
Data Havens of Greater Concern than Tax Havens

  • Writer: CyberDelegate Official
  • Nov 5
  • 5 min read

As countries worldwide adopt data governance frameworks and cybersecurity laws, we see rules preventing cyber espionage and guarding data. However, these rules have also caused chaos and confusion in the foreign business community. Companies are scrambling to understand how the rules will affect their daily business operations and intellectual property. One part of the law that has particularly riled foreign tech companies in China centers around “data localization” or “data sovereignty.” Even in Turkey, the Parliament has approved personal data protection, causing vast aberrations in the method and compliance regime governing data. For example, after the law was imposed, the e-money operator PayPal withdrew from Turkey, citing “incompatible regulatory requirements” due to data localization. Therefore, we need to examine the need for data protection regulations, cross-border data transfer, and the various questions surrounding the rise of data havens.


The need for strong data regulation

Data regulation is directly related to trading goods and services in the digital economy. From a business perspective, insufficient protection can create an adverse market effect by reducing consumer confidence and restricting business. Therefore, the challenge is to ensure that laws consider the global nature and scope of their application and foster compatibility with other legal data governance frameworks. As a result, it will facilitate international trade and enhance reliance on the Internet. However, the question of what kind of regulation should govern data remains.


Diversity in data regulations around the world

The underlying privacy principles are interpreted differently in different jurisdictions, and social and cultural norms highlight this difference. In fact, according to this research, some protect privacy as a fundamental right, while others base the protection of individual privacy on other constitutional doctrines or torts. Therefore, we must understand the differences between the global interpretations of privacy principles and how they affect individuals, businesses, and international trade.


All users who use Google, Facebook, and WhatsApp enter into contracts with these companies under American law with a dispute resolution clause that requires them to arbitrate disputes with these companies in California. Most users do not even know they are giving up their rights under the local or national regulatory bodies when they agree to use them. Once the new law is enacted, these companies will have to change the terms of their user agreements and spend a significant amount ensuring compliance. However, let us presume that some foreign data companies decide that the Indian market’s value does not justify the cost of complying with Indian law “and the penalties that follow,” especially regarding data localization. This aspect also leads us to consider using services provided by “Data Havens.”


Perception Vs. Reality


Several studies have also tried to estimate the potential impact of data protection requirements that place an unreasonable burden on businesses or disrupt cross-border data transfers. For example, the proposed economy-wide data localization requirements would negatively impact GDP in several countries where such conditions have been considered.


For many countries considering forced data localization laws, local companies would be required to pay 30-60% more for their computing needs than if they could go outside the country’s borders. Moreover, if services trade and cross-border data flows are seriously disrupted between the EU and US, the negative impact on EU GDP could reach -0.8%. However, the data localization policy has also facilitated the domestic IT ecosystem in China. Therefore, the transaction cost economics of cross-border data flows is a critical aspect to solve.


It’s easy for users to take for granted that data collected online can flow between borders, partly because there are so many different types of data that companies can manage and move. For example, when users input their phone number on a foreign social media app, that data might be stored overseas on the company’s servers. Therefore, for an international business, regardless of where it is located, the question is “Where should data be hosted?” The easy answer is wherever the business wants. However, regulation considers both the business perspective on data governance and security and the social perspective.


From a business perspective, it makes sense for data collected worldwide to be “centralized” in one location. Businesses have to make arrangements with cloud service providers in the country or build their own data centers; either way, there is a cost involved. Data-driven organizations and companies engaged in cross-border data transactions transport data from one point to another, often using multiple nodes of data transit points scattered throughout the world to relay the information in the process.


The Internet automatically locates and funnels data through the closest available data node, switching directions and transferring data packets in seconds. These data nodes are located in different countries and are shared by Internet users worldwide. Because the origin and destination points are scattered across every corner of the globe, one single piece of legislation cannot account for all the necessary measures that need to be in place to enforce the protection and privacy of transferred data.


However, having disjointed or overlapping legislation, especially when dealing with an issue with drastic international repercussions, further exacerbates the already complex problem of trying to figure out a way to deal with the novel challenges of handling data and emerging digital technologies.


Therefore, most businesses choose the centralized system to ease trade and avoid regulatory requirements and compliance costs. Many researchers point out, however, that regulation contains monopolization and improves healthy competition. Yet this increase in regulation is also giving rise to data havens, and countries with a lenient data-regulatory framework are perceived to be more business-friendly and likely to benefit.


Moreover, in the past decade, we have also seen the rise of data havens simultaneously with the adoption of a data protection regime. To bring this into perspective, a data haven, like a tax haven, is a physical location that offers extra protection and refuge for unregulated data. Data havens are locations with legal environments that are friendly to the concept of a computer network freely holding data and even protecting its content and associated information. Tor’s onion space, HavenCo, and Freenet (decentralized) are three modern-day virtual data models. In 1978, the Data Protection Committee of Britain studied and presented an analysis expressing concerns that different privacy standards in other countries would lead to personal data transfer to countries with weaker data regulation. Today, we see this to be more accurate than ever.


Politicization of the domain

We have seen that international businesses favor lenient data regulation and a centralized data governance system. However, national governments worldwide do not share the view held by companies that data should live and move wherever they want. The motivations behind these disagreements vary by country, and different regions have taken different approaches to square private and corporate attitudes on data. For example, the EU has made it clear that it believes data belongs to the individual, not the companies that collect it. Therefore, it’s the government’s responsibility to protect it to ensure privacy. One way to do that is by keeping it inside Europe’s borders. However, the EU also recognizes that free data transfer is critical for free and fair trade, so it has worked out agreements on how commercial and personal data originating in one region can be protected when it moves to another.


Expected outcome



With the new data protection bill in the parliament, there will hopefully be better coordinated international regulatory policies developed to address certain essential aspects of cross-border data transfer, regulatory framework, and data havens. Such coordination is necessary to prevent an uncontrolled regulatory race to the bottom while at the same time preserving the benefits of privacy-centric applications. Furthermore, the government needs to understand and implement cyber-diplomacy so as to enhance international compatibility in protecting data and privacy, especially concerning international business and trade. Symmetry of data protection regulation worldwide is key to healthy cyber-governance for a secure cyberspace.


 
 
 
