Forced data localisation measures are on the rise around the world, fragmenting the Internet and increasing costs for businesses and consumers. Until the year 2000, only 15 measures were imposed globally. By 2007, the number of measures doubled and it more than doubled again until today.
The study has identified 22 data localisation measures where European Union Member States impose restrictions on the transfer of data to another Member State. The most common restrictions target company records, accounting data, banking, telecommunications, gambling and government data. In addition, there are at least 35 restrictions on data usage that could indirectly localise data within a certain Member State.
A real EU Single Market on data storage is yet to come into function in practice: Two-thirds of all demand for “ICT-related” services (consulting, hosting, development) are sourced locally within each Member State, while only 18% is sourced from the rest of the EU. Meanwhile, the cost difference of operating data centres can be considerable amongst the EU Member States, with the most expensive country being twice as expensive as the cheapest.
Data localisation measures create a major misallocation of resources and threaten the continent’s productivity and competitiveness. If data can be stored and processed anywhere within the EU, the move would boost the commitment to achieve a true Digital Single Market and send a clear political message that Europe is open for business.
If existing data localising measures are removed, GDP gains are estimated to up to 8 billion euros per year (up to 0.06% of GDP), which is on par with the gains of recent free trade agreements (FTAs) concluded by the EU. These gains approximate the impact of a fully price-transparent “industrial” DSM.
Even more striking gains from a ban on data localisation will stem from the ratchet effect – preventing EU Member States from imposing harmful data localisation measures in the future. The economic loss generated by full data localisation by each of the Member States would lead to a loss of EU-wide output by 52 billion euros per year (0.37% of GDP). This number will increase with further digitalisation of the European economy.
ECIPE gratefully acknowledges the support for this paper from Computer & Communications Industry Association Europe (CCIA Europe).
The online environment has rapidly become one of the most regulated areas of social and commercial interactions, often surpassing their traditional offline counterparts. Whether the objective is to protect personal data, tax revenues, or essential infrastructure, the sovereign is increasingly active in seeking continued jurisdiction over online activities of their citizens and firms. At times, it is not acting to fill a legal void but using disproportionate means to repatriate consumers and firms who use the internet to trade with or from other countries.
Perhaps one of the most draconian measures is data localisation, where governments are requiring mandatory storage of critical or trivial business data on servers physically located inside their territory. Whether the pretext is “restoring confidence” in the online commercial environment – or just plainly to “level the playing field” between domestic players and foreign competitors – data localisation effectively disrupts cross-border data flows and consumer access to online services. Meanwhile, production chains are increasingly digitalised. Even trade in goods and hard commodities – from cars to raw materials – depend on data access; various types of consumer services that were considered “untradeable” less than a decade ago are now exchanged online.
As the global policy environment inclines towards “data nationalism”, data localisation has become an effective non-tariff barrier (NTB) to trade (Chander, Lê, 2014). Previous literature established also that data localisation results in clear economic costs for the implementing economy, primarily through significant losses in productivity and competitiveness. Europe – as an export-led services economy under considerable competitive pressure – stands more to lose from such losses. Meanwhile, data localisation measures rarely contribute to their alleged policy objectives, as information security is not a function of where the data is physically stored.
Intra-EU Dimensions on Free Flow of Data
Whereas there are strict restrictions on data flows from the EU to other countries, there are fewer restrictions imposed on internal flow of data between EU Member States thanks to the existing Single Market disciplines on services. Nonetheless, a real Single Market on data storage is yet to come into function in practice: Two-thirds of all demand for “ICT-related” services (consulting, hosting, development) are sourced locally within each Member State, while only 18% is sourced from the rest of the EU.
The policy package under the Digital Single Market (DSM) includes consumer-driven initiatives such as a European Cloud as well as the prevention of “unjustified” geo-blocking as well as cross-border content portability. To augment DSM with a ban on “unjustified restrictions on the location of data for storage or processing purposes” as envisaged, would create an industrial dimension to free flows of data, which the DSM strategy currently lacks.
The policy context for such intra-EU discipline on data localisation measures is favourable and timely. An EU-wide discipline against data localisation that would not impair on the protection of personal information – and given the passing of General Data Protection Regulation (GDPR) ought to be depoliticised, or to the extent the issue could ever be in the European discourse. A data localization ban would not change or affect the privacy rules under GDPR, which already asserts free flow of personal data within the EU. Indeed, the current window of opportunity allows the EU to act before the EU Member States enact measures that could hurt other Member States and further fragment the Single Market.
The policy is also a matter of public communication: Despite the efforts of DSM (supplemented even by fiscal measures), the business is not yet fully convinced about the investment climate in Europe. Tech investment in Europe is rapidly catching up, reaching $8bn per year – which is still less than half of what Silicon Valley attracts from venture capitalists alone. A ban on data localisation measures is not only a guarantee that innovators of cloud technologies, big data and other new innovations are able to gain ground and scale up within Europe – it would also restore some of Europe’s credibility as a force to keep the global markets open. If the EU Member States follow the global trend towards data nationalism, then the DSM and the Single Market would have very little value in practice.
An economic assessment of policies on the digital economy are perilous endeavours, fraught with several methodological issues. This study builds on the methodology developed by the authors, which is accepted on methodological grounds, using a computable general equilibrium (CGE) model, which is a well-acknowledged methodology that is frequently used for trade and economic impact assessments by academia and policymakers worldwide as well as the European Commission. The impact of intra-EU data localisation is estimated in two parts: Firstly, the study looks at the liberalisation of existing regulatory data localisation measures (outlined in section two), given that the measures are also reasonably actionable. In addition, the study looks to the impact of economy-wide data localisation requirements imposed by each of the EU Member States to estimate the nominal economic damage that a data localisation ban would prevent.
 See Rentzhog, 2014; 2015.
 Notably ECIPE 2014, 2015; US Chamber of Commerce, 2013.
 General Data Protection Regulation 2016/679 (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).
 inter alia Articles 26 (internal market), 49 to 55 (establishment) and 56 to 62 (services) of the Treaty on the Functioning of the European Union (TFEU) and Services Directive (Directive 2006/123/EC on Services in the Internal Market)
 OECD, Trade in Value Added (TiVA) Database, 2015.
 European Commission, Proposal for a Regulation of the European Parliament and of the Council on addressing geo-blocking and other forms of discrimination based on customers’ nationality, place of residence or place of establishment within the internal market and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC, COM(2016) 289 final 2016/0152 (COD); on ensuring the cross-border portability of online content services in the internal market, COM(2015) 627 final 2015/0284 (COD).
 European Commission, VP Ansip, A Digital Single Market Strategy for Europe, SWD(2015) 100, 6 May 2015
 See note 4.
 Dow Jones Venturesource, 2015.
 van der Marel et al., 2015 and Bauer et al., 2014.
 See, e.g., Economic Impact Assessments conducted by Francois, 2013 and 2007.