Forced data localisation measures are on the rise around the world, fragmenting the Internet and increasing costs for businesses and consumers. Until the year 2000, only 15 measures were imposed globally. By 2007, the number of measures doubled and it more than doubled again until today.
The study has identified 22 data localisation measures where European Union Member States impose restrictions on the transfer of data to another Member State. The most common restrictions target company records, accounting data, banking, telecommunications, gambling and government data. In addition, there are at least 35 restrictions on data usage that could indirectly localise data within a certain Member State.
A real EU Single Market on data storage is yet to come into function in practice: Two-thirds of all demand for “ICT-related” services (consulting, hosting, development) are sourced locally within each Member State, while only 18% is sourced from the rest of the EU. Meanwhile, the cost difference of operating data centres can be considerable amongst the EU Member States, with the most expensive country being twice as expensive as the cheapest.
Data localisation measures create a major misallocation of resources and threaten the continent’s productivity and competitiveness. If data can be stored and processed anywhere within the EU, the move would boost the commitment to achieve a true Digital Single Market and send a clear political message that Europe is open for business.
If existing data localising measures are removed, GDP gains are estimated to up to 8 billion euros per year (up to 0.06% of GDP), which is on par with the gains of recent free trade agreements (FTAs) concluded by the EU. These gains approximate the impact of a fully price-transparent “industrial” DSM.
Even more striking gains from a ban on data localisation will stem from the ratchet effect – preventing EU Member States from imposing harmful data localisation measures in the future. The economic loss generated by full data localisation by each of the Member States would lead to a loss of EU-wide output by 52 billion euros per year (0.37% of GDP). This number will increase with further digitalisation of the European economy.
ECIPE gratefully acknowledges the support for this paper from Computer & Communications Industry Association Europe (CCIA Europe).
1. EU Regulatory Framework on Data
Access to foreign markets through trade liberalisation and globalised supply chains are major sources of growth, job creation and new investments. Given the nature of today’s interconnected economy, Member States’ policies that increase data storage and processing costs have an economic impact beyond telecoms and the internet. Manufacturing and exports are already, and increasingly, dependent on having access to a broad range of services at competitive prices – such as logistics, retail distribution, finance or professional services, which in turn are heavily dependent on secure and efficient access to data across a reasonably large area. When data must be confined within a Member State (that are mostly small or mid-sized economies), it does not merely affect internet-related services, but potentially any business that uses the internet to produce, deliver, and receive payments for their work, or to pay their salaries and taxes.
Many current restrictions are non-regulatory in nature, i.e. organisational decisions by individual firms rather than laws. For example, a bank or a public hospital may decide that its application vendors must store all its data on the premises, although there are no such obligations legally. However, the scope of this study is on those regulations which affect cross-border flow of data within the Single Market – in other words, law and decrees that blocks data transfers internally within the EU.
Many of today’s restrictions are related to what certain EU Member States consider to be its vital national and fiscal interests, and uneasiness about data not being made available to its law enforcement or tax authorities upon request. Given that outright blockages to transfer of data would contravene EU’s Four Freedoms and existing EU disciplines, several of today’s intra-EU restrictions relate to the national security exception, granting national security as “a sole responsibility of each Member State”. However, the Court of Justice of the European Union (CJEU) has reiterated in several rulings that such exception should be applied strictly and that the Member State requesting such exception should “prove that is necessary to have recourse to that derogation in order to protect its essential security interests”. While data localisation measures relating to public security, defence and state security clearly fall outside of the scope of EU law, such objectives cannot be used routinely or carte blanche to get out of Single Market commitments.
Another policy objective for localisation relates to data protection. The EU has a common set of data protection rules since 1995. In recent months, the GDPR was adopted by the European Parliament and will enter into force by mid-2018. Given the harmonisation of privacy legislation across the EU under the GDPR, privacy can no longer be a concern for intra-EU data flows. The current and coming data protection regime in the EU remains quite diverse, yet – at least on paper – data should be allowed to flow freely within the Single Market. Nonetheless, Member States have imposed a series of additional requirements – most of which predate the 1995 European Data Protection Directive.
 See note 5.
 Art. 4 (2) TFEU.
 See ECJ, European Commission v Italy, C-239/06, 15.12.2009, para 50; ZZ v UK Secretary of State of the Home Department, C-300/11, para 61, 4.6.2013.
 European Commission v Italy, para 46; ZZ v Secretary of State of the Home Department, para 45.