Cross-border data flows: Are restrictive policies stifling growth?
Posted By On February 2, 2018

Online platform development is increasingly recognized by governments in the Asia-Pacific region as a means to promote economic growth and help low- and middle-income countries reach the Sustainable Development Goals developed by the United Nations. However one of the major impediments to ensuring that entrepreneurs are able to realize their vision and potential, are restrictions placed by governments globally on cross-border data flows.

Cross-border data flows are critically important for companies across all sectors of economies and particularly for small- and medium-sized enterprises (SMEs), which account for 98% or more of all enterprises in most countries in Asia.[1] Access to digital products and services, such as cloud applications, provide SMEs with services that will give them a competitive advantage, enabling them to leverage global supply chains and directly access customers in foreign markets in ways that were previously possible only for large corporations.


A 2016 McKinsey report highlights the fact that “global [data] flows have raised world GDP by at least 10 percent; this value totaled $7.8 trillion in 2014 alone. Data flows now account for a larger share of this impact than global trade in goods. Global flows generate economic growth primarily by raising productivity, and countries benefit from both inflows and outflows.”[2]

Restrictions on data flows increase the cost of doing business across borders by either requiring that companies keep data within a certain country or by imposing additional requirements for data to be transferred abroad. These measures are very different in how they are designed and implemented. If data flows have so many economic benefits, what motivates these restrictions?


The increasing reliance on data has raised concerns among policymakers related to privacy and the protection of personal information, cybersecurity, taxation, national security, law enforcement, and industrial development among others. As a result, policymakers have responded by passing legislation that imposes restrictions on how data is handled, stored, and transmitted from point A to point B.

A recent report from the European Centre for International Political Economy (ECIPE) states that while “restrictions on cross-border data flows are not new…they have mushroomed in the last decade. Strict privacy regimes, requests to use local data centers and outright bans to transfer data abroad are a few examples of policies imposed recently that restrict data from crossing national or regional borders.”[3] However, some regulations create a confusing and often restrictive environment for local entrepreneurs and foreign direct investors alike.

A 2017 Information Technology and Innovation Foundation (ITIF) report provides examples of data flow restrictions from various countries in Asia. For example, India has a number of policies that on paper are restrictive, but have not been enforced. In 2011, “India’s Ministry of Communications and Technology enacted data transfer requirements as part of a change to privacy rules that could be (but haven’t been) used to restrict data flows containing personal information. These rules limit the transfer of “sensitive personal data or information” abroad to only two restrictive cases—when “necessary” or when the subject consents to the transfer abroad. Because it is difficult to establish that a transfer of data abroad is “necessary,” this provision would effectively ban transfers abroad except when an individual consents. The ministry clarified that these rules only apply to companies gathering data on Indians and only when the company is located in India.”[4] Further, in 2015, “India released a national telecom machine-to-machine roadmap that requires all relevant gateways and application servers that serve customers in India to be located in India,” however, it has not been enforced.[5]

Also from the ITIF report, “in 2010, Malaysia enacted the Personal Data Protection Act, which came into force in 2013. Personal data cannot be transferred outside Malaysia, unless the action has been approved by the Malaysian government. There are exceptions to this rule if the data subject has given approval, the transfer is part of a contract between the data subject and data user, if reasonable steps have been taken to protect the data, or if the transfer is necessary to protect the data subject’s vital interests. As with other countries, a consent requirement for transfer abroad is a burdensome requirement to satisfy.”

The belief that restrictions to cross-border data flows—including laws and regulations that prevent personal information, emails, and other forms of data from leaving the country—would prevent foreign surveillance and protect citizens’ online privacy is unfounded. As Bauer and colleagues note in a 2014 ECIPE report, “information security is not a function of where data is physically stored or processed. Threats are often domestic, while storing information in one physical location could increase vulnerability. Data localization is not only ineffective against foreign surveillance, it enables governments to surveil their own citizens.”[6] Finally, forced localization is often has a “surreptitious objective of keeping foreign competitors out, or creating a handful of new jobs in e-commerce, data centers or consultancies. However, any job gains as a result of data localization are minuscule compared to losses in terms of jobs and output in other parts of the economy.”[7]


  • Local and cross-border flows of data are essential to supporting emerging technologies including the cloud, the internet of things, and big data analytics. This movement of data has the potential to provide benefits to SMEs in particular.
  • Data and technology localization constrains innovation and often has a negative impact on trade and related services limiting economic growth and social benefits. While there can be certain compelling issues including privacy and security that may form a legitimate basis for governments to place some limits on data flows, “these should only be implemented in a manner that is non-discriminatory, least trade restrictive, and not a disguised restriction on trade”.[8]

By reducing restrictions on cross-border data flows, the Asia-Pacific region will promote opportunities for the development of local entrepreneurship, (including platform entrepreneurship) as well as foreign direct investment, and help maximize the resulting economic and social benefits across the region.






[5] Ibid

[6] The Costs of Data Localisation: A Friendly Fire on Economic Recovery

Published May 2014 by Erik van der MarelHosuk Lee-MakiyamaMatthias Bauer

[7] Ibid


You may also like