The Human Rights Costs of Data Localization Around the World

Four civil society experts weigh in on why data localization is becoming an increasingly common policy and what this means for people’s rights.

Data localization, in which companies are mandated to store personal data on local servers, is a growing policy area. But particularly in contexts with poor rule of law, such requirements can allow authorities to access people’s data more easily, creating a fertile ground for human rights abuses. Restricting the free flow of data also accelerates the fragmentation of the global internet.

Last October, debate on this topic was again thrown on the international stage when the United States Trade Representative withdrew its support for cross-border data flows at the World Trade Organization. In doing so, the USTR risks exacerbating the growing prevalence of data localization and encouraging other governments to follow suit.

In the discussion below, Freedom House's Allie Funk and Jennifer Brody interview four experts analyzing data localization across Africa, Asia, and Eastern Europe:

• Alena Epifanova, Research Fellow at the German Council on Foreign Relations (DGAP)
• Lillian Nalwoga, Programme Manager at the Collaboration on International ICT Policy for East and Southern Africa (CIPESA)
• Shmyla Khan, Digital Rights Researcher and Campaigner
• Sabhanaz Rashid Diya, Founder and Executive Director of the Tech Global Institute

The discussion sheds light on the myriad ways in which data localization is incorporated into law, the complex drivers behind it and associated human rights implications, and how democratic leaders can support global civil society’s work to protect human rights online. Note: this record of the conversation has been lightly edited for clarity and concision.

Allie Funk and Jennifer Brody:

Data localization comes in many different forms depending on a country’s political and legal context. How has this issue emerged in the country or region you focus on?

Alena Epifanova:

The data localization law was adopted in Russia in July 2014 against the backdrop of escalating tensions with the West following Edward Snowden’s revelations about US government surveillance, as well as Russia’s annexation of Crimea. The Kremlin’s perception that digital technologies and data could be weaponized against Russia from foreign actors has significantly grown and triggered a shift to strengthening sovereignty. During the same time, Putin’s regime faced the largest protests in Russia since the 1990s and aimed to assert the upper hand in controlling all levels of Russian political life and society.

Lillian Nalwoga:

Data localization is becoming a growing trend in Africa with a number of countries enacting data protection laws that require data to be stored locally and forbid cross-border transfers of personal data unless authorized by the data protection authorities or designated entities. Governments are using cybersecurity, financial services, and telecommunication regulations to do this.

Sabhanaz Rashid Diya:

Data localization has been a growing trend in Asia with many governments enacting legislation that mandate varying degrees of restrictions on cross-border transfers. In Bangladesh, financial services regulations have been used to impose sector-specific local data storage requirements for resident companies. Since 2020, various drafts of the Data Protection Act have imposed forms of mandatory restrictions on international data transfers for both resident and non-resident entities. The country’s most recent draft imposes a de facto restriction on cross-border transfer of personal data by making it contingent on having bilateral, regional, or multilateral agreements with transferee countries, while requiring mandatory storage of "classified data," a term undefined in the statute.

Shmyla Khan:

Data localization in Pakistan has cropped up in two pieces of proposed legislation: the draft Personal Data Protection Bill and the Rules for Removal and Blocking of Unlawful Online Content (Procedure, Oversight, and Safeguards) Rules, 2020 which focus on “securing” “sensitive personal data” within the boundaries of the country. These laws also require social media companies to register inside the country and establish local offices.

Allie Funk and Jennifer Brody:

Freedom House has developed a three-tiered approach to assess the extent to which data localization policies impact privacy, free expression, due process, and other fundamental freedoms. What are you concerned about from a human rights perspective? How have you seen these concerns play out?

Lillian Nalwoga:

Unfettered access to personal data undermines data privacy as it gives states the ability to surveil users as and when needed. In Africa, countries with data localization policies are also spending billions of US dollars to buy surveillance technologies and implement data collection programs. Many countries lack the necessary measures to protect personal data, such as adequate privacy laws, and where these laws are present, their implementation is wanting.

Alena Epifanova:

When coupled with additional legislation, data localization laws and user data protection measures can be exploited for mass surveillance purposes. In 2016, Russia enacted two federal bills collectively referred to as the “Yarovaya Law.” This legislation mandates Internet Service Providers and online platforms to retain user data, including messages, phone calls, images, and other information, for a duration of up to six months. Moreover, it grants the Federal Security Service of Russia (FSB) access to this data upon request, even in the absence of a court order; for instance, the FSB got access to databases of taxi companies in 2023.

Shmyla Khan:

Within the Pakistani context, the state, particularly the military establishment, already has access to vast amounts of information and is largely unaccountable. The prospect of having personal data stored on local servers further allows the state to prosecute people for offenses relating to their online speech, such as religious expression or for alleged sedition. It also reduces companies’ ability to refuse data requests.

Sabhanaz Rashid Diya:

States are increasingly leaning towards legalization of access to vast amounts of personal data without procedural guardrails, expanding their ability to surveil and suppress people. For example, the Bangladesh Telecommunication Regulatory Act, 2018, has provisions requiring telecommunication operators to hand over personal data about their users to law enforcement agencies, else risk losing their licenses. Similar provisions were introduced in both the Cyber Security Act, 2023 and the draft Data Protection Act, 2023. Similarly, India’s Digital Personal Data Protection Act, 2023, provides broad exemptions to government entities from procedural guardrails and allows access to personal data on vague grounds of national security and public order. If storage in domestic servers becomes mandatory, then it becomes easier for state entities to coerce access to sensitive data that exacerbates surveillance and self-censorship.

Allie Funk and Jennifer Brody:

Any other concerns you want to bring up about the impact of these laws?

Alena Epifanova:

Data localization contributes to the fragmentation of the global internet. More and more countries are seeking to assert their sovereignty, build their own internet infrastructure, and introduce their own regulations on data flow. The splintering of the global internet is already impacting how people access information, express themselves online, and communicate with each other.

Shmyla Khan:

Countries like Pakistan lack the necessary technical and energy capacity (the country experiences frequent electricity “load shedding”) to host such servers. It also creates security issues for the data collected as the country lacks good digital security protocols.

Sabhanaz Rashid Diya:

Many Global Majority countries lack the institutional safeguards and infrastructure capacities to keep personal data secure within their national borders. This risks more frequent data breach and privacy violations with little to no meaningful recourse available to the general public.

Allie Funk and Jennifer Brody:

Policymakers often pursue data localization in an attempt to tackle legitimate concerns that deserve thoughtful policy responses– such as cybersecurity, better protections for data, bolstering local tech sectors, or countering tech companies’ monopolistic practices. Do you have ideas for more rights respecting solutions to these problems?

Sabhanaz Rashid Diya:

There is substantive evidence that data localization alone cannot bolster local tech sectors or strengthen cybersecurity. Many governments are still pursuing the idea that if only they had access to more data, then many overarching national security challenges would be resolved.

However, in the absence of investigation capabilities, investments in local tech sectors, developing talent pipelines, robust competition laws, and mainstreaming media literacy, data localization can do little to respond to any of the aforementioned gaps. The “money” in data lies with its processing, not storage, therefore, countries will generally benefit more from creating incentives to boost their local tech sectors and ecosystems.

Lillian Nalwoga:

Governments need to draw a balance between data localization, data privacy, and digital transformation agendas. In the case of Africa, different countries are at different levels of digital development and adoption. Restrictions on cross-border data transfers may not only impede efforts to meet the localization demands mandated by certain laws but also limit progress toward adopting their digital transformation agendas.

Shmyla Khan:

The government has often used the rubric of tackling cybercrimes and national security concerns to justify these laws. However, history shows that many laws made on this basis of national security are used to silence dissent online.

Allie Funk and Jennifer Brody:

How can democratic governments engage and support civil society’s efforts to counter data localization?

Alena Epifanova:

Democratic policymakers should foster a discussion on the concept of digital sovereignty, which revolves around individual’s self-determination and democratic values in the digital realm. Conducting human rights assessments of proposed data localization policies should be imperative. Enhancing international cooperation within organizations such as the World Trade Organization, G20, and the Organization for Economic Co-operation and Development is crucial to ensure the unrestricted flow of data.

Lillian Nalwoga:

I agree with Alena. Democratic governments can provide aid to strengthen infrastructure and invest in innovation and human capital skilling.

Sabhanaz Rashid Diya:

Civil society is doing the hard work to navigate a myriad of legislation and to create better regulatory frameworks, but they need the short- and long-term support to do this work. This includes both financial resources and capacity building opportunities. Democratic policymakers should also support civil society’s efforts to explore alternative governance models and regulatory innovation. There is not a one-size-fits-all approach to regulating digital ecosystems. What works in one country may not work in another. Instead, laws should be reflective of local needs and communities’ realities, while ensuring legislation abides by international human rights law and democratic standards of transparency and inclusivity.

Shmyla Khan:

Most countries in the Global South feel left out of the gains from the tech industry, and thus feel compelled to adopt nativist strategies such as data localization to gain more control over data. Democratic actors can help ensure that the benefits from digital technology are equitably distributed and that governments have the resources and capacity to deal with a changing world. They can also strengthen support for local civil society, who are best placed to have these nuanced conversations that can balance the need for regulation of big tech while resisting efforts by undemocratic governments to assert control over personal data.