Introduction
The exponential growth of internet users and their activities on platforms like Facebook, Instagram, and Amazon has resulted in vast amounts of user data being collected. In a single minute, approximately 4.5 billion internet users generate a staggering number of interactions, including 41 million WhatsApp messages, 13 million video or voice calls, and the upload of 147,000 pictures on Facebook. Footnote 1 These platforms utilize this data to offer personalized and profitable services to their users. However, within the context of geopolitical and technological competition, data takes on a completely different significance. The current international landscape is witnessing the rise of technonationalism, wherein states strive to lead and dominate in emerging technology sectors. Footnote 2 In particular, data is viewed as a strategic asset by many states, capable of providing a competitive edge in the field of artificial intelligence (AI). Footnote 3 The debate revolves around whether a large quantity of data or a highly refined and precise dataset is more instrumental in the development of AI as a training set. While a large volume of data enables AI systems to quickly identify patterns and derive insights, Footnote 4 high-quality data, characterized by accuracy and relevance, is essential for AI to make decisions that complement human judgment. Footnote 5
Irrespective of this debate, it is indisputable that well-trained AI models, powered by data, have far-reaching implications for both domestic and international arenas, spanning civil and military applications. The influence of AI, driven by data, extends to national strategies, shaping human nature and influencing perceptions of the international structure. Footnote 6 Its impact transcends boundaries and permeates various aspects of society, making it a critical consideration for policymakers and researchers alike. In this regard, it is understandable that states seek to safeguard their data from exploitation or unauthorized extraction by external actors. Notably, China has implemented some of the most stringent regulations on data, a measure that has contributed to its economic growth and technological advancement. Footnote 7 Data localization, which requires businesses to establish new data centers within a country’s borders, not only strengthens national data security but also generates economic benefits at both the national and local levels. The construction of data storage facilities contributes to the overall economy and has positive spillover effects on local communities. Footnote 8 Consequently, data localization serves as a multifaceted strategy that addresses security concerns while simultaneously fostering economic development.
Though China’s approach to data localization is unique, driven by its vast population and long-standing pursuit of the party’s objectives. Footnote 9 Drawbacks of data localization often outweigh the benefits. One significant concern is the negative impact on economic development. Empirical research demonstrates that data localization can hinder national economies, leading to declines in gross domestic product, investments, and trade. Footnote 10 This approach has been criticized for impeding economic growth and innovation by restricting the free flow of data across borders. Footnote 11 82 percent of large firms and 52 percent of small and medium-sized firms, based on the survey in the digital communication sector, considers data localization as a constraint. Footnote 12 Moreover, data localization imposes unexpected burdens on businesses. The costs associated with building new data centers or transitioning to local data storage can pose significant barriers, particularly for entities seeking to enter new markets. Footnote 13 In situations where local or international cloud service providers are limited, platforms may be compelled to establish their own data centers or rely on less qualified local providers with limited digital infrastructure. Another concern is the potential compromise of data security. By mandating data storage within national borders, without duplication outside, the recovery of data in the event of a cyber attack or natural disaster becomes challenging. Footnote 14 Lastly, data localization does not guarantee complete isolation from external access, as the nature of data transcends physical boundaries. Footnote 15
The adoption of data localization measures has increased significantly in recent years, with the number of countries implementing such policies more than doubling since 2017. Footnote 16 In fact, approximately 80 percent of nations now have data protection legislation or drafts in place. Footnote 17 This raises an intriguing question: why do states choose to localize data for all the negative impacts it can have on their interests? To address this question and provide a coherent and theoretical explanation, this paper applies the concept of economic statecraft. Footnote 18 Data localization is seen as an economic means derived from digital technology that serves political objectives. Given the broad applicability of data and its role in driving economic development and innovation, states view data localization not merely as a remedial measure but as a form of economic statecraft. The emergence of the platform economy further accentuates this question by challenging the perceived locus of value and authority between platforms and states. Footnote 19 By perceiving data as a driver of economic growth, states impose barriers that restrict the flow of data, thereby controlling the economic benefits it can generate. Footnote 20 Mandating the localization of data storage is a sophisticated and highly articulated approach to regulating data, as it underscores a state’s sovereign power. Consequently, data localization offers a unique perspective on data as an economic instrument with implications for security.
Data localization encompasses various definitions and degrees of restrictions imposed by states on data. Footnote 21 For the purpose of this paper, data localization is defined as a policy implemented by a state that requires entities to store data within its sovereign territory. This definition emphasizes the role of the state as the primary actor responsible for enforcing such requirements on private entities. An example of this policy is when foreign entities are compelled to establish local data centers in the region. Footnote 22 The term “platform” in this context refers to an entity that acts as an intermediary, connecting consumers and services in accordance with the definition of a transaction platform. Footnote 23 The data under consideration in this paper is the data generated by users within these platforms, excluding data with direct military applications.
This paper aims to examine the motivation and mechanism underlying data localization, with a particular focus on its connection to economic statecraft. The subsequent section investigates the relationship between states and three key data-relevant categories: individual referents, platforms, and structural characteristics. Moving forward, the paper presents a theoretical mechanism that emphasizes the need for a comprehensive and heuristic understanding rather than a one-sided approach. This mechanism establishes the significance of both network perception and security externality as essential factors in data localization. Network perception pertains to a state’s perception of the positive network effect generated by platforms, while security externality refers to a state’s consideration of the security implications in relation to the economic benefits derived from the positive network effect, serving the national interest in domestic and/or international contexts. To substantiate these theoretical propositions, the paper employs a comparative case study approach, utilizing process-tracing methodology and primary sources. Vietnam, Singapore, and Indonesia are selected as empirical cases, and the findings from the case study support the theoretical mechanism. In conclusion, this research bridges the concept of economic statecraft with digital technologies, fosters interdisciplinary discussions, and offers practical implications for policymakers.
Motives: why states localize data
States have varying motivations for implementing data localization policies, which can be categorized based on their interactions with three key actors: individual referents, platforms, and the structural characteristics of data itself. Footnote 24 The first category focuses on a state’s responsibility to safeguard individuals’ rights and privacy from potential encroachments by platforms. The second category highlights data localization as a tool for states to impose economic burdens on foreign platforms and nurture the growth of domestic platforms. The third category, highlighting the structural standpoint, examines the inherent constraints of data at the national level through intuitive thought experiments despite some caveats. It is important to note that these categories are not mutually exclusive but rather represent distinct driving forces behind the adoption of data localization policies.
The first motivation behind states implementing data localization measures is the protection and security of individuals’ digital rights. Despite individuals having the ultimate decision-making power over providing their data to platforms or third parties, these rights are often violated in practice. Platforms engage in excessive surveillance of users in order to gather as much data as possible. Footnote 25 This issue is exemplified by the Cambridge Analytica scandal, where improperly obtained data was used to create voter profiles for the 2016 US presidential election. Footnote 26 Such incidents have strengthened the public’s demand for the protection of their data rights. Data localization serves to reinforce a state’s belief that it can provide more explicit protection for these rights. It also contributes to the enhancement of rights protection by imposing specific obligations on platforms. Footnote 27 Since the regulations implemented by a state are influenced by its perception of the relationship between users and platforms, the “Rights of the data subject” outlined in the European Union’s General Data Protection Regulation (GDPR) facilitates users’ access to platform data applications and establish punitive measures for non-compliance. Footnote 28
Data localization serves as a means to address the dominance of a few US platforms and incentives the development of domestic platforms and capabilities. The nature of platform businesses makes them susceptible to a winner-takes-all or oligopolistic market structure. The larger the user base of a platform, the more data it accumulates, enabling it to provide better-tailored services based on the collected data. Footnote 29 This network effect creates a virtuous cycle that allows dominant platforms to maintain a significant market share. The widespread international presence of these dominant US platforms can raise concerns about consumer welfare in foreign countries, as their options become limited. Consequently, government intervention becomes necessary to protect consumer interests. The focus on enforcing antitrust laws in the United States and the ongoing legal battles between the US federal government and platform companies highlight the need for comprehensive socio-economic regulations. Footnote 30 Thus, data localization can be seen as a measure that enables states to address the skewed market dynamics and promote a more balanced ecosystem.
In addition, data localization measures can lead to discrimination between domestic and foreign platforms, providing advantages or protection to domestic platforms. This aspect of data localization aligns with the discussions on strategic trade policies in the 1970s, which aimed to protect domestic industries from external markets while stimulating the domestic market. Footnote 31 Through simulations, it has been observed that data localization encourages local users to prefer domestic platforms by creating barriers for foreign platforms. Footnote 32 Moreover, data localization can enhance the competitiveness of domestic platforms by familiarizing them with data regulations in other states and enabling them to adapt more easily. The economic burden of data localization on foreign entities, particularly those that need to comply by establishing local data centers or contracting with local storage providers, can significantly increase data hosting expenses by 30 to 60 percent. Footnote 33 However, the extent of this burden varies depending on factors such as the existing business infrastructure and the market size of the respective states. It is important to distinguish between mandatory data localization requirements imposed by regulatory authorities and voluntary market-driven decisions. Platforms are not necessarily required to store all local data within local storage facilities; instead, they often operate regional data centers to cover regional demands rather than catering solely to a single local market. Considering data storage facilities as critical infrastructure entails taking into account various factors. Footnote 34 The burgeoning demand for data localization by states within the same or neighboring regions can disrupt platforms’ existing portfolios and business plans, imposing significant economic burdens.
The final perspective on data localization emphasizes the structural constraints imposed by the characteristics of data itself. Data is considered a quasi-public good, possessing a non-rivalrous nature with partial excludability, meaning that it can be perpetuated but it is challenging to distinguish between non-paying and paying users and deny access to the service. Footnote 35 This structural constraint of data underscores the regulatory power of domestic policies rather than the establishment of international data governance agreements, hindering the creation of a comprehensive global framework. Footnote 36 Given the nature of data, effective mechanisms for regulating its access and application need to be established at the national level. Although the interplay and strategies between states are complex and influenced by various factors such as the bilateral relationship, the number of players, economic and market power, repetition of rounds, and information sharing possibilities, simple thought experiments using scenarios can provide an intuitive understanding of data localization as a structural restraint.
The structural constraints inherent in data significantly influence the way states perceive and subsequently decide on whether to engage in cooperation or exploitation in the context of data localization. The perception between states, including the level of trust they have in each other, introduces a different dynamic. Footnote 37 Let us consider a scenario in which countries have commensurate sizes of internet-relevant indicators and are faced with a decision between enabling the free flow of data or implementing data localization. If the two countries engage in a single-game decision-making process, data localization emerges as the optimal choice for both countries. This can be illustrated using a prisoner’s dilemma-like game. Exploiting others’ data without exchanging one’s own data yields the highest payoff. If one country decides to localize data while the other opts for free flow, the regulating country can exploit data generated by both countries. In a game played between trusted partners who view each other as reliable, however, pursuing the free flow of data leads to the highest payoff. Nevertheless, even if both countries choose data localization, it is likely to result in compatible data policies between the partners by increasing the similarity of data regulations. As the legal institutions become more aligned, facilitating information sharing between the two countries, Footnote 38 data localization within a cooperative game can strike a balance between the interests of the two states. Ultimately, a state’s decision is intricately linked to its perception of the actions taken by another state, as illustrated in both hypothetical scenarios.
Localization mechanism
The multifaceted nature of data localization is reflected in the various motives associated with individuals, platforms, and structural constraints, highlighting it as a strategic choice made by states to pursue specific goals. However, it is important to avoid a narrow perspective that solely focuses on a single driver or discrete understanding, as it fails to fully explain the increasing trend of states adopting data localization measures and the underlying motivations behind their strategic decisions. As demonstrated in the previous section, no single motivation—referents, platforms, and structure derived from data—explains the entire calculation of data localization. This is because states engage in a calculated assessment and employ their own criteria when considering data localization. This is substantiated by the recent US withdrawal of the e-commerce rule proposal to the World Trade Organization, which aimed to “provide enough policy space for those debates.” Footnote 39 To capture this strategic dimension, which can be viewed as a form of economic statecraft derived from digital technology, a theoretical mechanism is proposed that incorporates the concepts of network perception and security externality in a heuristic way. By treating network perception and security externality as independent variables, the mechanism highlights their role as driving forces behind data localization, the dependent variable.
Network perception
In the realm of platform businesses, the significance of the data-driven network effect cannot be overstated. The network effect, defined as the impact of the number of agents taking equivalent actions on the net value of an action, holds particular relevance in this context. Footnote 40 When more users join a specific telecommunication vendor, for example, the vendor is compelled to enhance its service and coverage to meet the growing user demands. This improved quality of service then attracts additional users to join the vendor, creating a positive network effect. Conversely, if a network service vendor experiences an overwhelming influx of users, it can lead to a decline in the quality and speed of the network, prompting users to switch to alternative vendors. These scenarios, referred to as positive and negative network effects respectively, demonstrate the significant influence of network structure and performance on network value, in addition to user numbers. Footnote 41 In platform businesses driven by data, the value of a platform network is directly linked to the data network effect which is positive network effect. This effect manifests as the platform’s ability to provide personalized and tailored services based on the data it collects from users, thereby increasing its attractiveness and drawing in more users. Footnote 42 Consequently, users often find it challenging to refrain from using these services once they have become accustomed to them.
The decision to implement data localization is influenced by a state’s ability to harness and leverage the gains and benefits derived from the positive network effect. Platforms, with their control over user data and the ability to extract value from it, play a pivotal role in shaping the regulatory and political landscape of a nation. Footnote 43 This skewed relationship between states and platforms allows states to assess whether the network effect generated by platforms aligns with national interests and whether they can effectively utilize the resulting benefits. This relationship serves as an independent variable in driving data localization.
Network perception in this vein refers to a state’s perception of the positive network effect generated within and/or by platforms. This network perception can be classified as either positive or negative. Positive network perception occurs when a state views the network effect as an opportunity or a contribution to its national interests. In other words, when a state can exploit and benefit from the network effect generated by local and/or foreign platforms, it is considered advantageous, particularly from an economic standpoint. Conversely, negative network externality arises when a state perceives the positive network effect as a form of dependence or vulnerability, unable to effectively utilize the value generated by it. If platforms that align with a state’s objectives benefit from this network effect, it engenders a positive perception because these benefits ultimately contribute to the state’s interests. However, if platforms are difficult to malleable, the state’s perception becomes negative.
The presence of negative network perception reinforces the implementation of data localization, especially in the context of dominant foreign platforms in the market. The lopsided relationship between states and platforms contributes to a sense of vulnerability as foreign platforms increase domestic users’ dependence on them. The winner-takes-all nature of the platform market and the notion of vulnerability Footnote 44 highlight the susceptibility of states to the influence of dominant foreign platforms. Once these platforms solidify their dominant position, both users and states incur costs or face limitations in trying to disengage from their services. The extraterritorial nature of dominant foreign platforms further limits the impact of state policies on societal influence. In response, data localization emerges as a strategic solution to alleviate negative perceptions and enable states to internalize the economic benefits and advantages derived from data localization. By doing so, states can impede foreign platforms and enhance their capacity for internalization, safeguarding their domestic capabilities and preventing foreign competitors from exploiting domestic assets. Footnote 45
Security externality
Platform business using data encompasses not only economic considerations but also security implications. One such implication arises when a government seeks or presumably possesses unrestricted access to the data accumulated by influential platforms. In an anarchic international system characterized by uncertainty, states may anticipate indefinite access to data and its potential military applications by potential adversaries. The concept of an informational-industrial complex, which highlights the possible collaboration between platform businesses and governments, further emphasizes the security dimension of data. Footnote 46 Within the context of the relationship between a host country and foreign platforms, states contemplate the worst-case scenario that foreign platforms might share the collected data with adversarial actors, given the dual-use nature of data. Footnote 47
Furthermore, the increasing power wielded by platforms amplifies the security concerns of states. Data, being an inexhaustible resource that fuels innovation in both commercial and military realms, holds immense value. Footnote 48 Platforms, by aggregating vast amounts of data, simulate a domestic legal and regulatory capacity that is typically the purview of states. This grants them significant influence over other sectors and allows them to exert regulatory power in the absence of state authority. Footnote 49 Additionally, the era of “surveillance capitalism” epitomizes the transfer of influential power to platforms, as they amass and store extensive data for their lucrative purposes. Footnote 50 Platforms, due to their significant power and influence, have a direct and complex relationship with various aspects of national security, encompassing both narrow and broad interpretations of the concept. Footnote 51 This convergence of data-driven power and platform dominance further underscores the security implications for states.
The security implications associated with data localization serve as another significant driver for its adoption. These security considerations stem from the interplay between economic interactions and national security interests, particularly in relation to dual-use technologies and trade. Security externality, as a byproduct of economic gains from the positive network effect, manifests in two forms: internal and external. Both types can be classified as either positive or negative. Internal security externality pertains to the security ramifications of economic interactions within a nation’s domestic affairs and political landscape. The introduction of platforms can have a profound impact on a country’s internal dynamics. Domestic platforms, for instance, can empower domestic audiences, leading to outcomes that can be either positive or negative. This situation can present opportunities for certain states, as it reinforces democratic values and principles. However, it can also pose challenges for others by amplifying public voices that may be viewed as detrimental to national interests. Footnote 52 External security externality, on the other hand, relates to the international environment and a state’s perception of international relations and geopolitical environments. Collaboration with platforms and data sharing can enhance cooperation with foreign states, facilitating the free exchange and secure flow of data without restrictive conditions. However, it can also potentially expose a state to vulnerabilities by bolstering the material and innovative capabilities of other countries, thus creating an asymmetrical power dynamic.
The platforms, particularly foreign entities operating beyond a nation’s domestic jurisdiction, can pose challenges to a country’s domestic security objectives, resulting in negative internal security externality. In contrast, domestic platforms that operate within a state’s jurisdiction are more manageable for governments to control and influence. Footnote 53 Consequently, certain states may impose their domestic security requirements such as data localization on foreign platforms or assert their sovereign power over cyberspace as a means to counter the influence of these penetrated platforms. This discussion on digital sovereignty reflects the national efforts to safeguard the independent and monopolistic power of states, although it may also provide justification for censorship and surveillance activities by governments. Footnote 54 It is also worth noting that internal security externality can be particularly relevant in the context of authoritarian regimes, where such regimes are inclined to maintain control over domestic discourse and information flow. In these cases, governments may harbor concerns about losing control over domestic security, thereby exacerbating internal security externality. Footnote 55
The exchange of data facilitated by platforms or driven by regional demands can give rise to negative external security externality, particularly when it involves hostile states. In the context of adversarial relationships, the benefits derived from trade with non-allied states can generate negative security externality with the recipient state. Footnote 56 Data plays a crucial role in informing intelligence and national security decisions, although not all data possesses equal value for prediction and analysis purposes. Footnote 57 In the specific context of power competition between an incumbent leading state and a rising state, negative security externality in the military realm arises when two conditions are met: the potential for conflict with the rising power and its advancement of power through technological innovation and acquisition. Footnote 58 Data, in this sense, becomes instrumental in increasing the likelihood of conflict and enhancing the rising power’s capabilities. The issue of data localization—magnified by the claim on digital sovereignty—in turn serves as a balancing measure to address the security threats emanating from external environment, aligning with the discussions surrounding “mercantile realism” and how states balance against each other in economic and technological realms. Footnote 59
Figure 1 encapsulates the underlying mechanism of data localization, which involves domestic users generating data within platforms. This data contributes to the positive network effect, resulting in increased value and gains. Consequently, both network perception and security externality emerge as significant factors influencing the decision to implement data localization. In order for data localization to occur, both negative network perception and negative security externality must be present as a necessary condition. It is significant to recognize the intertwined nature of security and economic aspects within data localization, as no single variable can fully explain its occurrence. A complete explanation for why states pursue data localization over numerous other policy options cannot be solely derived from either network perception or security externality alone. Negative network perception arises when a state perceives dependence, vulnerability, and an inability to benefit from its platform market. On the other hand, negative security externality arises when platforms are seen as hindering domestic affairs (internal) or exposing the nation to security threats from external actors (external). For security externality to have an impact on data localization, either internal security, external security, or both are necessary. Moreover, the prevalence of foreign platforms further amplifies the negative impact of both network perception and security externality. It is this negativity that drives states to strategically implement data localization measures.
Figure 1. Theoretical mechanism.
Case selection
The selection of Singapore, Vietnam, and Indonesia as case studies is based on their similar geographical location and market characteristics. In order for states to effectively leverage their domestically produced data with platforms, it is essential for them to have a large number of internet users and a sizable platform market. Footnote 60 Platforms are unlikely to find a state with a small user base attractive for market penetration. In Southeast Asia, where the digital, internet services, and platform markets are experiencing exponential growth, Footnote 61 Singapore, Vietnam, and Indonesia exemplify this trend.
Table 1: Case observation
The three countries (Table 1) also provide variations in terms of their approach to data localization. Vietnam was the first to introduce data localization measures in 2012, while Singapore does not have explicit data localization requirements. Indonesia initially implemented data localization in 2012, similar to Vietnam, but later revoked it in 2019. Furthermore, Singapore stands out for its well-established digital infrastructure, positioning it as a more advanced digital economy. However, according to the Digital Intelligence Index, both Vietnam and Indonesia exhibit potential for further development, presenting comparable conditions to Singapore. Footnote 62 Thus, the cases of Vietnam, Singapore, and Indonesia offer insights into both cross-country and within-country variations in data localization practices.
Based on the binary approach of data localization, Vietnam and Indonesia with data localization are expected to exhibit negative network perception and security externality. On the other hand, Singapore and Indonesia without data localization are anticipated to demonstrate positive network perception and security externality. Although Singapore ostensibly prohibits the transfer of personal data outside its jurisdiction, this case further supports the notion that states consider various factors, including their own strategic interests and perceptions, when making decisions related to data localization. As the further section will discuss, Singapore’s actual implementation of these regulations nevertheless reflects a strategic pursuit of promoting the free flow of data rather than strict data localization. In addition to its role as a regional digital hub, Singapore strategically chooses to avoid data localization measures. The case of Singapore emphasizes the importance of the perceptual aspect in understanding data localization decisions.
The case study highlights the significant role of network perception and security externality in relation to US platforms, and by extension, the US per se. The affiliation or headquarters of a platform further amplifies the impact of network perception and security externality. When a foreign platform dominates the market in a particular state, it becomes challenging for that state to fully exploit the benefits gained by the platform, particularly if the platform is under the jurisdiction of a hostile country. Footnote 63 Figure 2 illustrates the global landscape of platform popularity, revealing a clear predominance of US platforms. Out of the top 15 platforms, eight are US companies, while the remaining six Chinese platforms are primarily popular within their domestic market and have limited global influence, which makes China a unique case. This dominance of US platforms poses a challenge for users who seek to circumvent their influence, despite the multi-homing effect where users may engage with multiple platforms rather than remaining loyal to a single one. Footnote 64
Figure 2. Most popular social networks as of January 2023 (monthly active users in millions).
Source: Statista, https://www.statista.com/statistics/272014/global-social-networks-ranked-by-number-of-users
The comparative case study conducted in this paper adopts a process-tracing methodology, which involves the careful selection of specific cases to establish and substantiate the causal mechanism underlying data localization. Footnote 65 Process-tracing is a qualitative approach that leverages contextual evidence to identify the key factors influencing the desired outcome. Footnote 66 In addition to secondary sources, this paper examines contextual evidence from various government-published documents, ministerial and diplomatic statements, press releases, media interviews with senior-level officials, and opinion submissions to international bodies. By incorporating these primary sources of information, the research ensures a thorough examination of the relevant contexts and perspectives surrounding the issue of data localization and statecraft. Employing process-tracing in conjunction with comparative analysis, this study effectively combines empirical analysis of the selected cases with theoretical propositions derived from observing the causal process. Footnote 67 This integrated approach provides a robust framework for examining the intricate interplay between variables within the realm of data localization and statecraft.
Case study
Vietnam
Negative network perception
The history of data localization in Vietnam dates back to Decree 72 (Decree No. 72/2013/ND-CP of July 15, 2013) in 2013 and its amendments in 2018. Decree 73 stipulates that social network entities have at least one server system in Vietnam. Moreover, entities which utilize Vietnamese information facilities or have at least one million monthly internet users have to establish a branch in Vietnam in addition to storing data locally. The first cybersecurity law in 2018 consolidates regulatory regimes, which delineates the type of data entities should store and of entities subject to this law albeit still equivocally defined. A significant development in the context of data localization is the issuance of Decree 53 (Decree 53/2022/ND-CP) in August 2022. This decree serves as a supplement to the existing cybersecurity law and provides further clarification regarding the obligation of foreign entities to store data locally. Footnote 68 Specifically, Article 26 of the Decree stipulates that both domestic enterprises and nearly all internet and digital-related foreign services are required to maintain local data storage.
Vietnam recognizes the significant role of the network effect in platform business and seizes the opportunity it presents. The Vietnamese government has approved the National Strategy on the Development of the Digital Economy and Digital Society to 2025 (Decision No. 411/QD-TTg 2022). This strategy highlights the importance of data as the “lifeblood of the digital economy and digital society” and identifies digital platforms as essential “soft infrastructure.” Footnote 69 Building on this strategy, it aims to leverage national digital platforms to provide more tailored services and cater to specific demands from Vietnamese users. Consequently, the strategy emphasizes the need for the swift completion of a legal framework on data and data governance. Footnote 70 However, Hanoi’s approach to data localization is not hasty. Deputy Minister of Information and Communications (MIC), Nguyen Huy Dung, emphasizes the importance of data sharing being in compliance with domestic regulations and laws. Footnote 71 This cautious approach reflects Vietnam’s commitment to striking a balance between harnessing the benefits of data and ensuring adherence to regulatory frameworks.
Data localization serves as a strategic interest for Vietnam, driven by the goal of internalizing benefits and promoting national development. The introduction of Circular 38/2016/TT-BTTT by MIC demarcates the boundaries for foreign entities operating in Vietnam and mandates compliance with Vietnamese legislation. Footnote 72 In a similar vein, the scope of the third draft version of the Cybersecurity Administrative Sanctions Decree encompasses foreign platforms and internet services, subjecting them to monetary penalties. Footnote 73 These recent regulations demonstrates the vulnerability posed by foreign platforms and aims to level the playing field. The MIC report highlights the significant revenue disparity, with foreign platforms generating $370 million compared to the largest local platform’s earnings of $7 million. Footnote 74 In line with data localization efforts, the implementation of physical infrastructure, including local offices and data storage facilities, creates additional hurdles for foreign platforms, acting as barriers to their business activities. The recent issuance of Decree 53 has prompted platforms like Google and Facebook to contemplate their response to the sweeping data regulations imposed by the Vietnamese government. Footnote 75 Consequently, business interest groups have raised objections, criticizing the extraterritorial jurisdiction imposed on foreign-headquartered platforms and calling for the revocation of such measures. Footnote 76
Data localization in Vietnam not only serves the strategic interest of internalizing benefits but also empowers domestic platforms to capitalize on positive network effects. The platform market in Vietnam is dominated by Facebook and Zalo holding over 90 percent of the market share. Footnote 77 The recently approved National Cybersecurity and Safety Strategy (Decision 964/QD-TTg) underscores the importance of developing endogenous platforms in Vietnam. It emphasizes the need to create a digital platform that is utilized by both Vietnamese and international citizens and highlights the capacity for self-reliance to safeguard national sovereignty in cyberspace. Footnote 78 Recognizing the significance of local platforms, the Vietnamese government has set a target of having 50 percent of local users using domestic platforms by 2030. Zalo, along with two other domestic platforms, is identified as a major player in the country’s domestic platform ecosystem. Footnote 79
Negative security externality: internal
When examining security externality, the focus of Hanoi’s analysis lies primarily on negative internal externality rather than external factors. The main concern revolves around the potential loss of control by the Vietnamese Communist Party in the digital realm. This is evident in various cybersecurity-related decrees, regulations, and strategies, all of which emphasize the significant role of the Party. The Cybersecurity and Safety Strategy, for instance, prioritizes “Strengthening the leadership of the Party and management of the State over cybersecurity” as a top priority in the strategy. Footnote 80 Additionally, Decree 13/2023/ND-CP on personal data protection places a greater emphasis on the involvement of the Ministry of Public Security, requiring entities to notify the Ministry for cross-border data flows. Footnote 81 These actions collectively demonstrate Hanoi’s concern for internal security and the consequential negative internal security externality it perceives.
Vietnam has a history of suppressing internet freedom and implementing internet censorship since the early days of the internet. The country’s cybersecurity definition places importance on preventing activities that could harm social order and safety, with party leadership as the top priority. However, despite its Communist Party system, Vietnam’s regulatory environment for data localization shares similarities with other states, distinguishing it from other communist countries that aim for complete control and prohibition of non-conforming foreign entities. Vietnam acknowledges the conflict between communist values and the development of the digital economy, demonstrating an awareness of the limitations of its regulatory approach.
Vietnam understands the challenges of completely rejecting foreign platforms and the potential diplomatic issues that may arise by recognizing that it is neither desirable nor feasible to ban all foreign platforms or impose oppressive censorship measures. Footnote 82 Furthermore, Vietnam is a rapidly growing digital market, with a digital economy valued at approximately $14 billion in 2020 and projected to experience 30 percent growth until 2025. Footnote 83 Sustaining this growth solely through endogenous efforts is challenging. Additionally, Vietnam’s regulatory environment in the ICT sector is evolving, recognizing the significance of foreign investment. Regulatory data shows a shift from the most restrictive G1 group to the more inclusive G3 group, which promotes competition in services and implements measures to protect against public monopolies in regulation. Footnote 84 This improvement reflects Vietnam’s efforts to develop its regulatory framework and create an environment conducive to attracting foreign investors.
Vietnam’s motivation for data localization is primarily driven by internal security concerns, rather than external security considerations. The Vietnamese Communist Party seeks to maintain control and restrict the flow of domestic information, which amplifies the demand for data localization alongside the network externality. This is evident through a range of policies aimed at controlling the domestic flow of information, as well as the cooperative relationship between the Vietnamese technology conglomerate and the Communist Party, which serves internal security interests. Footnote 85 While Vietnam recognizes the importance of market competitiveness in the digital economy, the internal purpose of data localization and the government’s intention to utilize it to serve its own interests remain decisive factors. However, the influence of external security considerations on data localization is relatively limited, considering the dominant position of US platforms in Vietnam compared to the limited influence of Chinese platforms. It is worth noting that Vietnam’s cooperation with the United States has evolved due to increased Chinese assertiveness in the region, given Vietnam’s tenuous relationship with China. Footnote 86
Singapore
Positive network perception
Singapore’s data regulations have evolved since the introduction of its first data protection law in 2012, known as the Personal Data Protection Act of 2012 (No. 26 of 2012, PDPA). Section 26 of the PDPA, known as the Transfer Limitation Obligation, outlines the conditions for transferring personal data outside of Singapore. Unlike data localization approaches, Singapore allows data transfer under certain conditions without imposing restrictions on local data storage or processing. Subsequently, significant updates to data-related regulations were implemented after 2020, including the introduction of the Personal Data Protection Regulation 2021. This new regulation, enacted in 2021, provides further clarification on the conditions under which data transfers are permitted. Under this framework, the transferring entity bears the responsibility of ensuring that the foreign data recipient maintains comparable protection measures to those in Singapore. Furthermore, an amendment to the PDPA was introduced in November 2020 to strengthen user rights and enhance the accountability of entities handling personal data. This amendment emphasizes users’ rights to inspect the usage of their data and aims to improve the responsibility of data-handling entities, while also seeking more effective enforcement mechanisms.
Singapore recognizes the potential of the platform ecosystem and aims to leverage its benefits for economic development. Similar to the Vietnamese market structure, where US platforms dominate without strong endogenous platforms, Footnote 87 the Singapore government seeks to establish an accountable and robust foundation for platforms, enabling “the legitimate use of data.” Footnote 88 In Singapore, the fundamental principle underlying data regulation is accountability, wherein organizations are held responsible for the data under their possession or control. Footnote 89 This principle fosters a trustworthy environment where platforms in Singapore embrace private-led responsibility, rather than relying solely on government-led initiatives. By promoting accountability, Singapore aims to create a conducive environment for platforms to thrive and contribute to economic growth.
Although Singapore does not impose a legally binding requirement for data localization, the data transfer restrictions outlined in the PDPA can be seen as a form of data localization in a different format. The “raison d’etre” of the Transfer Limitation Obligation is to safeguard personal data in Singapore from foreign entities over which Singapore has limited jurisdiction and sovereign power. Footnote 90 However, the implementation of the Transfer Limitation Obligation is done in a limited and flexible manner to promote the development of the digital economy. For instance, Singapore has chosen to recognize the Asia Pacific Economic Cooperation’s Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) programs as legally equivalent to its PDPA. This recognition exempts member states of the PRP program from the Transfer Limitation Obligation. The condition for cross-border data transfer, as specified in the article, is simplified as a requirement for reciprocal and equivalent measures to PDPA. This provision highlights Singapore’s strategic decision to provide support and establish a reliable foundation based on the perceived reliability of the entities themselves. By adopting this approach, Singapore aims to facilitate the smooth flow of data while maintaining strong data protection standards.
Singapore has positioned itself as a frontrunner in promoting cross-border data transfers and views it as an opportunity rather than a vulnerability. The national strategy known as Smart Nation Singapore, which focuses on harnessing technologies, emphasizes the role of digitalization as a driver for economic growth and societal transformation. Within this strategy, data is recognized as a fundamental asset that is essential for achieving exponential growth in the digital economy. “Singapore’s data protection ecosystem facilitates an increase in data sharing activities… for the increased competitiveness of Singapore’s economy.” Footnote 91 Josephine Teo, the Minister for Communications and Information, highlights the importance of international cross-border data flows as “The free flow of data across borders enables our business to digitally serve many markets, creating efficiencies and driving innovation.” Footnote 92 She further underscores the challenges businesses face when operating in multiple jurisdictions, stating that it would be impractical to meet all the requirements of different jurisdictions while maintaining efficient business operations. Footnote 93 By promoting the free flow of data across borders, Singapore aims to create an environment that supports seamless business operations and fosters innovation.
In tandem with all the endeavors, Singapore actively promotes the principle of the free flow of data internationally under the principle of “choose where they can store their data.” Footnote 94 As a founding state of Digital Economy Partnership Agreement (DEPA), it accentuates cross-border data flows and aims to enhance connectivity and promote a free and open internet environment. Given Singapore’s position as a central node in the international flow of data, DEPA aligns with the goal of prohibiting data localization and promoting interoperability of outbound data transfers in accordance with the PDPA. Footnote 95 At the same time, DEPA upholds the concept of enabling the free cross-border transfer of data while recognizing the need for regulatory measures. It also discourages arbitrary and unjustifiable demands for computing facilities in foreign territories as a condition for conducting business. This approach is consistent with Singapore’s recent digital partnership with the European Union and the Memorandum of Understanding on data cooperation with the United Kingdom. Footnote 96
Positive security externality
Singapore’s approach to data localization distinguishes it from countries characterized by negative internal and external security externalities. Singapore, as a democratic nation, does not emphasize internal security externality. Instead, it has established the Personal Data Protection Commission (PDPC) under the Personal Data Protection Act (PDPA) to safeguard personal data and enforce data protection obligations on businesses. Unlike Vietnam, there is no explicit emphasis on government control over platforms and markets. The regulatory framework places the responsibility for data protection on private entities, reducing the need for state surveillance and enhancing Singapore’s appeal as a favorable location for data-related business activities. On the other hand, as a result of its market structure, with dominant US platforms, Singapore prioritizes cooperation on data transfer with the United States and actively seeks partnerships with like-minded countries. In this regard, Singapore has established individual digital economy agreements with three states, demonstrating its commitment to fostering collaborative coalitions in the digital realm.
As an early mover in Asia, Singapore entered into a free trade agreement with the United States that included a “groundbreaking” e-commerce section. Footnote 97 This section serves as a model for other trade agreements by establishing principles of nondiscrimination and the prohibition of duties on e-commerce services and items. The cooperative relationship between Singapore and the United States has expanded to encompass data cooperation in sensitive areas such as financial services. Both countries have committed to “oppose generally applicable data localization requirements.” Footnote 98 In a more recent development, Singapore and the United States have initiated a Partnership for Growth and Innovation (PGI), which prioritizes the free flow of data as part of Singapore’s Smart Nation strategy. This partnership further underscores the commitment of both countries to facilitate the movement of data across borders for the benefit of economic growth and innovation. Footnote 99
Singapore actively promotes an open and secure international environment for data transfer, focusing on international partnerships beyond its ASEAN counterparts. The country’s cybersecurity strategy, particularly the second strategy published in 2021, emphasizes the cultivation of such an environment. Singapore takes proactive measures to advocate for the free flow of data in various international forums. Notably, it has established the Global Cross-Border Privacy Rules (CBPR) forum in collaboration with six other countries. All member countries of the CBPR forum recognize the importance of trusted cross-border data flows and believe that such flows contribute to improving lives. Footnote 100 Additionally, Singapore, the United States, and Japan are leading the Joint Initiative on e-commerce within the World Trade Organization, with the goal of promoting free and secure data transfer. Footnote 101 These efforts highlight Singapore’s commitment to creating a conducive global environment for the exchange of data.
Indonesia
Negative network perception
In 2012, Indonesia introduced data localization requirements through Government Regulation No. 82 (GR 82) without providing a clear definitions. GR 82 forces “operator for the public service” to build “the data center and disaster recovery center in Indonesia territory for the purpose of… enforcement of national sovereignty to the data of its citizen.” Footnote 102 Despite this ambiguity surrounding the definition, Indonesia had implemented such data localization since 2012. The Minister of Communication and Informatics (MCIT) emphasized the significance of data localization for law enforcement purposes, noting that “if the data centers are located overseas… [law] enforcers cannot gain physical access.” Footnote 103 Consequently, the Indonesian government urged foreign service providers like Google and BlackBerry to store data locally, highlighting the construction of a data center in Indonesia as the remaining requirement. Footnote 104
Indonesia’s adoption of a stringent data localization policy can be attributed to its aspirations for sovereignty and independence, primarily due to the country’s heavy reliance on foreign platform firms. Footnote 105 The MCIT criticizes foreign entities such as Google and Facebook for extracting revenues from the Indonesian population without reciprocating in a fair manner. Footnote 106 The Defense White Paper of 2008 highlights Indonesia’s dependence on foreign products and technologies, which raises concerns about potential technological threats and the erosion of Indonesia’s position in the global landscape. Footnote 107 The 2015 Defense White Paper reiterates this concern and underscores the importance of economic independence by advocating for the development of strategic sectors within the domestic economy. Footnote 108 These assessments indicate that Indonesia perceives the dominance of foreign platforms in its market as a negative network perception that could compromise its autonomy and national interests.
Positive network perception
The Indonesian government has undergone a shift in its stance on data localization, as reflected in the implementation of new regulations and laws. Government Regulation No. 71 (GR 71), introduced in 2019, replaced the previous regulation (GR 82) and provided clearer definitions regarding data localization. GR 71 distinguishes between the public and private domains, categorizing entities related to the government or governmental agencies as part of the public domain, while private entities providing electronic services to the public fall under the private domain. As a result, different standards are applied, whereby service providers in the public domain are still obligated to localize data, while private providers, with the exception of financial data, are no longer required to adhere to localization measures. Footnote 109 This change provided a more precise framework for data localization in Indonesia.
Furthermore, the enactment of the Personal Data Protection Law (PDPL) in 2022 marks a significant milestone in Indonesia’s data transfer process. This law is expected to facilitate data transfers between countries, albeit with the requirement that the recipient countries offer data protection measures that are equivalent to those outlined in Singapore’s regulations. While the PDPL retains the need for compliance with cross-border data transmission requirements, it ensures a secure transfer as long as the recipient countries provide adequate data protection measures in line with Singapore’s standards. Footnote 110 The PDPL signifies a new era in data protection legislation in Indonesia and is anticipated to streamline the data transfer process while maintaining data security. Footnote 111
The prevalent perception in Indonesia now leans towards maximizing the benefits derived from foreign platforms, leading to a rescindment of data localization. The significant contribution of the digital economy sector, which attracts approximately 10 percent of foreign investment annually (around $20-25 billion), has shifted the perception of dominant foreign platforms in Indonesia from a vulnerability to an opportunity for developing the country’s digital infrastructure and economy. Footnote 112 Recognizing the importance of developing its own digital economy and infrastructure, the Indonesian government introduced its first e-commerce roadmap in 2016, aiming to create a “safe and open” e-commerce industry. The roadmap acknowledged the significance of learning from advanced e-commerce countries such as China and the United States to advance Indonesia’s national e-commerce sector. Footnote 113 It positioned e-commerce as a crucial component of the national economy and identified it as a “backbone of the national economy.” Footnote 114
In line with the Making Indonesia 4.0 strategy in 2018 emphasizing inclusive digital infrastructure, the recently unveiled 2021-2024 Digital Indonesia roadmap, highlighted by Minister of Communication and Informatics Johnny Plate, also underscores the importance of inclusive digital infrastructure to expedite Indonesia’s transformation in the digital economy and trade sector. Footnote 115 Indonesia acknowledges that restrictions on cross-border data flows present obstacles to its development. Footnote 116 In various negotiation and analytical documents, including those released by governments, Indonesia’s efforts to eliminate data localization measures are evident. By promoting unencumbered data transfer, Indonesia aims to stimulate economic development for service providers and attract more investors. Footnote 117 In a similar vein, Indonesia has designated the digital economy as one of the strategic pillars during its ASEAN chairmanship in 2023, emphasizing its commitment to creating a favorable environment for foreign investment. Footnote 118 These initiatives collectively reflect Indonesia’s determination to leverage the opportunities presented by foreign platforms and cross-border data flows to foster economic growth and development.
Negative security externality: internal
Indonesia’s notion of security is grounded in the integrity of a single nation due to its historic vulnerability and diverse cultural heritage. The country’s perception of national security is linked to data localization, which is deemed crucial for national integrity. The national law on electronic information and transaction (No. 11 of 2008) emphasizes the importance of supporting “religious and social-cultural values of the Indonesian society,” maintaining national unity, and protecting the nation’s dignity, degree, and sovereignty. Footnote 119 This law is supported by the MCIT regulation, which mandates that wireless broadband service providers include a proportion of local content of up to 50 percent. Footnote 120 The enforcement of data localization serves as a measure to exert national regulatory power over foreign entities and protect national integrity by addressing internal security concerns. The secessionist movement that emerged after Timore-Leste’s referendum in 1999 has been a primary domestic security concern. During Yudhoyono’s presidency from 2004 to 2014, securing internal security to tackle separatist actions became a policy priority, and his efforts led to successes such as the Helsinki agreement on the Aceh region. Footnote 121
Compared to internal security externality, there is little evidence that negative external security results in data localization before GR 71 promulgates. Yudhoyono administration pursues a “zero enemies, a million friends” stance in tandem with “dynamic equilibrium” where Indonesia takes centrality within the ASEAN to prevent external powers and promote regional cooperation. Footnote 122 His national strategy supports a robust relationship with the United States with the successful consolidation of democracy in Indonesia. It elevates the bilateral relationship to Comprehensive Partnership in 2010 and both defense ministers pledges to foster defense cooperation from maritime to global threats. After President Jokowi takes the office, Indonesia displays a robust relationship with the United States by highlighting both regional and global cooperation in various areas while distancing from China. Indonesian Foreign Minister evaluates US commitment to the region and Indonesia as “very noticeable” in the midst of increasing tension with China, demonstrating a robust and positive security externality. Footnote 123
Negative security externality: internal and external
The security externality in Singapore is further augmented by negative external security externality resulting from reciprocity between states, in addition to the existing negative internal one. Even after the inauguration of the Jokowi administration, which expanded foreign policy to encompass more diverse agendas, the internal security driver remains significant. The government of Indonesia prioritizes regulating platform businesses to safeguard digital sovereignty and protect the state from “negative contents that can destroy unity and ruin national digital sovereignty.” Footnote 124 The implementation of the PDPL is seen as an opportunity to “strengthen the role and authority of the government” in data governance. Footnote 125 The temporary interdiction on foreign platforms reflect the government’s commitment to safeguarding the public from disruptive online content. Footnote 126 Indonesia recognizes that data is intertwined with national sovereignty and geopolitical interests, prompting a consideration of the structural aspects and geopolitical ramification of data localization. Footnote 127 In contrast to the 2019 G20 Summit, Indonesia expands the scope of its agenda to encompass cross-border data flows, emphasizing the principle of reciprocity. By advocating for interoperability and appropriate policy measures in cross-border data flows, Indonesia’s actions highlight the negative external security externality generated by the international and geopolitical environment surrounding data and digital trade.
Despite outweighed positive network perception leading to abolishing data localization concerns regarding asymmetry with foreign platforms linger. Officials have highlighted the reliance of Indonesians on foreign platforms and the advantages enjoyed by companies “who are far away there.” Footnote 128 This perception underscores the need for greater data sovereignty and control. For instance, a senior official in the ministerial coordinating group said, “If you have a nationalist spirit, then move your data to Indonesia.” Footnote 129 The enactment of PDPL is viewed as an attempt to establish a virtual border that safeguards individual rights and protects data sovereignty. Footnote 130 The National Strategy for AI envisions a prosperous Indonesia in 2045 driven by “the sovereignty of Indonesian data for the benefit of Indonesia,” ensuring that it is not controlled by foreign entities. Footnote 131 In the context of international discussions, Indonesia underscores the principles of sovereignty and data security. During the G20 Summit, Minister Plate affirmed Indonesia’s commitment to these principles and proposed the inclusion of lawfulness, fairness, and transparency as guiding principles for data flows. Footnote 132 This approach reflects Indonesia’s aspiration to exercise sovereign power over its data while advocating for reciprocal guarantees of free data flow from other nations. The aim is to strike a balance between safeguarding national interests and promoting international cooperation in data governance.
Indonesia’s approach to data localization as a result demonstrates a cautious balance between internal integrity, international reciprocity, and digital sovereignty. As Minister Plate claims, “Data sovereignty is important so that the movement of values and data flows both nationally and globally can be managed properly.” Footnote 133 He positions Indonesian digital sovereignty as “the third phase in Indonesia’s struggle,” following its struggle for decolonization and the establishment of its archipelagic state identity. Footnote 134 This consistent message highlights Indonesia’s considerations of both internal and external security factors. The Digital Economy Minister’s report during Indonesia’s presidency in 2022 further exemplifies the disparity between positive network perception and negative security externality. While acknowledging the role of free data flows as a key driver for economic growth and development, Indonesia simultaneously incorporates the concepts of the free flow of data across borders and data sovereignty. Footnote 135 Similarly, the National Strategy for AI outlines practical implementations of data localization and provides explicit guidelines for data sharing practices. Footnote 136
Conclusion
The complex relationship between states and the various dimensions of data, including individual referents, platforms, and structural characteristics, highlights the limitations of a singular and discrete approach in understanding states’ motivations for data localization. Instead, data localization should be viewed as a strategic decision by states to advance their political objectives. This paper argues that data localization is a form of economic statecraft that arises from the intersection of digital technology, proposing a nuanced mechanism that integrates network perception and security externality—both at domestic and international levels. Through an examination of three Southeast Asian states, it asserts that data localization is driven by a state’s comprehensive understanding of the network effect, rather than being influenced by a single factor. Specifically, the state’s perspective on the economic impact and security implications of data localization is crucial. The decision of states to implement data localization finds a comprehensive explanation only through the synergy of both network perception and security externality—rather than reliance on either alone. This comprehensive perspective is essential, given the array of strategic options available beyond data localization and its interwoven nature within the domains of economy and security.
This paper makes significant contributions to the existing literature in international relations, particularly within the fields of international political economy, international security, and technology. It extends the concept of economic statecraft to encompass the realm of digital technology. Footnote 137 While data has always been present, the recent advancements in digital technologies have transformed its value and generated new opportunities that were previously unimaginable. While traditional concepts and theories in international relations still hold relevance, this paper delves into how data, as the core element of digital technology and AI, operates within the context of economic statecraft.
Furthermore, this paper advances the discussion on the interconnectedness of international political economy and international security. Recognizing that statecraft inherently combines foreign economic and security policies, the development of technology creates new avenues for statecraft to manifest in economic, military, and societal domains. Footnote 138 Drawing from theoretical approaches in both disciplines, this paper emphasizes the necessity of integrating and considering both perspectives in the theoretical mechanism. It highlights that neither perspective alone but both can provide a comprehensive understanding of the complex dynamics at play. After all, data in digital technology serving as a vital resource for training AI is an economic means that emerges from the network effect, comprising both economic aspects and security ramifications.
In practice, data localization is not merely an autonomous decision but a representation of strategic calculation. This understanding is crucial in assessing partners’ responses to data localization in bilateral and multilateral relations. For example, the US Trade Representative openly characterizes data localization as a foreign trade barrier. Footnote 139 In order to address the growing number of countries implementing data localization measures, the United States needs to develop a strategy that reframes these measures as opportunities rather than vulnerabilities, while also alleviating security concerns. In other words, the decision to implement data localization not only impacts other states but is also influenced by the policies and strategies of those states vice versa. As a result, this dynamic interplay underscores the need for nuanced and delicate countermeasures in response to data localization.
Acknowledgements
I would like to thank Jon Lindsay, Peter Swire, Milton Mueller, Katharina Fleiner, and Vagisha Srivastava for reading the earlier draft. I am also thankful to Alasdair Young, Ahmed Said, Katharina Kuhn, Hyunsu Kim, participants from the ISA 2023 Virtual Conference, the 22nd Workshop on the Economics of Internet Security (WEIS), the 2023 Cybersecurity Summer Institute, the Graduate Students in International Political Economy (GSIPE) 5th mini-conference, Nunn School Writer’s Nest, and IR Salon, as well as anonymous reviewers and the editors at Business and Politics.
Open access
