The nature of the debate between the traditional flow of goods and services and the flow of data is somewhat similar. Developing countries with abundant natural resources, for example, tend to restrict the extraction of raw materials by foreign companies for fear that the economic benefits from merely selling raw resources may not be worth the long-term damage from environmental degradation and underdeveloped domestic technologies in resource processing.

As such, policies like the domestic market obligation, local content requirements and domestic processing are applied to sectors like the mining and energy sector.

Data is also a powerful resource that can be processed to understand user behavior and preferences. With the right processing, technology companies can use data to provide services deemed valuable by digital consumers. However, data misuse is also a risk that can lead to manipulating behavior and attitudes that are damaging not only to users, but also to the state.

As a highly valuable resource, governments have an incentive to maintain sovereignty over its data through policies that may appear as barriers to cross-border data flow. Content and data localization, for example, oblige foreign companies to store or process their data locally and refrain from transferring the data offshore. Data mirroring, which leaves a copy of the data in a local data center, is also mandated for law enforcement and security purposes. These measures give governments more power to control data at the cost of businesses.

Data localization policies also exist in Indonesia. Communication and Informatics Ministerial Regulation No. 20/2016 requires “electronic system organizers” (ESOs) that provide public services to use data and disaster recovery centers in Indonesia, while Communication and Informatics Minister’s Circular No. 3/2021 obligates cloud computing companies to store public data at local data centers.

In the financial sector, Bank Indonesia (BI) requires e-money providers to store data locally and obliges all domestic transactions to go through the National Payment Gateway (NPG). In addition, the Financial Services Authority (OJK) requires banks and insurers to use data centers and disaster recovery centers in the country. All aim to give the government more control over digital activities in the financial sector.

However, excessive control over data may negatively impact competition, investment and eventually growth. Cambodia, for example, has manifested its internet sovereignty vision through a single government-controlled channel for internet traffic, known as the National Internet Gateway (NIG). As a result, some internet service providers (ISPs) there are experiencing higher production costs due to their inability to choose the least costly routing path. The increased costs could then be passed on to consumers in a higher internet service price.

Indeed, as with export restrictions for natural resources, economic inefficiency is associated with barriers to data flow. Inward-looking data use policies prevent companies from processing them where it is most cost-efficient.

The European Centre for International Political Economy (ECIPE), for example, finds that heavy requirements for overseas data transfers inhibit imports of data-intensive services, and thus negatively affect gross domestic product (GDP). In Indonesia’s case, the ECIPE has estimated GDP loss of around 0.5 percent and a negative impact on domestic investment of around 2.3 percent.

A centralized internet economy may also compromise citizens’ privacy and freedom of speech. Increased government control over the internet is often associated with unaccountable and unchecked censorship and even surveillance, which can create social unrest. China is a primary example of this.

Digital data does need to be protected and it is imperative that risks from harmful online content and activities are mitigated. However, state overreach may not always be the answer. Safeguarding sensitive user data cannot be pursued merely by data localization. Rather, the key is advanced cybersecurity posture, which is often absent in developing countries. Providing the private sector with a business climate supportive of domestic technological innovations should therefore be prioritized.

Clear data classification, which is often missing in countries that favor the notion of cyber sovereignty, is also crucial in applying specific treatments for each data category. Personal data vary from name and identification number to health records and financial information, and the security risks from collecting and processing these data are different depending on the level of sensitivity of the information. As such, requiring data localization for all types of data may not be a wise policy.

In many countries, a comprehensive personal data protection law addresses some of these crucial issues. Unfortunately in Indonesia, long drawn-out discussions at the legislature signal that clear data classification, accountable data collection and processing that are also supportive of hassle-free cross-border data flow may not be happening in the near future.

In conclusion, the blind pursuit of cyber sovereignty could easily become self-defeating, both economically and socially. While data needs to be protected, policymakers need to realize the downsides to excessive barriers to cross-border data flow.

At the end of the day, data use is necessary to improve the livelihoods of consumers. If strict limitations on cross-border data flow are not supportive of this goal, reconsideration is a must.

***

The writer is a researcher at the Center for Indonesian Policy Studies (CIPS). The views expressed are personal.