Abstract
This paper provides the first systematic analysis of the types of risks that data localization creates for cybersecurity management. Rather than protecting cybersecurity, data localization often creates obstacles to integrated management of cybersecurity risks, reduces the effectiveness of purchasing cybersecurity-related services, and systematically disrupts information sharing.
Part II introduces key concepts. The importance of data localization has risen rapidly in recent years, including in China, the EU, and India. This paper focuses on the effects of “hard” data localization, where transfer of data to other countries is prohibited. The focus is also on defensive cybersecurity — effects on the ability of organizations such as corporations and government agencies to identify, protect, detect, respond, and recover in the face of cyber-attacks.
Part III examines privacy and non-privacy reasons driving localization laws. This discussion concludes that in general the rationale for localization does not alter the analysis of cybersecurity risks.
Part IV addresses the research methodology. In addition to a traditional literature review, we review approximately 200 comments recently submitted to European regulators concerning data transfers. Next, we analyze International Standards Organization (“ISO”) 27002, to systematically examine the effects that localization rules for personal data would have on that widely used set of cybersecurity management controls.
Part V provides a new categorization of the effects of data localization on cybersecurity. First, our analysis shows that data localization would threaten an organization’s ability to achieve integrated management of cybersecurity risk. By examining each control (and important sub-controls), we show that 13 of the 14 ISO 27002 controls would be negatively affected by localization of personal data. Second, data localization pervasively limits provision of cybersecurity-related services by third parties, a global market of roughly $300 billion annually. Notably, a region requiring localization would cut its organizations off from best-in-class cybersecurity services, thereby making its organizations easier targets for attackers. Third, localization undermines information sharing for cybersecurity purposes. For each of these effects of data localization on cybersecurity, we will briefly examine the primary counterarguments to our position. Part VI is the conclusion.
How to Cite:
Peter Swire & DeBrae Kennedy-Mayo, The Risks to Cybersecurity from Data Localization — Organizational Effects, 8 Ariz. L. J. Emerging Tech. no. 3 (2025), https://doi.org/10.2458/azlawjet.7523