Swire & Kennedy-Mayo on The Effects of Data Localization on Cybersecurity

Peter Swire (Georgia Institute of Technology) and DeBrae Kennedy-Mayo (same) have posted “The Effects of Data Localization on Cybersecurity” on SSRN. Here is the abstract:

This paper is the first systematic examination of the effects of data localization laws on cybersecurity. This paper focuses on the effects of “hard” data localization, where transfer of data is prohibited to other countries. Other “softer” versions of data localization also exist, such as where a country requires a copy of data to be stored or mirrored in the country, but transfer of the data remains lawful. The discussion includes both de jure and de facto effects, including China’s explicit laws, recent enforcement actions in the European Union, and proposed privacy legislation in India. The focus is on effects on cybersecurity defense, rather than offensive cyber measures.

Part I provides background. Part II examines privacy and non-privacy reasons driving localization laws, including examining ways that cybersecurity might either reinforce privacy or exist in tension with it. Part III addresses the research for this paper. In addition to a traditional literature review, we reviewed approximately 200 comments submitted to the European Data Protection Board in late 2020 concerning data transfers. Approximately 25% of the comments discussed data localization or a similar concept.

Part IV provides a new categorization of the effects of data localization on cybersecurity. First, our analysis shows that data localization would threaten an organization’s ability to achieve integrated management of cybersecurity risk. 13 of the 14 ISO 27002 controls, as well as multiple sub-controls, would be negatively affected by data localization. As a specific finding, required localization in two or more nations clearly restricts the ability to conduct integrated cybersecurity management.

Second, the analysis explains how data localization pervasively limits provision of cybersecurity-related services by third parties, a global market of roughly $200 billion currently. Notably, data localization laws supported in the name of cybersecurity often undermine cybersecurity – purchasers in the locality are deprived of best-in-breed cybersecurity services, thereby making them systematically easier targets for attackers. Third, data localization threatens non-fee cooperation on cybersecurity defense. Notably, localization undermines information sharing for cybersecurity purposes, which policy leaders have emphasized as vital to effective cybersecurity.

Finally, until and unless proponents of localization address these concerns, scholars, policymakers, and practitioners have strong reason to consider significant cybersecurity harms in any overall analysis of whether to require localization.