Strict privacy regimes, requests to use local data centres and outright bans on transferring data abroad are a few examples of recently imposed policies that restrict data from crossing national or regional borders. This paper is the first to propose a comprehensive taxonomy of these restrictions, which has a bearing on international trade law.
I would like to thank my colleagues Hosuk Lee-Makiyama and Erik Van der Marel for the precious discussions that guided the development of this taxonomy. I am also grateful to Anupam Chander, Martin Luther King, Jr. Professor of Law at the University of California, Davis, for his helpful comments.
2. A taxonomy of restrictions to data flows
From a trade perspective, restrictions on data flows can be defined as all those measures that raise the cost of conducting business across borders by either mandating companies to keep data within a certain border or by imposing additional requirements for data to be transferred abroad. These measures are very different in how they are designed and implemented.
Despite their heterogeneity, restrictions on data flows share a common trait: private entities are de facto forced to keep their data locally or bear higher costs for sending or processing their data abroad. These requirements can be imposed by local, central or regional governments, or in certain cases by a single public entity, such as a hospital.
Restrictions on cross-border data flows can be categorised as “strict” when they specifically require data to be stored locally or as “conditional” when they impose certain conditions for data to be transferred cross-border. Both cases increase the cost of data transfers and can, therefore, result in the localisation of data.
Strict and conditional restrictions to cross-border data flow can be classified as follows:
A. Strict restrictions on cross-border data flows:
I: Local storage requirement;
II: Local storage and processing requirement;
III: Ban on data transfer (i.e. local storage, local processing and local access requirement).
B. Conditional restrictions to cross-border data flows:
I: Conditional flow regime where conditions apply to the recipient country;
II: Conditional flow regime where conditions apply to the data controller or data processor.
Figure 2 summarises the types of restrictions on cross-border data flows from the least restrictive regime of the free flow of data across borders to the most restrictive option of a ban on the transfer of data abroad. As shown in the figure (and explained in detail below), the conditional flow regime can result in a system in which data can flow freely when the conditions are fulfilled, or in a ban on the transfer of data when the conditions are not fulfilled.
While it is relatively straightforward to conclude that more restrictive measures on data imply higher costs for businesses, it is not easy to assess whether a conditional regime on data flows can be more or less costly than other regimes. This can only be assessed by looking at the specificities of the regime. In any case, the restrictiveness of any measure on trade depends on the type of data affected as well as the sectors covered by the measure.
2.1. Local storage requirement
When a local storage requirement applies, the data cannot be transferred across borders unless a copy is stored within the borders of the country (or the jurisdiction which has imposed the requirement). In such cases, as long as a copy of the data is saved domestically, data storage and processing activities can also take place outside the country and a business can operate as usual.
In most cases, this requirement applies to specific data such as tax and accounting records, corporate or social documents, and, in rare cases, public archives. For example, the Swedish Bookkeeping Act requires documents such as a company’s annual (financial) reports and balance sheets to be physically stored in Sweden for a period of seven years.
2.2. Local processing requirement
In addition to local storage requirements, localisation could also extend to the processing of data. This means that the company needs to use data centres located in the country for the main processing of the data. The company is therefore required either to build a data centre or to switch to local providers of data processing solutions. Alternatively, the company might decide to leave the market altogether. If this regime applies, the company can still send the data abroad, for example to the parent company, after the main processing.
Such requirements have recently been introduced in Russia, with the amendment of the Russian data protection law by the Federal Law No. 242-FZ in July 2014. Article 18 §5 requires data operators to ensure that the recording, systematization, accumulation, storage, update/amendment and retrieval of personal data of the citizens of the Russian Federation is made using databases located in the Russian Federation.
2.3. Ban on data transfer
The third and most stringent type of restriction on cross-border data flows consists of a ban on transferring the data across borders. Data therefore has to be stored, processed and accessed within the territory of the implementing country. Such a policy usually applies to specific sets of data considered especially sensitive, such as health or financial data.
The difference between a ban on data transfer and a local processing requirement can be quite subtle. One might argue that a storage and processing requirement taken together is de facto a ban on transfers. However, in the case of a ban on transfers, the company is not allowed to even send a copy of its data abroad, which can be important for lag-free communication between subsidiaries, or for the security of data. In both cases, however, the main data processing activities need to be done in the country.
To date, there is no country that imposes an economy-wide ban on the transfer of all data abroad, regardless of the nature of the data. However, some jurisdictions impose bans on the transfer of specific sets of data. For example, Australia requires that no personal electronic health information is held or processed outside national borders. Another example is two provinces of Canada (British Columbia and Nova Scotia) which have enacted laws that require personal information held by public institutions (such as schools, universities, hospitals or other government-owned utilities and agencies) to stay in Canada – with only a few limited exceptions.
2.4. Conditional flow regime
When a conditional flow regime is in place, the transfer of the data abroad is forbidden unless certain conditions are fulfilled. The conditions can apply to the recipient country, to the company, or to both the recipient country and the company. In most cases, it is enough that one of the alternative options is fulfilled in order for the company to transfer data abroad. If the conditions are stringent and cannot be fulfilled by either the recipient country or the company, the measure results in a ban on the transfer of data abroad.
The European regime of data protection is a typical example of a conditional regime. Under European law, conditions apply to both the recipient country and the transferring entity. In the first case, the company can transfer data abroad to countries with an “adequate level of protection”. In the second case, even when the recipient country is not deemed adequate, data can be transferred and processed overseas if the transferee fulfils certain conditions.
The most common condition is the consent of the data subject for cross-border transfer. This condition, as is also the case for most of the conditions, can be more or less strict, and its interpretation or enforcement may vary. For example, the General Data Protection Regulation (GDPR) requires that the data subject has “explicitly” consented to the data transfer abroad, while the previous EU directive allowed controllers to rely on an “unambiguous” consent by the data subject.
Alternative means to fulfil the conditions under EU law and other conditional regimes include the use of Binding Corporate Rules or the condition that the transfer is necessary to complete the contract concluded with the data subject. There are also exceptions for cases where a transfer is necessary for medical treatment for the data subject, or where transfers serve the public interest; or when a transfer falls within the scope of international judicial cooperation. Also, the information transferred may already be in the public domain – e.g. already published and available legally on the internet. Any of the alternatives listed in the regulatory texts on data flows can be used by an entity as a legal basis for transferring data abroad.
A particular condition imposed in certain jurisdictions with conditional flow regimes is the infrastructure requirement. When this requirement applies, the firm must build a server locally in order to operate in the country. An example of this condition is in Vietnam, where any company that wants to process data is required to build at least one server in the country “serving the inspection, storage, and provision of information at the request of competent state management agencies”. Also in this case, the regime could easily turn into a local processing requirement if the server has to be used to process all information managed by the data controller or data processor.
 Obviously, when service suppliers offer to keep their customer’s data locally based on commercial reasons, these do not qualify as a trade restriction.
 In certain cases, it is not easy to discern whether a measure is a ban on transfer, a local processing requirement or a conditional flow regime. In fact, bans on transfer and local processing requirements often have certain exceptions which could be interpreted as a conditional flow regime.
 For example, a measure which applies to a specific set of accounting data would usually be less restrictive for companies than a measure that applies to all personal data.
 Bokföringslag (1999:1078). December 1999.
 Federal law 21.07.2014 №242-FZ “On the amendment of certain legislative acts of Russian Federation concerning the procession of personal data in computer networks”. July 2014. See ECIPE (2015).
 Section 77 of the Personally Controlled Electronic Health Record Act of 2012. Act No. 63, 2012. June 2012.
 Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165, s. 30.1.
 Personal Information International Disclosure Protection Act, S.N.S. 2006, c. 3, s. 5(1). November 2006.
 The European Union is currently updating its data protection regime by replacing the Directive 95/46/EC with the General Data Protection Regulation (GDPR). The GDPR will enter into force in May 2018.
 As of today, 12 jurisdictions have been deemed to have an adequate level of protection: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Jersey, the Isle of Man, Israel, New Zealand, Switzerland and Uruguay. In addition, the EU/US Safe Harbour acted as a self-certification system open to certain US companies for the data protection compliance, until its invalidation by the European Court of Justice in October 2015. The system has now been replaced by the Privacy Shield.
 Article 49 of the General Data Protection Regulation, Regulation (EU) 2016/679. May 2016.
 Article 26 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
 These requirements would be referred to as ‘performance requirements’ under investment law.
 Decree No. 72/2013/ND-CP of July 15, 2013, on the Management, Provision and Use of Internet Services and Online Information.