Measures restricting data flows outside one's borders, including mandatory data/server localization measures, are not only a barrier to trade, but also largely ineffective in achieving better internet security or trust. Nevertheless, governments deploy such measures, primarily on grounds of cybersecurity and privacy, potentially violating their obligations under the General Agreement on Trade in Services (GATS). In this article, I investigate whether GATS-inconsistent measures may be justified under GATS Art. XIV when aimed at ensuring privacy or cybersecurity, and, if so, whether GATS Art. XIV effectively balances trade and internet policy. As the internet governance framework is complex and somewhat ambiguous, applying GATS Art. XIV to cybersecurity/privacy measures necessitates balancing of trade liberalization principles and domestic internet policy. This exercise can be effective in weeding out data localization measures disguised as privacy/cybersecurity measures, particularly by employing relevant technical and factual evidence. However, given the lack of binding international law/norms on these issues, GATS Art. XIV has a limited role, particularly in cases involving direct conflict between multistakeholder/transnational internet norms and domestic internet policies, or where the measures are founded on contentious standards/benchmarks on privacy/cybersecurity. Ultimately, ensuring free and secure data flows requires a multidimensional policy response, including strengthening linkages between trade law and internet governance.