Data Localization

Requiring data to remain within national borders

In an age when information flows across borders as freely as capital once did, governments have increasingly sought to reassert territorial control over data. Data localization—the requirement that certain categories of data be stored and processed within national boundaries—represents one of the most consequential policy tools in the emerging contest over digital sovereignty. What began as a set of technical compliance questions has evolved into a fundamental debate about sovereignty, security, and the architecture of the global digital economy.

The scale of the data economy makes these questions urgent. Global data creation is projected to reach 175 zettabytes annually by 2025—more than a trillion gigabytes generated every day. Cross-border data flows grew roughly 45-fold between 2005 and 2021, adding an estimated $2.8 trillion to global GDP annually according to McKinsey research. The United States generates and consumes more data than any other nation, while China is rapidly catching up. The infrastructure supporting this flow—undersea cables, data centers, cloud platforms—has become critical infrastructure in the fullest sense, and controlling it has become a matter of high strategy.

Defining Data Localization

Data localization refers to legal and regulatory requirements that restrict the geographic location where data may be stored, processed, or transferred. These requirements vary considerably in scope and stringency. A 2021 OECD study identified over 100 countries with some form of data localization or cross-border transfer restriction in force—a dramatic increase from fewer than 40 a decade earlier.

Storage requirements mandate that copies of specified data categories must reside on servers physically located within a country’s borders. Some regimes require that the primary copy remain domestic; others accept that data may exist elsewhere so long as a local copy is maintained. Vietnam’s 2018 Cybersecurity Law, for instance, requires companies providing services to Vietnamese users to store personal data locally and maintain offices within Vietnam.

Processing requirements go further, stipulating that certain data operations—analysis, computation, access—must occur within national territory. This prevents data from being processed in foreign cloud facilities even if stored domestically. Indonesia’s 2019 Government Regulation 71 requires public sector data to be processed exclusively within Indonesian territory.

Transfer restrictions regulate or prohibit the movement of data across borders. Some frameworks require government approval for cross-border transfers; others ban such transfers entirely for sensitive categories. The European Union’s GDPR, while not a localization requirement per se, restricts transfers to countries lacking “adequate” data protection—effectively limiting where European data may travel. Only 15 countries and territories have received EU adequacy decisions, excluding major economies like China, India, Brazil, and (effectively) the United States until specific frameworks are negotiated.

Conditional localization permits cross-border flows under specified circumstances: consent of the data subject, contractual safeguards, binding corporate rules, or adequacy determinations about the recipient jurisdiction’s legal framework.

The data subject to localization requirements typically includes personal information, financial records, health data, government information, telecommunications metadata, and categories deemed sensitive to national security. The precise scope varies dramatically between jurisdictions—from narrow requirements covering only government data to comprehensive regimes encompassing virtually all personal information.

Motivations for Data Localization

Governments pursue data localization for overlapping and sometimes contradictory reasons:

National Security

The most frequently invoked rationale concerns security. Data stored abroad falls under foreign legal jurisdictions, potentially accessible to foreign intelligence services and law enforcement. The 2013 Snowden revelations—documenting NSA programs like PRISM (with access to data from Google, Facebook, Apple, and other American tech giants) and MUSCULAR (which tapped Google and Yahoo data center links)—demonstrated the extent of American surveillance capabilities and the vulnerability of data transiting American infrastructure. For many governments, the logical response was to ensure that sensitive information remains within reach of domestic authorities—and beyond the reach of foreign ones.

The scale of surveillance revealed was staggering. The NSA reportedly collected metadata on over 3 billion phone calls daily from American networks alone; the XKEYSCORE program allegedly provided access to “nearly everything a typical user does on the internet.” Brazilian President Dilma Rousseff, whose personal communications had been intercepted, cancelled a state visit to Washington. Germany discovered that Chancellor Angela Merkel’s mobile phone had been monitored for over a decade. Brazil and Germany subsequently sponsored UN resolutions on digital privacy and accelerated domestic data localization initiatives.

Security concerns extend beyond espionage. Critical infrastructure increasingly depends on data systems; financial networks, power grids, and telecommunications all require reliable data access. The 2020 SolarWinds hack—in which Russian intelligence compromised software used by 18,000 organizations including US government agencies—illustrated how foreign access to data infrastructure creates systemic vulnerabilities. Localization ensures that the data these systems depend on remains available even during international disputes and cannot be held hostage by foreign providers or governments.

Data localization addresses fundamental questions of legal authority. If a government wishes to compel disclosure of evidence for criminal investigations, serve legal process, or enforce privacy rights, it requires access to the relevant data. When that data resides on foreign servers operated by foreign companies, jurisdictional conflicts multiply.

The Microsoft Ireland case (2013-2018) crystallized the problem. The US government sought emails stored on Microsoft servers in Ireland; Microsoft argued that American warrants did not reach overseas data. The case produced conflicting court rulings before Congress mooted it by passing the CLOUD Act of 2018, which asserts US authority to compel American companies to produce data regardless of where it is stored—a direct challenge to other nations’ sovereignty claims. Ireland, whose data center industry employs over 7,000 people and hosts facilities for Google, Facebook, Microsoft, and Amazon, viewed this as American legal overreach.

Data localization represents one response: if data must remain within national borders, domestic law unambiguously applies, and foreign legal demands can be resisted. The EU’s proposed “e-Evidence” regulation would create mechanisms for cross-border data requests among EU members while potentially conflicting with American CLOUD Act claims.

Economic Development

Localization requirements serve industrial policy objectives. Mandating domestic data storage creates demand for local data centers, benefits domestic cloud providers, and may encourage foreign technology companies to invest in local infrastructure. The global data center market exceeds $250 billion annually; major facilities cost $1-2 billion to construct and employ hundreds of workers. For nations seeking to develop indigenous technology industries, localization offers a form of protection for nascent competitors against established foreign giants.

China’s experience is instructive. The “Great Firewall” and associated regulations effectively excluded American internet platforms, creating space for Baidu (search), Alibaba (e-commerce), Tencent (social media and messaging), and other domestic champions to develop. These companies are now worth hundreds of billions of dollars and employ millions. Whether this model can be replicated elsewhere—and at what cost to innovation and consumer welfare—remains debated.

The economic logic extends to data itself as an economic asset. If data is the raw material of the digital economy, governments may reasonably conclude that this resource should be processed domestically, generating local employment and value creation rather than enriching foreign firms. The “data is the new oil” metaphor, while imperfect, captures the intuition that allowing this resource to flow freely abroad represents a form of exploitation.

Privacy and Data Protection

Some localization requirements aim to ensure that national privacy standards apply to citizens’ data. If personal information can flow freely to jurisdictions with weaker protections, privacy rights become unenforceable. The European Union’s approach—permitting transfers only to countries with adequate protections—reflects this concern, even if it operates through transfer restrictions rather than strict localization.

The Schrems litigation demonstrated the stakes. Austrian privacy activist Max Schrems challenged Facebook’s transfer of European data to the United States, arguing that American surveillance practices violated EU privacy rights. The European Court of Justice agreed, invalidating first the Safe Harbor framework (Schrems I, 2015) and then its successor Privacy Shield (Schrems II, 2020). The current EU-US Data Privacy Framework, adopted in 2023, faces similar legal challenges. Over 5,000 companies had relied on these frameworks; their invalidation created compliance chaos.

Global Approaches

Different nations and regions have adopted distinctive approaches to data localization, reflecting their particular strategic circumstances and values:

The European Union

The EU has pursued regulatory sovereignty rather than strict localization. The General Data Protection Regulation establishes comprehensive standards for data processing that apply to any organization handling EU residents’ data, regardless of where the organization or the data is located. Cross-border transfers require adequate protection in the destination country or specific safeguards such as standard contractual clauses.

This approach allows data to flow but only to trusted destinations and under EU-compliant conditions. The Schrems decisions invalidating successive EU-U.S. data transfer frameworks demonstrate the regime’s teeth: even the world’s largest technology companies must comply or lose access to European markets.

European initiatives like GAIA-X seek to develop federated cloud infrastructure that would reduce dependence on American hyperscalers without requiring strict localization. The emphasis remains on maintaining European standards rather than physical containment of data.

China

China has implemented the most comprehensive localization regime among major economies. The Cybersecurity Law of 2017, the Data Security Law of 2021, and the Personal Information Protection Law of 2021 collectively require that critical information infrastructure operators store personal information and important data within China. Cross-border transfers require security assessments and government approval, with penalties including fines up to 50 million yuan (approximately $7 million) or 5% of annual revenue.

The Chinese approach serves multiple objectives simultaneously: enabling state surveillance (with legally mandated backdoors for security services), protecting domestic technology champions from foreign competition, and asserting sovereignty over the digital domain. Apple was required to store Chinese users’ iCloud data with a state-owned partner, Guizhou-Cloud Big Data (GCBD). Foreign companies operating in China must accept these conditions, including potential access by Chinese authorities, or exit the market—as Google effectively did in 2010.

China’s “data sovereignty” assertions extend globally. The Global Data Security Initiative, proposed in 2020, offers Beijing’s vision for international data governance emphasizing state sovereignty over data within national borders. The Digital Silk Road extends Chinese technology infrastructure—and implicitly Chinese data governance norms—to participating countries.

Russia

Russia implemented data localization requirements in 2015 (Federal Law 242-FZ), mandating that personal data of Russian citizens be stored on servers within Russian territory. The law led to the blocking of LinkedIn in November 2016, affecting 5 million Russian users. Facebook, Twitter, and Google faced repeated threats and fines but maintained access by establishing varying degrees of local data storage.

Russian localization requirements have expanded dramatically over time. The 2019 “sovereign internet” law (Federal Law 90-FZ) requires Russian internet traffic to be routable through state-controlled exchange points, enabling disconnection from the global internet if authorities deem it necessary. Telecommunications providers must retain and provide access to six months of communications content (not just metadata) under the “Yarovaya laws.” Following the 2022 Ukraine invasion, Russia has accelerated efforts to build a self-contained internet infrastructure—essentially a national intranet that could function independently of global connectivity.

The policy serves both surveillance objectives—ensuring the FSB can access communications data—and broader digital-sovereignty goals of reducing dependence on Western technology infrastructure. The 2022 sanctions regime, which saw Visa and Mastercard withdraw from Russia, validated the strategic logic of technological self-reliance, even if implementation has lagged ambition.

India

India has pursued an evolving approach to data localization. The Reserve Bank of India mandated in 2018 that payment system data be stored exclusively in India, affecting major platforms including Visa, Mastercard, and PayPal. Broader data localization proposals have been debated but not fully implemented as of 2025.

India’s position reflects its particular circumstances: a massive domestic market attractive to foreign technology companies, a growing technology sector seeking protection, security concerns following border conflicts with China, and democratic values that complicate adoption of the Chinese model.

The United States

The United States has historically opposed data localization, viewing it as a barrier to trade and an obstacle to American technology companies’ global operations. American policy has favored free data flows, reflecting both ideological commitments to internet openness and commercial interests in maintaining American platforms’ access to global markets.

However, American practice has grown more complex. Restrictions on Chinese technology—from Huawei equipment in telecommunications networks to TikTok’s data practices—reflect localization-adjacent concerns about data security. The CHIPS Act and related industrial policies aim to localize semiconductor production. The distinction between American opposition to others’ localization requirements and American restrictions on foreign technology has become increasingly difficult to maintain.

Trade-offs and Tensions

Data localization involves genuine trade-offs that resist easy resolution:

Security Versus Efficiency

Localization enhances certain security properties—data remains under domestic legal control, physically present for inspection, insulated from foreign government demands. But it also increases costs, as organizations must maintain infrastructure in multiple jurisdictions rather than centralizing operations. For smaller countries, the expense of building sovereign data infrastructure may exceed its security benefits.

Localization may paradoxically reduce security in some dimensions. Global cloud providers offer sophisticated security capabilities that smaller domestic providers cannot match. Fragmenting data across national boundaries may create more attack surfaces than consolidating it with well-resourced providers.

Economic Development Versus Integration

Localization may nurture domestic technology industries by ensuring a captive market for local providers. China’s firewall enabled the growth of Baidu, Alibaba, and Tencent. But protection from competition can also breed complacency; industries shielded from global markets may fail to develop globally competitive capabilities.

For developing economies, aggressive localization risks deterring foreign investment and limiting citizens’ access to global platforms and services. The benefits of integration—technology transfer, access to capital, participation in global value chains—must be weighed against sovereignty concerns.

Privacy Versus Access

Localization can protect privacy by ensuring domestic standards apply to citizens’ data. But it can equally facilitate surveillance by ensuring that data remains accessible to domestic authorities. The same Russian laws that keep data away from American intelligence services keep it available to the FSB. Whether localization enhances or threatens privacy depends entirely on the character of the localizing government.

Strategic Implications

Data localization has become a significant dimension of geoeconomic competition and great power rivalry, with implications extending far beyond technical compliance questions:

The fragmentation of the global internet into distinct regulatory zones—sometimes called the “splinternet”—accelerates as major powers impose incompatible requirements. Multinational companies must navigate a patchwork of localization mandates, maintaining separate infrastructure and data practices for different jurisdictions. A company operating globally might face GDPR in Europe, the Cybersecurity Law in China, data localization requirements in Russia, India, Vietnam, and Indonesia, and varying sector-specific mandates in dozens of other markets. Compliance costs are substantial: estimates suggest GDPR compliance alone cost Fortune 500 companies over $7.8 billion initially, with ongoing costs of $1.3 billion annually.

Localization requirements create leverage in international negotiations. Access to a large domestic market—conditional on data localization compliance—becomes a bargaining chip. India’s 1.4 billion potential users, China’s 1.4 billion, or the European Union’s 450 million give these jurisdictions significant power over global technology companies. When India’s Reserve Bank mandated payment data localization in 2018, Visa, Mastercard, and PayPal had no choice but to comply—the Indian market was too valuable to abandon.

The contest over data localization intersects with broader competition over technology standards, weaponized interdependence, and the future architecture of the digital economy. American technology dominance has enabled American surveillance and provided American companies with competitive advantages; data localization represents one response to this dominance. But localization itself enables surveillance by governments with poor human rights records and fragments markets in ways that may reduce innovation and consumer choice.

The economic costs of data localization are debated but potentially significant. The European Centre for International Political Economy estimated that strict data localization could reduce GDP by 0.5-1.1% in Brazil, the EU, India, Indonesia, Korea, and Vietnam. The Information Technology and Innovation Foundation calculated that strict localization would cost the EU economy 0.4% of GDP annually. These estimates are contested, but the direction of effect—that localization imposes efficiency costs—is generally accepted by economists.

For states navigating this landscape, data localization represents neither pure protectionism nor straightforward sovereignty assertion but a complex policy instrument with genuine costs and benefits. The challenge lies in calibrating requirements to achieve legitimate security and regulatory objectives without sacrificing the economic benefits of an integrated global digital economy—a balance that each nation must strike according to its own circumstances and values. The decisions made in the coming decade will determine whether the internet remains a global commons or fractures into digital territories as firmly bounded as the physical world.
