Opinion | Between Cyber Sovereignty and Cross-Border Data Flows
Updated: Apr 19
First published in The Jakarta Post (2/12/21).
The dilemma between liberalization and protection of resources has been going on for a long time, especially in developing economies like Indonesia. In the digital era, a similar debate also takes place pertaining to the lifeblood of the digital economy - data.
The nature of the debate between traditional flows of goods and services and data flow is somewhat similar. Developing countries with abundant raw natural resources, for example, tend to limit the extraction of raw natural resources by foreign companies for fear that the economic benefit from merely selling raw resources may not be worth the long-term damages from environmental degradation and underdeveloped domestic technology in resource processing. As such, policies like domestic market obligation, local content requirements, and domestic processing are applied in sectors like mining and energy.
Data as a resource
Data is also a powerful resource that can be processed to understand users’ behavior and preferences. With the right processing, technology companies can use them to provide services deemed valuable by digital consumers. However, data misuse is also a risk that can lead to behavioral and attitude manipulations that not only are damaging to users but also to the state.
As a highly valuable input, governments have the incentives to maintain sovereignty over its data using policies that may appear as barriers to cross-border data flows. Content and data localization, for example, oblige foreign companies to store or process data locally and refrain from offshore transfer. Data mirroring - providing a copy of the data in a local data center - is also mandated for law enforcement and security purposes. These give governments more power to control data at the cost of businesses.
Data localization policies are also present in Indonesia. Regulation of mandated the Minister of Communication and Informatics (MOCI) 20/2016 requires electronic system organizers (ESOs) that provide public services to use data and disaster recovery centers within Indonesia, while MOCI Circular Letter 3/2021.obligates cloud computing companies to used local data centers to store public data.
In the financial sector, Bank Indonesia (BI) requires e-money operators to store data locally and obliges all domestic transactions to go through the National Payment Gateway (NPG). In addition, the Financial Services Authority (OJK) also requires banks and insurance providers to use data centers and disaster recovery centers in Indonesia. All aim to allow the government more control over digital activities in the financial sector.
However, excessive control over data may negatively impact competition, investment, and eventually growth. Cambodia, for example, manifests its internet sovereignty vision by creating a government-controlled single channel for internet traffic in the country, known as a National Internet Gateway (NIG). As a result, some internet service providers (ISPs) there experience higher production cost due to the inability to choose the least costly routing path. This could then be passed to consumers through a higher internet service fee.
Indeed, as with export restrictions in natural resources, economic inefficiency is associated with barriers to data flows. Inward-looking policies on data use prevent companies from processing them where it is most cost-efficient. The European Center for International Political Economy (ECIPE), for example, predicts that heavy requirements for overseas data transfers inhibit imports of data-intensive services, thus negatively affect the GDP. In the case of Indonesia, ECIPE calculates the loss of GDP to stand around -0.5% while the impact on domestic investment is estimated to be around -2.3%.
A centralized internet economy may also compromise citizens’ privacy and freedom of speech. Increased government control over the internet is often associated with unaccountable and unchecked censorship and even surveillance which can create social unrest. In this case, China is a primary example.
Digital data does need to be protected and it is imperative to mitigate risks from harmful online content and activities. However, state overreach may not always be the answer. Safeguarding sensitive users' data cannot be pursued merely by data localization. Rather, advanced cyber security posture - often absent in developing countries - is the key. Providing private sectors with a business climate supportive of technological innovation in the country should therefore be prioritized.
Clear data classification, which is often missing in countries that favor the cyber sovereignty notion, is also crucial to apply specific treatment for each data category. Personal data varies from name and identification number to health records and financial information and the security risks from collecting and processing these data are different depending on how sensitive the information is. As such, requiring data localization for all types of data may not be a wise policy.
In many countries, a comprehensive personal data protection law is expected to address some of these crucial issues. Unfortunately, in Indonesia, long-dragging discussions at the parliament signals that a clear data classification, accountable data collection and processing that are also supportive of hassle-free cross-border data flows may not be happening in the near future.
In conclusion, a blind pursuit of cyber sovereignty could easily turn into a self-defeating action both economically and socially. While data needs to be protected, policy makers need to realize the downsides of excessive barriers to cross-border data flow. At the end of the day, data needs to be used to increase the livelihoods of consumers, and if strict limitations on cross-border data flows are not supportive of this goal, reconsideration is a must.