease government concerns, avoid the economic damage of localisation and unleash data’s full potential. It would also ease businesses’ international operations. Indeed, most firms’ biggest pain point is not complying with data protection and transfer rules, but the discrepancy from one jurisdiction to another.
“I realise that all countries subscribing to one system is aspirational. But what if at least half the countries complied?” proposes Ms Chikova. “That is what we should be talking about, as data that is protected and flowing freely between countries has tremendous potential and value for companies, consumers and economies.”
This article was first published in the December 2021/January 2022 edition of fDi Intelligence magazine. Read the online edition here.