When It Comes to Data, Local Safeguards and Global Hosting Don’t Have to Conflict

Last week, CGD and ACET (The African Center for Economic Transformation) co-hosted an event on rules that limit the cross-border transfer of digital data. The basis for the discussion was David Medine’s recent paper for CGD “Data Localization: A Tax on the Poor,” and the group involved experts and policymakers from across the region.

We began with a presentation of the paper by David, with commentary by Faiza Adam Seidu (Data Protection Supervisor at Ghana Link Network Service Ltd.) and Blaise Bayuo (ACET Senior Fellow). Rob Floyd of ACET moderated the discussion. The video for that is available on the event page and below. After that, the broader group explored the policy challenges related to data localization, under Chatham House Rules. I learned a huge amount from the day and I’m very grateful to the participants.

My central takeaway was that where data resides is the wrong question for policymakers. The real questions are around data security, data privacy, and data access. Governments need to ensure that commercial, individual, and government data meets national standards with regard to security and privacy, and that (not least) the government itself can access the data it needs to carry out regulatory, policing, and national security functions. That needs to happen if the data is held at home or abroad, and where the data is held isn’t usually the determining factor as to how it is done.

Take banking: governments have a responsibility to help ensure citizen financial data is kept secure, as well as having regulatory, policing, and national security interests in being able to access that data. But the data doesn’t need to be kept in the home country to satisfy those interests. Look at Ghana: before financial institutions can store data abroad, they have to satisfy the Bank of Ghana that the data host meets national standards. What makes the use of overseas cloud data storage and manipulation more straightforward is that Ghana’s data regulations are very similar to others in the region and in Europe. Further regional coordination on data security, privacy, and access concerns could certainly help make it even easier to meet national standards while benefiting from the economies of scale and security that come from regional cloud services. As David Medine’s paper points out, the very low marginal cost associated with secure cloud computing is what allows online financial institutions like South Africa’s Tyme Bank to offer a bank account to any customer who applies.

Data = Oil? Boo!

The big problem appears to be that too many in government see their role with data to be “collect and protect,” not “collect, protect, and use.” In part, I blame all those who, like The Economist, trumpeted British Mathematician Clive Humby’s line that data was the new oil. Of course politicians would read that and think governments shouldn’t let data be sent overseas willy nilly. But data has no value if it isn’t used, and data localization limits that use—likely at a cost to security, and with higher costs of storage. Hopefully the growing role that regional bodies like the African Union are playing in coordinating and harmonizing rules around cross-border data will help the region both better exploit the data it has and build up regional capacities in data storage and manipulation. And as participants made clear, this isn’t something that has to wait on better global data governance: the African market is quite big enough by itself.