Abstract

Digital sovereignty is one of the contemporary trends for governments to either gain dominance or preserve their positions in the international arena. While offering various attractive benefits from a purely governmental perspective, such as fighting against unfair competitive advantages of big tech companies, reinforcing law enforcement and attaining economic objectives, data localization also brings along critical disadvantages such as vulnerabilities in terms of data security and obstacles against innovation, international transactions and provision of services. Policy makers should diligently evaluate the pros and cons of restricting the free flow of data in an era of ever-increasing digitalized services so as to mitigate the risks associated with limiting data residency requirements. To this end, security concerns need to be addressed, bilateral or multilateral agreements on a globally recognized set of rules should be established, and an international body should be established for proper implementation of the multilaterally accepted set of rules and principles.

Keywords: data localization, personal data protection, cross-border data transfers, data security

Digital Sovereignty: A New Kind of Power, or a Foe in Friend's Clothing?

Abstract

Digital sovereignty is one of the trends that have emerged for governments to gain dominance in the international arena or to preserve their existing positions. While efforts toward digital sovereignty offer significant benefits from the perspective of states, such as combating the competitive advantages of big tech companies, strengthening law enforcement and attaining economic objectives, data localization can create vulnerabilities in terms of data security and place obstacles in the way of innovation, intercontinental transactions and the provision of services. For this reason, in order to eliminate the risks of data localization, lawmakers need to properly set out the pros and cons of restricting the free flow of data in the age of digitalization. Accordingly, consideration may be given to addressing concerns regarding data security; concluding bilateral and multilateral agreements based on globally accepted principles; and establishing an international supervisory body to ensure the implementation of these multilateral rules.

Keywords: data localization, protection of personal data, transfer of data abroad, data security

a. Introduction

In today's world of increasingly data-driven economies, borders have become almost seamless. Data transfers form one of the most prominent global links not only among numerous firms within the same country, but also across several countries. On the other hand, despite increasing globalization and economic interdependence, a rise in inward-oriented tendencies can also be observed in the field of protection of personal data. As such, some governments are inclined to restrict the free flow of data by introducing legal requirements for data residency. Forced data residency, also known as data localization, refers to an attempt to erect barriers to avoid cross-border data transfers. One of the most compelling reasons for this tendency is the growing concern for efficient law enforcement, surveillance, detection of irregularities and management of socio-economic dynamics due to the decreasing control of certain governments over the data of millions of people (Sargsyan, 2016). Because one of the most prominent ways to collect data on a global scale is through social media platforms and e-commerce websites operated mainly by big tech companies, governments look for a way to keep the data within their reach by imposing new requirements on companies that both use and produce the data. Such requirements serve the purpose of asserting control over data, known as data sovereignty (Wu, 2021).

Nevertheless, considering the positive outcomes of globalization such as innovations and advanced hi-fi services, there are also counterarguments to data residency. To find a compromise, decision makers should carefully assess the concerns and legitimate claims of not only the proponents who support further data localization and control over the data but also the opponents who emphasize the benefits of the free flow of data and the potential drawbacks of data residency requirements. Reaching a consensus between these two stances requires an in-depth analysis of the advantages and disadvantages of both approaches, with an effort to minimize the cons through international cooperation and trust.

This article aims to present approaches toward data localization by reviewing various implementations from different jurisdictions. For this purpose, below we categorize the data residency policies across the world under four main groups, summarize the associated policies and then discuss the arguments for and against data localization practices.

b. Types of Data Localization

Data localization rules adopted by various jurisdictions can be examined under four main categories: (i) no transfer rules; (ii) local copy requirement; (iii) outsourcing restrictions; and (iv) conditional requirements.

No transfer rules are the strictest form of data sovereignty mechanisms: they require storing, transmitting and processing to take place at the local level and leave no room for cross-border data transfers. This mechanism can be observed in China, where critical data infrastructures (CIIOs) are required to store personal data in China (China: Data Localization Requirements, 2020). To elaborate, the Cybersecurity Law (CSL) obliges CIIOs to store personal data and critical data that concerns the national interests of the Chinese government and public. The Personal Information Protection Law (PIPL) and the Measures for Security Assessment of Cross-border Data Transfer introduced certain relaxations, albeit based on vaguely designed provisions, into the data localization requirements, which will be further evaluated in the following sections. Another example falling into the "no transfers" category is Indonesia, where Government Regulation No. 82 of 2012 requires electronic system operators, which are entities that provide systems to collect, analyze, store and/or disseminate information electronically as a public service, to have their data and recovery centers in Indonesia (Wildana, 2020). Nevertheless, due to the equivocal nature of the definition of "public services" under Indonesian laws, the data localization requirement was imposed very broadly on the electronic system operators until Government Regulation No. 71 shed light on the "public services" in 2019.

The local copy requirement, also known as data mirroring, enables governments to have easier access to data that is allowed to be transferred abroad with the precondition of keeping a local copy. Given the additional costs of maintaining a local copy of the data, this method is considered a mechanism to indirectly encourage data companies to localize data (IRSG and DAC Beachcroft LLP Report, 2020). For instance, the Indian government requires a copy to be stored locally if sensitive personal data will be transferred abroad (Wu, 2021). In detail, in the current form of the Personal Data Protection Bill of India, regardless of whether stored within the country or not, critical personal data is not allowed to leave the country except for extraordinary circumstances. On the other hand, sensitive personal data can be transferred abroad if certain conditions such as the data subject's explicit consent or specific authorization of the Indian Data Protection Authority are met and with the condition that a copy is stored in India (Basu, 2020; the National Law Review, 2022). Sensitive personal data under Indian laws covers not only the special category of personal data in the General Data Protection Regulation (GDPR) (e.g., data regarding health, religion, sexual life) but also financial information of the data subjects (IRSG and DAC Beachcroft LLP Report, 2020). It is important to note that more robust and comprehensive regulations are in sight due to the Joint Parliamentary Committee (JPC) 2019 report on the Personal Data Protection Bill, which suggests that the Indian government bring back the copies of sensitive and critical personal data to India (Chakraborty and Walia, 2022).

Several governments opt to regulate outsourcing activities, which eventually amounts to indirect data localization rules. This type of data localization is often observed in the financial services industry in Türkiye. To elaborate, Turkish banks must maintain their primary (i.e., infrastructure, hardware, software and data and other systems related to banking activities) and secondary (i.e., backup of the primary system) data systems in Türkiye. As part of the outsourcing restrictions, these requirements also apply to outsourced services such as cloud service providers. Similarly, outsourced service providers of the banks in Luxembourg and Switzerland are subject to strict legal rules to ensure the secrecy and security of the data concerned. Further, in Switzerland, cross-border data transfer of non-encrypted data is allowed only upon the prior explicit consent of the data subject (IRSG and DAC Beachcroft LLP Report, 2020). In Luxembourg, companies wishing to outsource services must be authorized by the Commission for Surveillance of the Financial Sector (IRSG and DAC Beachcroft LLP Report, 2020).

Last, in certain countries, cross-border data transfers are allowed only upon fulfillment of certain conditions by the transferor and/or the recipient country. For instance, as per the GDPR, whether personal data can be transferred outside the European Economic Area (EEA) or not is subject to fulfillment of one of the following criteria: (a) the recipient country has an adequate level of protection for personal data; (b) the transfer is based on appropriate safeguards with effective legal remedies; or (c) a derogation is allowed based on the specifics of the situation (e.g., consent of the data subject, transfer is necessary for the conclusion or performance of a contract).
