The Rise of Data Havens Due to Data Regulation

As countries worldwide adopt and implement data governance, and regulatory frameworks, including cybersecurity laws, the rules aim to prevent cyber espionage and guard national sovereignty. However, it has also caused chaos and confusion in the foreign business community. Companies are scrambling to understand how it will affect their daily business operations and intellectual property. This is primarily in the context of cross-border data transfers.

One part of the law that has particularly riled foreign tech companies in China centers around “data localization” or “data Sovereignty.” Even in Turkey, the Parliament has approved personal data protection, causing vast aberrations in the method and compliance regime governing data. After the law was imposed, the e-money operator PayPal withdrew from Turkey, citing “incompatible regulatory requirements” due to data localization. Therefore, there is a demand to look into the need for data protection regulations, cross-border data transfer, and the various questions revolving around the rise of data havens.

So, why is data regulation needed?

Data regulation directly relates to trading goods and services in the digital economy. Insufficient protection can create an adverse market effect by reducing consumer confidence and restricting business from a business perspective. Therefore, the challenge is to ensure that laws consider the global nature and scope of their application and foster compatibility with other legal data governance frameworks. As a result, it will facilitate international trade and enhance reliance on the Internet. However, the question remains: what kind of regulation do we require?

Diversity in Data Regulations around the World

The underlying privacy principles are interpreted differently in different jurisdictions. Moreover, the social and cultural norms highlight this difference. In fact, according to this research, some protect privacy as a fundamental right, while others base the protection of individual privacy on other constitutional doctrines or torts. Therefore, we must look forward to knowing the difference between the global interpretation of privacy principles and how it affects individuals, businesses, and international trade.

All users who use Google, Facebook, and WhatsApp enter into contracts with these companies under American law with a dispute resolution clause requiring them to arbitrate disputes with them in California. Most users must learn they are giving up their rights under the local or national regulatory bodies when they agree to use them. Once the new law is enacted, these companies have to change the terms of their user agreement, and they will have to spend a significant amount ensuring compliance. However, let us presume that some foreign data companies decide that the Indian market’s value does not justify the cost of complying with Indian law” and the penalties that follow,” especially provisions like data localization. Isn’t it still possible to use their services? This aspect also leads us to think about using “Data Havens” services.

Perception Vs. Reality

Several studies have also estimated the potential impact of data protection requirements that place an unreasonable burden on businesses or disrupt cross-border data transfers. For example, the proposed economy-wide data localization requirements would negatively impact GDP in several countries where such conditions have been considered. For many countries considering forced data localization laws, local companies would be required to pay 30-60% more for their computing needs than if they could go outside the country’s borders. However, if services trade and cross-border data flows are seriously disrupted between the EU and the U.S., the negative impact on EU GDP could reach -0.8% of that global Internet users have in online platforms trillion of this added value. However, the data localization policy has also facilitated the domestic IT ecosystem in China. There the transaction cost economics for cross-border data flows is a critical aspect to solve.

It’s easy for users to take for granted that data collected online can flow between borders, partly because there are so many types of data companies can manage and move. For example, when users input their phone number on a foreign social media app, that data might be stored overseas on the company’s servers. Therefore, from an international business perspective, regardless of where they are located, “Where should data be hosted?” And the easy answer is – It is wherever the business wants. However, regulation considers the business perspective on data governance, security, and social perspectives.

From a business perspective, it makes sense for data collected worldwide to be “centralized” in one location. Businesses have to make arrangements with cloud service providers in the country or build their own data centers; either way, there is a cost involved. Data-Driven organizations and companies engaged in cross-border data transactions transport data from one point to another, often using multiple nodes of data transit points scattered throughout the world to relay the information in the process. The Internet automatically locates and funnels data through the closest available data node, switching directions and transferring data packets in seconds. These data nodes are located in different countries and are shared by Internet users worldwide. Because the origin and destination points are scattered across every corner of the globe, one single piece of legislation cannot account for all the necessary measures that need to be in place to enforce the protection and privacy of transferred data. However, having disjointed or overlapping legislation, especially when dealing with an issue with drastic international repercussions, further exacerbates the already complex problem of trying to figure out how to deal with the novel challenges of handling data and emerging digital technologies.

Therefore, most businesses choose the centralized system for ease of doing business and to avoid regulatory requirements and compliance costs. However, many researchers point out that regulation contains monopolization and improves healthy competition. However, this increase in law is also giving rise to data havens. The countries with a lenient data-regulatory framework are perceived to be more business-friendly and, therefore, likely to benefit.

Moreover, in the past decade, we have also seen the rise of data havens simultaneously with the adoption a data protection regime. To bring this into perspective, a data haven, like a tax haven, is a physical location that offers extra protection and refuge for unregulated data. Data havens are locations with legal environments that are friendly to the concept of a computer network freely holding data and protecting its content and associated information. Tor’s onion space, HavenCo, and Freenet (decentralized) are three modern-day virtual data models. In 1978, the Data Protection Committee of Britain studied and presented an analysis with expressed concerns that different privacy standards in other countries would lead to personal data transfer to countries with weaker data regulations. Today, we see this to be more accurate than before.

Is the context more political?

We have seen that international businesses favor lenient data regulation and a centralized data governance system. However, national governments worldwide do not share the view selected by companies that data should live and move wherever they want. Yet the motivations behind these disagreements vary by country, and other regions have taken different approaches to square private and corporate attitudes on data. For example, the EU has made it clear that it believes data belongs to the individual, not the companies that collect it. Therefore, it’s the government’s responsibility to protect it to ensure privacy. And one way to do that is by keeping it inside Europe’s borders. However, it also recognizes that free data transfer is critical for free and fair trade. Therefore, it has worked out agreements on how commercial and personal data originating in one region can be protected when it moves to another.

Better coordinated international regulatory policies should be developed to address certain essential aspects of cross-border data transfer, regulatory framework, and data havens. Such coordination is necessary to prevent an uncontrolled regulatory race to the bottom while at the same time preserving the benefits of privacy-centric applications. There is also a need to enhance international compatibility in protecting data and privacy, especially concerning international business and trade.