The Effects of Data Localization on Cybersecurity

44 Pages. Posted: 18 Feb 2022. Last revised: 12 Sep 2022


Peter Swire

Georgia Institute of Technology - Scheller College of Business; Georgia Tech Institute for Information Security & Privacy; Cross-Border Data Forum

DeBrae Kennedy-Mayo

Georgia Institute of Technology - Scheller College of Business

Date Written: June 24, 2022

Abstract

This paper is the first systematic examination of the effects of data localization laws on cybersecurity. This paper focuses on the effects of “hard” data localization, where transfer of data to other countries is prohibited. Other “softer” versions of data localization also exist, such as where a country requires a copy of data to be stored or mirrored in the country, but transfer of the data remains lawful. The discussion includes both de jure and de facto effects, including China’s explicit laws, recent enforcement actions in the European Union, and proposed privacy legislation in India. The focus is on effects on cybersecurity defense, rather than offensive cyber measures.

Part I provides background. Part II examines privacy and non-privacy reasons driving localization laws, including examining ways that cybersecurity might either reinforce privacy or exist in tension with it. Part III addresses the research for this paper. In addition to a traditional literature review, we reviewed approximately 200 comments submitted to the European Data Protection Board in late 2020 concerning data transfers. Approximately 25% of the comments discussed data localization or a similar concept.

Part IV provides a new categorization of the effects of data localization on cybersecurity. First, our analysis shows that data localization would threaten an organization’s ability to achieve integrated management of cybersecurity risk. 13 of the 14 ISO 27002 controls, as well as multiple sub-controls, would be negatively affected by data localization. As a specific finding, required localization in two or more nations clearly restricts the ability to conduct integrated cybersecurity management.

Second, the analysis explains how data localization pervasively limits provision of cybersecurity-related services by third parties, a global market of roughly $200 billion currently. Notably, data localization laws supported in the name of cybersecurity often undermine cybersecurity – purchasers in the locality are deprived of best-in-breed cybersecurity services, thereby making them systematically easier targets for attackers. Third, data localization threatens non-fee cooperation on cybersecurity defense. Notably, localization undermines information sharing for cybersecurity purposes, which policy leaders have emphasized as vital to effective cybersecurity.

Finally, until and unless proponents of localization address these concerns, scholars, policymakers, and practitioners have strong reason to consider significant cybersecurity harms in any overall analysis of whether to require localization.

Keywords: cybersecurity, privacy, data localization, GDPR

JEL Classification: K2, K33, F13, F15

Suggested Citation

Swire, Peter and Kennedy-Mayo, DeBrae, The Effects of Data Localization on Cybersecurity (June 24, 2022). Georgia Tech Scheller College of Business Research Paper No. 4030905, Available at SSRN: https://ssrn.com/abstract=4030905 or http://dx.doi.org/10.2139/ssrn.4030905

Peter Swire (Contact Author)

Georgia Institute of Technology - Scheller College of Business

800 West Peachtree St.
Atlanta, GA 30308
United States
(404) 894-2000 (Phone)

Georgia Tech Institute for Information Security & Privacy

Atlanta, GA 30332
United States

Cross-Border Data Forum

DeBrae Kennedy-Mayo

Georgia Institute of Technology - Scheller College of Business

800 West Peachtree St.
Atlanta, GA 30308
United States

