1. Reads
  2. Deep Dives

What is Data Localisation? Why is Facebook Threatening to Exit Europe?

Feb 16, 2022 7:59 AM 6 min read

Accelerating customer churn, subpar quarterly numbers and serious doubts about Facebook’s metaverse pivot aren’t the only things currently ailing Mark Zuckerberg’s mind.

Last Thursday, Meta Platforms made a brow-raising claim in its annual report: If European regulators move to restrict the transfer of European users’ data across the Atlantic to Menlo Park, Meta would “likely be unable to offer…Facebook and Instagram in Europe”.

The point of contention was the European Union’s ongoing overhaul of legislation governing cross-border data flows. There are widespread expectations that Brussels will restrict the transfer of user data, requiring the same to be stored and processed within the EU itself.

For its part, Facebook fears that barriers to accessing user data impinges on its most critical avenue for revenue-generation - targeted ads. Given that Apple’s move last year to give users more leeway in tackling app-tracking is already hurting Meta’s margins, the last thing the social media giant needs is an EU-sized obstacle.

That said, it is highly unlikely that Meta will actually exit a market as large and lucrative as Europe. However, this episode does shed light on one of the most divisive areas of the evolving international digital law scene - that of data localisation. In terms of controversy, it is perhaps second only to the question of cross-border taxation of digital companies (India’s tryst with that debate is currently in a state of uneasy limbo, after it reached an understanding with Washington to impose its equalisation tax only till FY24).

Brouhaha in Brussels

The Meta-EU case dates back to 2013, when the Edward Snowden revelations - that US intelligence agencies spied on European leaders and citizens - catalysed concerns over American tech companies’ repositories of European citizens’ data.  

This set the ball rolling, culminating in the 2015 judgement by the European Court of Justice (ECJ) that cited EU law prohibiting the transfer of Europeans’ data to jurisdictions adjudged to be non-compliant with EU standards, a list to which the US was added. This ended a 15-year status quo called “Safe Harbour”, which enabled seamless transatlantic data flow.

Safe Harbour was the backbone of several industries on both sides of the Pond. To avoid large-scale disruptions, officials quickly negotiated a new set of rules called “Privacy Shield” in 2016. This had added privacy protections, but in the coming years EU data legislation expanded and matured, most notably since the implementation of the General Data Protection Regulation (GDPR) in 2018. 

Multiple legal challenges and Trumpian outbursts later, the ECJ declared the Privacy Shield as invalid too (in 2020). Which is why European regulators are now coming up with new, updated rules - rules that have Menlo Park on edge.


A Global Issue

The EU-Meta case may be dominating tech headlines but, much like data itself, concerns over cross-border data flows know no borders.

They are a political talking-point in Indonesia. They have propelled Russia to enact some of the most stringent data localisation statues outside China. Australia, one of the stalwarts in the fight against Big Tech largesse, recently reworked its data governance laws. 

And India, while still in the process of drafting its personal data protection law, is witnessing a lively debate on the issue - which is warranted considering it's the world’s second-largest digital economy and the largest “free” one, knowing how zealously China hides large swathes of the internet from its citizens. (But TBF, China is a ridiculously low bar vis-a-vis civil rights and “free” is a strictly relative term considering that we also ominously lead the world in internet shutdowns and Twitter takedowns.)


But What is Data Localisation, Anyway?

It’s become a cliche to say that data is the new oil. But underlining just how crucial data has become to the global economy today is still exhilarating: Between 1992 and 2017, global internet traffic jumped from a mere 100 GB/day to 46.6 TB/second. This year, this number is expected to rocket further up to a stunning 150.7 TB/second!

“Data localisation” is a catch-all term for the policies that govern how data generated from one jurisdiction can be stored and processed by a company in another jurisdiction. Specifically, it endeavours to ensure the domestic storage and processing of data, especially data considered sensitive or critical. 

It’s a simple premise, really. In the Digital Age, the internet - and, therefore, data - doesn’t recognise borders. The law, however, does. As such, data localisation is antithetical to free cross-border data flow. A Great Data Firewall, if you will.

Data localisation itself comes in many forms. Broadly, “soft” (data stored in the same country but can be processed elsewhere after permission is granted) and “hard” localisation (storage and processing both required to be done locally, with no scope for data mirroring). There are also unconditional (rules for all/most kinds of data) and conditional localisation (rules for only some kinds of data).


Data and the Republic

Data localisation entered Indian mainstream discourse in 2018, when the RBI issued a directive asking all companies to store payments-related data locally. Around the same time, the Srikrishna Committee tabled the first draft of the Data Protection Bill (which is yet to be tabled in Parliament). 

That said, even though we don’t have an all-encompassing data law yet, cross-border data flows are still regulated in many areas. The telecom industry, for instance, already requires subscriber information to be stored and processed locally. The argument for a single umbrella data law is to prescribe regulations for data governance across sectors as opposed to the current system of a myriad of criss-cross sector-specific rules.

Speaking of arguments… 


Data Localisation: What Proponents Say

The rationale behind data localisation is fairly simple. GoI cites four reasons in particular: (1) economic growth, (2) law enforcement, (3) preventing foreign surveillance, and (4) user data protection.

Entire industries are built on data; stemming data flows to American firms might give a leg up to domestic players (a win for “Atmanirbharta”). 

Existing cross-border flows are governed by bilateral treaties (“mutual legal assistance treaties”). It’s a cumbersome process for law enforcement officials, with data acquisition taking as long as ten months in some cases. 

As for protecting citizens’ data from bad players, data localisation may prevent spying of the like leaked by Snowden in 2013, but some nuance may be necessary here. Which brings us to…


Data Localisation: What Opponents Say

Who’s against data localisation? American tech companies, naturally. And their lobbyists and business interests. But also many digital rights enthusiasts, who fear a profusion of national data protection laws could lead to a “splinternet”: distinct and impenetrable silos where the free exchange of information is no longer the basis of the internet as we know it.

There’s also the market-purist argument that requiring localisation is anti-competitive and will only further aid in the consolidation of the tech industry. After all, the likes of Facebook and Alphabet can afford to build different data centres in different countries. Smaller rivals cannot. Also, domestic tech firms looking to expand outwards could find their own progress stifled by data barriers.

Significantly’ there’s also the warning that data localisation is not a panacea for data security. Simply replacing Meta with the Union Government doesn’t mean individual privacy will be protected; it merely adds more safeguards. The threat of Government misuse of consumer data and violation of privacy rights remains (case in point: Pegasus). 


Looking Ahead

All said and done, the general movement among countries seems to be towards data localisation, despite frantic protests from Uncle Sam and Big Tech. This trend might provide added security to user data - and it might also very well change the way the internet operates.

As for Meta’s objections, the new European standards are expected in the first half of 2022. EU regulators’ pedantry can be forgiven. The GDPR, while not impeccable, is still widely regarded as the gold standard for data protection legislation. And if the Brussels effect is any indication, expect the EU’s new rules to be an invaluable trendsetter for the rest of the world. In particular, India.


Congratulations! You've made it to the end. Looking for more takes on Business, Finance, Markets and Investing? Subscribe to TRANSFIN. E-O-D for informative and insightful daily news updates