Mapping Data Localisation Measures
As data becomes a growing part of economic and social interactions, governments have become increasingly concerned about its use and misuse. Indeed, data raises specific challenges across a number of policy areas, including privacy and data protection, national security, digital security, intellectual property protection, regulatory reach, competition policy and industrial policy. These challenges are exacerbated when data crosses international jurisdictions; while the internet is, in many ways, borderless, regulations are not. 
As a result, governments have been updating and adapting their data policies, which has led to a rising number of regulations which either condition the movement of data across international borders, or which mandate that data be stored locally – this last category is also known as local storage requirements or data localisation.
Although there is no single or official definition of data localisation, it is often understood as an explicit requirement that data be stored and/or processed within the domestic territory. Overall, data localisation measures can be grouped into three broad categories.
- The first involves measures that mandate local storage but allow copies to be sent and processing to take place abroad. These measures are often applied in the context of ensuring that regulators do not encounter issues related to jurisdictional reach.
- The second broad category relates to measures which mandate local storage and allow transfer or processing abroad under clearly defined conditions. For example, the Electronic Health Records Act in Australia requires that health record information be stored in Australia but provides for access overseas in cases where access is needed by users (the data subjects) or by registered healthcare providers overseas.
- The third category of measures are those that mandate local storage and processing and prohibit transfers abroad (with ad hoc exceptions). These more sweeping restrictions can apply to a range of data, including banking, telecommunications or payment data, as well as to broader categories of information.
An analysis of existing measures shows that data localisation is on the rise. By 2021, there were a total of 92 data localisation measures in place across 39 countries. More than half of these have emerged over the last five years. Importantly, the measures themselves are becoming more restrictive; by 2021, two-thirds of measures in place involved a storage requirement with a flow prohibition (often implemented by non-OECD countries) – Figure 1.
Figure 1. Data localisation is growing and becoming more restrictive
Note: Data localisation measures are defined as explicit requirements that data be stored or processed domestically.
Source: López González, J., F. Casalini and J. Porras (2022), "A Preliminary Mapping of Data Localisation Measures", OECD Trade Policy Papers, No. 262, OECD Publishing, Paris, https://doi.org/10.1787/c5ca3fed-en.
Data localisation measures apply to a range of different sectors and data types. In terms of sectors, 33% of measures identified are cross-cutting. Half of these (i.e. around 16% of all measures) require that business data be stored domestically for access by relevant authorities (with no flow restriction). However, the other half include prohibitions on transfers in the context of personal or “important/critical” data. Another 23% of measures apply to financial, banking or payments and 15% to public sector data, both of which tend to involve storage requirements with flow prohibitions.
International discussions on data localisation have largely taken place in the context of preferential trade agreements (PTAs). By April 2022, there were 21 agreements with provisions banning data localisation (albeit each with different exceptions).
Although there is wide acknowledgement that data localisation can have negative economic implications, there is very little empirical evidence of the economic and societal implications of these measures. While benefits can be assessed against the stated objectives (e.g. whether the measure increases data or national security, or helps enable access by regulators), costs and the impacts on firm activity are likely to depend on both the nature of the measure and the extent to which firms rely on data to support their economic activities.
There is a need to better understand and monitor the evolving regulatory environment to enable better empirical analysis of the economic and societal implications of data localisation. This will also help in the context of devising rules on data localisation, including in PTAs or in the context of the WTO in discussions at the Joint Statement Initiative on e-commerce.