The Effects of Data Localization on Cybersecurity

Article Source: Georgia Tech Scheller College of Business Research Paper, No. 4030905, 2022
Publication Date:
Time to Read: 3 minute read
Written By:

 DeBrae  Kennedy-Mayo

DeBrae Kennedy-Mayo



Data localization policies prohibit the transfer of data to foreign countries. Data localization affects the ability of organizations to prevent and respond to cyberattacks, increasing cybersecurity risks.


Policy Relevance:

Localization measures add to security risks. Policymakers should consider allowing exemptions when risk is high.


Key Takeaways:
  • Policies calling for data localization, that is, prohibitions on the transfer of data to foreign countries, have proliferated; sometimes the goal of localization is to protect privacy, but protectionism, national security, or government's desire to control the Internet also motivate localization measures.
    • China's data security act requires data localization for critical infrastructure.
    • India requires data localization for financial transactions.
  • Europe has embraced data localization.
    • Europe's Data Protection Board requires de facto localization of personally identifiable information.
    • EU may expand localization policies to connected machines and devices.
  • Privacy and security will conflict if a privacy measure increases the risk of unauthorized access to data; for example, data localization policies intended to protect privacy might reduce the ability to identify perpetrators of cyberattacks.
  • Localization hinders integrated management of cybersecurity risks; if only one region requires localization, security management can be centralized there, but if many countries require localization, security functions cannot be centralized at all.
  • International Standards Organization (ISO) 27002 provides cybersecurity management controls to support organizations in managing security risks.
    • Localization interferes with 13 of 14 ISO 27002 security control categories.
    • The only unaffected control set is physical security, which is often managed locally.
    • Localization complicates managing and tracking assets, employees, and portable devices, which may move across jurisdictions.
    • Localization hinders global policies for oversight, training, compliance monitoring, and access limitation.
  • Globally, the market for cybersecurity-related services is about $200 billion; the United States is the market leader in cloud and cybersecurity services.
    • Services such as intrusion detection often access and report detailed client data.
    • Localization requires organizations to keep cybersecurity work in-house or hire only local providers.
    • Localization limits access to top providers.
  • Some cybersecurity services offer "follow the sun" customer and engineering support, where rotating teams come on duty during their local daytime, providing 24-hour coverage worldwide; localization would block use of these services, and prevent firms from developing their own global service.
  • Locally-grown cybersecurity services are unlikely to offer a satisfactory solution.
    • Until the local industry is established, attackers will target weakened jurisdictions.
    • Small countries will struggle to achieve the necessary scale and expertise.
    • Few local markets are large enough to support a wide range of security services to fill every niche where specialized services are needed.
  • Localization undermines information sharing for cybersecurity purposes.
    • Investigation of cybercrimes, which often originate in other countries, will be impeded.
    • Attackers hop jurisdictions to evade detection, and forensic investigators work across borders.
    • Training of security algorithms on global data improves systems that use machine learning.
    • Credit card companies, insurers, and ecommerce site share data worldwide to detect fraud.



Peter Swire

About Peter Swire

Peter P. Swire is Professor of Law and Ethics and the Elizabeth and Thomas Holder Chair at the Scheller College of Business at the Georgia Institute of Technology. Professor Swire is Associate Director for Policy of the Georgia Tech Institute for Information Security and Privacy. He has appointments by courtesy with the College of Computing and School of Public Policy. He is also Senior Counsel with Alston & Bird, LLP. Professor Swire has been a leading privacy and cyberlaw scholar, government leader, and practitioner since the rise of the Internet in the 1990’s.