On April 27, 2021, Portugal's data protection authority, the National Data Protection Commission, ordered Statistics Portugal, in carrying out the national census, to suspend processing of personal data in any third country that lacks adequate privacy protections, including the United States. According to the order, Statistics Portugal had not conducted a sufficient data protection impact assessment or provided for adequate additional safeguards in use of standard contractual clauses. Statistics Portugal was, therefore, ordered to suspend processing by its service provider, Cloudflare, within 12 hours of the decision.

The Portuguese decision lends new urgency to concerns that the European Union is moving toward data localization, with the decision noting that other countries in the Cloudflare network included China, India, Mexico and Russia.

Our research has found that data localization is a prominent theme in the nearly 200 comments submitted to the European Data Protection Board in response to its November 2020 draft guidance about transferring personal data from the EU to third countries.

Based on our review of these comments, approximately 25% of the nearly 200 comments submitted to the EDPB expressed concern that the draft guidance would result, in practice, in data localization. Slightly more than 10% of the comments spoke explicitly to the concern that the application of the guidance would result in data localization. Nearly an additional 15% of the submissions included language describing similar concepts without using the term data localization, such as return the EU commerce and society to a “pre-internet era,” transform the EU into a “digital island,” and “balkanize global data flows.”

We highlight five themes from the comments:

1. Many of the effects of the guidance would have adverse impacts specifically on the EU and its economy.
2. Although not a stated goal, implementation of the guidance would result in widespread data localization.
3. The guidance would have negative sector-specific effects.
4. Across sectors, the guidance would have pervasive, negative effects on current business operations.
5. The guidance would have broad effects on EU cross-border data flows, entirely apart from the much-discussed data flows between the EU and U.S.

The discussion here is part of our larger project on data localization, including the comments we submitted to the EDPB in December and published by the IAPP in January. A longer version of this article, detailing numerous additional comments, is being published by the Cross-Border Data Forum.

Background

In its comment to the EDPB, the privacy organization NOYB explained the “default position” under EU law for the last 25 years — beginning with the 1995 European Data Protection Directive and continuing with the strengthened General Data Protection Regulation — has been a “de facto” “export ban for personal data” leaving the EU unless certain protections of fundamental rights under European law are met.

In contrast to a general export ban, EU law and practice have also allowed cross-border commerce to continue, including the EU/U.S. bilateral trade and investment partnership valued at about 6 trillion euros. Georgia Tech Cross-Border Data Forum Research Director Peter Swire, CIPP/US (one of the authors of this article), discussed these ongoing transfers in “None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive,” writing, “Common sense suggests that these organizations [in countries without an adequacy decisions] should have a way to share information between their European and other operations when good privacy protections are in place. The opposite approach, a ban on transfers, would create economic harm in Europe and elsewhere and would lend credence to fears that the privacy laws are being used in a protectionist way to keep out non-European business.”

1. Many of the effects of the guidance would have adverse impacts specifically on the EU and its economy

Numerous commenters stated data localization would have both specific and more general adverse impacts on the EU and its economy. TechUK cautioned, “If implemented, the Recommendations will threaten the perception of the EU as open digital economy by introducing de facto data localisation through strict regulatory recommendations.” Comments expressed specific concerns that the implementation of the guidance could:

• Detrimentally impact the competitiveness of the EU — Dutch Confederation of Dutch Industries and Employees stated, “We remain united by our vision and commitment for a strong and competitive Europe and we fear Europe cannot remain competitive if localisation of data becomes a widespread practice.”
• Negatively affect growth of the EU startups and small- to -medium-sized enterprises — Allied for Startups suggested, “Digital development and globalisation should not suddenly be scaled back in the name of localisation. This will only deprive startups and SMEs of the best possibilities for onboarding efficient services, increase competitiveness, scale up and grow.”
• Raise data-hosting costs — British American Business estimated, “Localization requirements … increase data hosting costs by 30 to 60%.”
• Sever the EU from expertise and technology — Vodaphone cautioned, “Data localisation will sever European companies from the expertise and technology underlying the resilience, reliability and security of global supply chains with additional negative impacts to the global digital agenda across all European companies.”

More generally, Federation of European Direct and Interactive Marketing stated, “These recommendations will isolate the EU in terms of data transfers, trade, research and international cooperation. They send a general message of distrust and will encourage data localization.” The Centre for Information Policy Leadership noted “while a limited number of the services … might, in principle, continue with some form of data localisation, such services likely will be degraded and/or would become economically prohibitive or non-viable without effective cross-border data flows.”

2. Although not a stated goal, implementation of the guidance would result in widespread data localization

Approximately 25% of the comments submitted to the EDPB expressed concern that the guidance would result, in practice, in data localization. Many of these comments focused on use cases 6 and 7 in the guidance. The first five use cases, authorizing transfers, all involved situations when effective encryption or similar technical measures are in place. By contrast, a very wide range of actual transfers involve situations when a person in the third country can access personal data. Use case 6 covers “Transfer to cloud service providers or other processors that require access to data in the clear.” Use case 7 covers “Remote access to data for business purposes.”

The EDPB concluded that use cases 6 and 7 are “scenarios in which no effective measures could be found.” French legal scholar Théodore Christakis thus concluded the “EDPB Guidance seems nonetheless to prohibit almost all such transfers when the personal data is readable in the third country.” In other words, under the guidance, personal data must generally be localized, for situations when a person in the third country could actually understand the data.

3. The guidance would have negative sector-specific effects

To date, much of the commentary within the EU has focused on data flows concerning the largest digital platforms. Based on use case 6 and the comments, cloud providers and digital platforms would indeed be affected but so would numerous other sectors. The submissions of CIPL and the authors of this blog detail specific sectors other than digital platforms that would be significantly impacted by the guidance: financial services, nonprofit organizations, international education institutions and international conferences, as well as business and leisure travel.

With respect to the pandemic, CIPL noted “global (health care) research relies on global data sets and international clinical medical trials [that] are necessary to advance medicine and monitor the safety and effectiveness of existing medicine.” BritishAmerican Business raised concern that data localization would “limit vital activities such as communications between colleagues across borders, researchers and public health officials sharing data to fight COVID-19.”

4. Across sectors, the guidance would have pervasive, negative effects on current business operations

Numerous comments discuss the pervasive effects on current business operations across sectors. Our own submission highlighted that even “apparently simple and lawful data flows may not be so simple in practice” but instead may be “accompanied by multiple, routine, and ongoing transfers of personal data.” For businesses, the impacts may include the following categories:

• Core business functions — BritishAmerican Business, CIPL, Danish Entrepreneurs, DigitalEurope, European Games Developer Federation and TrustArc provided examples of core business functions that could be impacted, including HR records, remote working, paying salaries and communications between employees.
• Technical support — CIPL, EGDF, French Insurance Federation and TrustArc detailed the impacts to technical support, including the inability to outsource services, difficulties providing 24-hour customer service and lack of backup services.
• Background processing — CIPL and Danish Entrepreneurs noted that, in connection with specific purchases or other data processing, the following background processing could be disrupted: cloud services, money transfers, booking travel, shopping online, gaming online, communicating online and health-related wearables.
• Cybersecurity and fraud prevention — BritishAmerican Business, CIPL, MyData-TRUST and our own submission noted the ability to ensure effective cybersecurity and fraud prevention could be impacted.

5. The guidance would have broad effects on EU cross-border data flows, entirely apart from the much-discussed data flows between the EU and US

Much of the public debate post-"Schrems II" has focused on data flows between the EU and U.S. The case, however, explicitly applies to all “third countries” that lack an adequacy decision, thus including China, India and other major EU trading partners. Concerning these effects on China and other third countries, NOYB and our own writing reach similar conclusions. NOYB stated, “In certain cases technical measures may be able to overcome surveillance. …Without such approaches, international data transfers would in many situations become illegal, as third countries that do not adhere to minimum standards of rule of law, democracy, or human rights, would be able to undermine transfers between even the most well-intentioned third countries and the (European Economic Area).” Based on a 2019 study by the authors here, China does not adhere to the European standards of rule of law, democracy or human rights.

The effects on EU-China trade alone are large. As of 2021, China became the EU’s largest trading partner. During the pandemic, China signed a major trade agreement with EU, under which “European firms will gain permission to operate in China in electric cars, telecom cloud services and certain activities linked to air and maritime transport, such as ground handling.” As illustrated further in examples below, the guidance would appear to put at risk much cross-border economic activity with China. PrivacyRules’ comments highlighted similar risks for EU trade with India.

The comments from TechUK highlighted the risk that EU data localization could lead to retaliation against the EU by third countries: “With these Recommendations, the EU risks retaliation from other jurisdictions while also potentially incentivising further data localisation and restrictions on internet access in other parts of the world, ... potentially leading to a number of concerning human rights and privacy consequences.”

DigitalEurope’s comments provided specific case studies about impacts on EU businesses that seek to engage in business ventures with entities located in third countries: use of cloud service provider by European manufacturing company with factory for industrial parts in Mexico, remote access to data for joint venture between China and Germany businesses to build a car, and HR records remotely shared between French parent company and its subsidiaries outside the EU.

Conclusion

This article has summarized the discussion of data localization issues by approximately 25% of all the comments to the EDPB on its draft guidance. For many current practices, the comments indicate that organizations are concerned that implementation of the guidance would require data localization. In addition, the effect of legal requirements similar to the guidance will be a reason for organizations to reduce legal risk by adopting localization even where localization is not necessarily required. The decision in Portugal on April 27 means that regulators and organizations that process personal data will be considering data localization issues with new urgency.

The purpose of this article, instead of proposing specific legal changes, is to make the contents of the comments accessible to a broader range of readers. With that said, we close with two observations based on the comments.

First, data localization in the EU would quite possibly promote data localization elsewhere in the world, ultimately undermining data protection rights outside the EU. EU statements historically have often promoted an open digital economy, but other countries would see these current EU actions as supporting localization. In particular, data localization has long been touted as a means for law enforcement authorities to ensure speedy, direct and unrestricted access to personal data — data that today is often stored in a different country, under more stringent data protection laws that restrict government access to data. In countries that lack minimum standards of rule of law, democratic processes and protections for human rights, direct government access to data could act as a tool to suppress fundamental rights and civil liberties, including privacy. An unintended effect of the guidance may thus be to worsen data protection globally.

Second, although we did not track precise statistics, a recurring recommendation from the overall comments is to adopt a “risk-based” approach when assessing transfers to third countries. For example, many organizations have never received a foreign intelligence request, and many types of personal data are of little or no interest to national security agencies. Under a risk-based approach, organizations could conduct transfer impact assessments, adapting supplemental safeguards and use of derogations to the particular data transfer.

In closing, whether there has been any intention to promote data localization in the EU, the public comments indicate a widely shared and well-documented concern that implementing the guidance would indeed result in widespread data localization, as the Portuguese decisions suggests may be the case.

Photo by NASA on Unsplash