Security exceptions in international economic law agreements tend to be more expansive than other exceptions, but over on Twitter Geraldo Vidigal pointed out recently that the RCEP security exception for data localization measures has an element that seems to go further than usual, giving any government that invokes the exception complete and total discretion to do whatever it wants in this area. Here's what the obligation and security exception say:
Article 12.14: Location of Computing Facilities
2. No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that Party’s territory.11
3. Nothing in this Article shall prevent a Party from adopting or maintaining:
...
(b) any measure that it considers necessary for the protection of its essential security interests. Such measures shall not be disputed by other Parties.
The language that differentiates it from most security exceptions is "Such measures shall not be disputed by other Parties." If I understand that correctly, and as Geraldo suggested on Twitter, where one party has said it considers a measure to be "necessary for the protection of its essential security interests," other RCEP parties cannot even raise an argument about this, either in bilateral discussions or in a formal complaint. Any disputes about such measures are off the table completely. That's quite a broad security exception! (Although it is only for a limited category of measures, of course -- the RCEP general security exceptions are drafted in a more traditional way).
Geraldo seemed to think that maybe the idea came from India, but I can see how it might catch on with a couple of other governments. That would be a mistake, in my view. But it's something to keep an eye out for nonetheless.