In the Middle East, cyber sovereignty hampers economic diversification

Rapid and unprecedented transformation in the Middle East, whether political, social, or technological, is forcing governments to reckon with enormous changes. Many governments are responding by attempting to pursue two contradictory paths forward — cyber sovereignty and digital transformation — and they might end up not achieving either.

Since its start a decade ago, the Arab Spring has changed the Middle East's geopolitics and tech landscape. Regional governments were not ready to deal with the budding, tech-savvy millennials in the streets of Cairo, Benghazi, and Sana'a. The Twitter- and Facebook-empowered generation ended the multi-decade-long reigns of Egypt’s Hosni Mubarak, Libya’s Moammar Gadhafi, and Yemen’s Ali Abdullah Saleh. The removal of these long-serving autocrats sent shockwaves across the region and made its capitals much more attentive to technology's influence on their societies. Realizing the importance of cyber sovereignty, especially when it comes to keeping citizens' data within national boundaries, known as “data localization,” governments began issuing laws mandating international and local companies to house their data locally.

Recently, MENA governments appear to be eschewing the U.S. approach to data privacy in favor of the European General Data Protection Regulation (GDPR) model as the region enacts a new spate of regulations regarding the treatment of consumer data. Egypt, for instance, approved the Personal Data Protection Law No. 151 in February 2020, which prohibits the transfer of personal data to recipients located outside Egypt except with the permission of the Egyptian Data Protection Center. Also, in 2020, the Saudi National Cybersecurity Authority (NCA) released a draft document for Cloud Cybersecurity Controls (CCC), which sets the minimum cybersecurity requirements for cloud computing. As part of the UAE's National Cybersecurity Strategy, the Emirates is set to launch a GDPR-like national data law, expected to drop within the coming months. The Dubai International Financial Center (DIFC) and Abu Dhabi Global Market (ADGM) free zones have already implemented data protection laws similar to the GDPR.

But whereas EU regulators convincingly communicated that the GDPR was intended to protect European citizens’ privacy across jurisdictions, safeguarding privacy has not traditionally been a focus for Middle Eastern governments. The cyber-sovereignty-centric approach to data regulation could be used for law enforcement activities, however.

Saudi, Emirati, and Egyptian approaches

While pursuing a sovereignty-centric approach to data governance, Saudi Arabia, the UAE, and Egypt — the biggest regional economies in that order — have also emphasized their goal of implementing massive digital transformation strategies.

Under Vision 2030, Saudi Arabia’s long-term economic development plan, the kingdom implemented a national transformation strategy to diversify its economy and shift it from being oil-powered to digitally-powered. The kingdom’s ambition is to become a global tech leader and digital hub in the Middle East. To prove its seriousness, Riyadh has: a) introduced legal frameworks, legislation, and various strategies that cover cloud computing and artificial intelligence (AI); b) forged partnerships with global technology companies; c) led international tech efforts and initiatives; and d) embraced the high-tech smart city future via its planned $500 billion NEOM city along the Red Sea.

The UAE is a leading digital economy in the region as a result of years of investing in digital infrastructure, forging international partnerships, and positioning Dubai and Abu Dhabi as the go-to regional hubs for international technology companies. So when COVID-19 caught the world by surprise, the UAE emerged as one of the most digitally-empowered economies with the ability to mobilize to meet the digital requirements of the pandemic, i.e., a swift transition to remote working and schooling, implementation of advanced contact-tracing mechanisms, and a digitally-enforced lockdown.

Unlike Saudi Arabia and the UAE, Egypt went through years of political upheaval that made Cairo lag behind its regional peers, especially in technology. For instance, Egypt rolled out 4G network infrastructure in 2017, while Saudi Arabia and the UAE introduced it in 2011 and 2012, respectively. After achieving relative political stability, the government now aims to make up for lost time. Guided by Egypt's ICT 2030 Strategy, it plans to transform the country into a regional and international tech center, benefiting from Egypt’s demographics with a population of 100 million and its geographic location central to both Asia and Europe. Furthermore, Egypt is introducing much-needed regulatory frameworks, building and transforming smart universities, working to host Huawei's first cloud data platform in Africa, and building its first smart city, "The Administrative Capital." Egypt is among the very few emerging markets that has grown during the COVID-19 pandemic, which might incentivize more tech companies to consider entering the market in the post-COVID-19 era.

Saudi Arabia, the UAE, and Egypt did considerable work to upgrade their digital infrastructure, invest in their digital workforce, forge partnerships with big tech companies, and build smart cities to position themselves as regional and international tech hubs. However, simultaneously, the three countries embraced a cyber-sovereignty-centered approach to data regulations based on their treatment of cyberspace as a fundamental pillar of state sovereignty. This has been largely driven by fear of external political influence, rooted in the tumult of the Arab Spring and the political experience of the past decade, as well as a fear of external control of local data. The need for protecting citizens' data is legitimate, but the over-emphasis on restrictive cyber-sovereignty-centered data regulations could hurt their ambitions to become tech hubs in the short term.

Resource depletion

Extreme versions of data localization requirements would hurt international tech companies operating in these markets by shifting their resources from efficiently moving data across borders toward instead spending millions to establish local cloud centers. Typically, big tech companies hold user data in large cloud-connected data centers in strategic locations in closer proximity to their customer base and internet exchange points. These new requirements could raise costs for corporations by obligating them to build new data centers in every market without a meaningful payoff to users.

Isolationism from the world

The impact of data localization is not only limited to putting added pressure on corporate resources though. Restrictions on the movement of data across borders also limit access to capital and investment and diminish the ability of banks and governments to assess borrowers’ creditworthiness and ban fraudulent activities. For instance, Mastercard’s Chief Product Officer Michael Miebach said that data localization laws in India take “away the capability to see the broader world,” meaning a lender in one market wouldn’t be able to access financial records from another, making it difficult to make an informed lending decision.

Negative impact on remittances

Saudi Arabia and the UAE are a major source of remittances for Egypt, and there is an increasing effort to expand country-to-country mobile money services with the aim of boosting trade among the three nations. Between January and September 2020, the Egyptian diaspora, mainly in the GCC, sent home a total of $22.1 billion. Traditionally, the remittances are sent through bank transfers or in cash. Country-to-country mobile money services are one of the drivers for Saudi Telecom’s (STC) efforts to buy a stake in Vodafone Egypt, Egypt’s biggest telecommunications company and a major player in the growing mobile payment business. The Egypt-Saudi country-to-country mobile money service efforts will be correlated with the facilitation of data transfer across nations, and sovereignty-centric data localization would prove to be an eventual obstacle.

Halting innovation

In Saudi Arabia, the UAE, and Egypt, data localization requirements might hinder local firms and startups' abilities to harness the power of data analytics — by moving their data freely across borders — to enhance their products, improve user experiences, and boost their competitiveness. Additionally, the data localization requirements will likely dampen international companies' interest in the three markets and limit customers' access to leading digital services and technologies. As a result, the protectionist approach to data could ultimately stand in the way of the three countries' plans and ambitions to encourage innovation, and eventually become regional and global tech centers.

Saudi Arabia, the UAE, and Egypt have been aggressively working on implementing a large-scale digital transformation, attracting international tech companies, building high-tech smart cities, and investing heavily in their technology-based human capital. In a parallel track, the three governments have joined a growing global trend of data localization, which is required to safeguard citizens' personal data and ultimately create a regional and international framework on data processing. The cyber-sovereignty-centric approach to data limits innovation and economic growth, contributes to the balkanization of the internet, and will ultimately impede the three countries’ efforts to diversify their economies.

By pursuing both cyber sovereignty and digital transformation simultaneously, regional governments might fall short of achieving either.

Mohammed Soliman is a non-resident scholar with the Middle East Institute’s Cyber Program. His work focuses on the intersection of technology, geopolitics, and business in the Middle East and North Africa. The views expressed in this article are his own.

Photo by KARIM SAHIB/AFP via Getty Images