On March 31, 2026, the Office of the U.S. Trade Representative released its annual National Trade Estimate Report on Foreign Trade Barriers, and South Korea drew unusually pointed attention. The report singled out two restrictions on cross-border data flows: Korea's long-standing ban on exporting high-precision location and map data, and the data-localization mandates buried inside its Cloud Security Assurance Program (CSAP). On the first, USTR's characterization was blunt — Korea is, in its words, the only major market in the world that maintains such location-data export limits.
The timing is striking, because one of those two barriers had just come down. The other has not.
A 19-year standoff, resolved by negotiation
Google first asked Seoul to export the country's 1:5,000-scale digital map data in 2007. It was rejected then, rejected again in 2016, and only on February 27, 2026 did Korea's Ministry of Land, Infrastructure and Transport conditionally approve a third request, ending a dispute that had run for 19 years. Apple had filed a parallel request in 2025.
Crucially, the approval was not a capitulation. It came wrapped in five security conditions: raw data must be processed on domestic servers run by a local partner; coordinates for sensitive sites must be removed or restricted on global services; satellite, aerial, and street-view imagery must obscure military facilities; contour data is excluded entirely; and Google must build a "red button" emergency mechanism and station a dedicated officer in Korea. That is what proportionate regulation looks like — a negotiated settlement that lets a global service operate while preserving the specific national-security interest at stake.
The strongest case for Seoul's caution
It is worth stating Korea's case fairly, because it is not frivolous. Korea remains technically at war with North Korea, and detailed terrain data has obvious military value to an adversary across a 250-kilometer border. As one Korean industry source put it, map data "is a national security asset," and the principle that "security cannot be treated as a matter of trade" is a defensible one. A government that hands fine-grained contour maps of its own territory to servers it cannot reach in a crisis is taking a real risk, not an imagined one. No serious analyst should pretend that concern away.
The question is never whether a security interest exists, but whether the chosen instrument is the least trade-restrictive way to protect it. And here the map deal itself is the proof. The five conditions — obscured military sites, excluded contour data, a domestic processing partner, an emergency kill-switch — protect exactly the sensitive interest Seoul cited, while still letting Google and Apple deliver navigation and autonomous-driving services that depend on the 1:5,000 data. The blanket export ban was never necessary to achieve that. Nineteen years of refusal protected nothing that the 2026 conditions do not.
The cloud rules are the harder problem
If the map dispute shows the system working, CSAP shows it failing. The U.S. government's own country guide describes a regime that requires cloud providers serving the public sector to build physically segregated facilities, localize cloud systems and backups inside Korea, station all operations and management personnel within Korean territory, and use only domestically certified encryption (ARIA or SEED). The Information Technology and Innovation Foundation concludes the framework "effectively shuts U.S. cloud firms out of public sector contracts," producing "a procurement system where only domestic firms can qualify" — among the most restrictive public-sector cloud rules in the developed world.
The personnel-localization rule is the tell. Since the January 2023 amendment, even low-tier certification requires that the people operating a cloud system physically sit in Korea. Data localization can at least be rationalized as keeping records on home soil. Requiring a multinational to relocate staff to qualify for a government contract is not a security measure; it is an industrial-policy moat dressed as one. Modern cloud security depends on encryption, access controls, and audited operational practice — not on the latitude of the engineer on call.
Why proportionality should win
The pro-innovation objection to CSAP is not that Korea should ignore the confidentiality of government data. It is that the localization mandates impose heavy costs — market fragmentation, exclusion from "globally leading cloud, cybersecurity, and AI capabilities," higher prices for Korean agencies — without a security payoff that lighter-touch certification could not deliver. Singapore, the UK, and the EU all certify foreign hyperscalers for sensitive workloads without demanding that their staff move countries.
Washington's leverage here is real but should be used carefully. USTR has reportedly warned it could raise reciprocal tariffs on Korea from 15% back to 25% absent progress on non-tariff barriers. Tariff threats are a blunt instrument that risk poisoning an alliance relationship; the map settlement, reached at a November 2025 bilateral summit rather than at gunpoint, is the better model.
The lesson of 2026 is that Korea can protect genuine security interests and open its market — it just did exactly that on maps. CSAP should follow the same logic: keep the certification, drop the localization. Security is a condition to be engineered, not a market to be reserved.