Does Data Localization Adequately Balance Privacy and Security?

Palo Alto Networks works towards enhancing global cybersecurity, preventing cyber-attacks, and safeguarding digital lifestyles by establishing reliable strategic partnerships, promoting policy development, and collaborating with organizations and governments at all levels. As a part of these efforts, this Capstone project aimed to contribute to the ongoing discourse on the unintended consequences of data localization policies on defensive cybersecurity, which is another legitimate public policy objective.  

The first part of the project analyzed data localization policies in 12 representative countries and the European Union before April 2023. It scrutinized the impact of data localization policies on cybersecurity through literature reviews, interviews with 16 policy and industry experts, and two case studies. The team found that there are no national policies that explicitly account for sharing cyber threat information and balance privacy protection with cyber threat information sharing needs. Furthermore, the study revealed that data localization policies are still on the rise, with many countries implementing sector-specific data localization policies that primarily target the Financial Services, ICT, Public Sector, and Healthcare sectors. The second part of the study evaluated five regulatory frameworks for cross-border data flows based on five criteria: interoperability, timeliness, persistency, transparency, and enforcement. Based on this analysis, the team recommended an accountability-based regulatory approach, such as the APEC Cross-Border Privacy Rules System, as a pragmatic regulatory framework that balances privacy and security interests, particularly cross-border cyber threat information sharing.