German data storage laws 'threaten free trade'

Germany is up there with Russia, China, Turkey, and Indonesia on a list of countries that pursue protectionist policies that damage global technological innovation, according to a leading US think tank.

The Information Technology & Innovation Foundation (ITIF) released a report this week arguing that Germany's data storage law, which was updated in 2015 to tighten cybersecurity, was a potentially damaging hindrance to free trade.

The 2015 law change forced telecom companies to store metadata locally in Germany, rather than anywhere else - even in the European Union. This amendment "potentially violates rules that protect the freedom of services...  and the free flow of personal data" protected by EU laws, the ITIF said in its report entitled "The Worst Innovation Mercantilist Policies of 2016."

But some German economists were skeptical. Barbara Engels, digitization specialist at the Cologne Institute for Economic Research (IWK), seemed surprised by the ITIF's accusation. "I don't see a problem the way this institute does," she told DW. "I don't really see exactly how it should hinder innovation."

The importance of moving data

Dirk Dohse, of the Kiel Institute for the World Economy (IfW), was also a little nonplussed. "I can see what they mean, but I still think it's a little outlandish," he told DW. "The argument of this think tank seems to be that foreign companies are being denied access to the German market, and that is a form of mercantilism. I think they've made it a little sensationalized."

Nevertheless, the ITIF insisted that companies needs to be able to move data. "The ability to move data across borders is a critical component of value creation for companies in the United States, Europe, and other nations around the world," the report's author Nigel Cory told DW in an email. "Fully half of all global trade in services now depends on access to cross-border data flows."

"Inhibiting the flow of this data, for both modern and traditional businesses which increasingly rely on data," he added, "undermines their ability to leverage economies of scale in global markets to use to invest in further research and development."

The ITIF report pointed out that other countries, like Australia and the UK, have similar data retention rules, but do not stipulate where that data has to be kept. Similarly, most EU member states have resisted local storage requirements, and half of them even signed a letter calling on the European Commission to remove all barriers to data flows. The Organization for Economic Cooperation and Development (OECD) has also called the free flow of data a "vital condition for the globally distributed data ecosystem as it enables access to global value chains and markets."

Meanwhile, more authoritarian countries - the ITIF named Russia, Turkey and China in its report - all have localized data storage regulations like Germany's, though the report admits that these countries' rules have much bigger privacy implications: in Russia, for instance, telecom companies are required to retain the actual content of users' communications for six months.

Under German law, companies must store metadata (but not content) of their customers' communications for 10 weeks and location data for four weeks. But Germany is certainly not the only European country with similar local data storage rules, and Dohse wondered why France, for example, had not made it onto the ITIF's list.

Stricter doesn't mean more secure

Cory dismissed the notion that data localization helps maintain security, since access is more important to security forces than location. "The geography of where the data is stored should not matter as telecommunication companies that store data outside of Germany are still required by law to provide access to it," he said.

"These arguments here aren't totally valid," countered Dohse. "Of course, free trade is a very important principle. But on the other hand I think it's legitimate for a country to protect its data and the data of its citizens. If a company is based in China, for example, and stores data there, then it will only be subject to law there. Also, if you make a firm locate in Germany, you have better possibilities for sanctioning it." 

The German Economy Ministry dismissed the accusation that the law amounted to protectionism, arguing that localizing data storage was essential to protecting personal data from abuse and unauthorized access. "Only inside Germany can high demands be comprehensively guaranteed and regularly checked," the ministry said in a statement to DW. "By storing data abroad it can't be ruled out that the foreign state will gain access to the data by dint of its interior law."

Dohse also found it odd that the US wasn't on a list of countries with protectionist policies. "The US is the country that earns the most from protecting intellectual property rights - the so-called TRIPS agreement, which all countries have to abide by that join the World Trade Organization. This TRIPS agreement was brought about essentially by the US, because they have the most intellectual property to protect. Maybe [the ITIF] is being a bit one-sided."

For Engels, meanwhile, Germany's strict data protection actually presents more of a problem for businesses than data storage. "I completely agree that we have very tough data protection laws, and that they could partially obstruct innovation," she said. "It's a problem that in Germany it's different from in the EU, where the regulations are generally laxer. When companies want to upscale, they find themselves subject to different data protection laws."