Localization apparently actually accomplished and accomplishes quite a bit then.
"Governments should reject short-sighted policies, such as data localization requirements, that do little to improve security but distort markets and lend themselves to protectionist tendencies."
"Do little" he says.
[I added the numbering below.]
"1. IBM has not provided client data to the National Security Agency (NSA) or any other government agency under the program known as PRISM.
2. IBM has not provided client data to the NSA or any other government agency under any surveillance program involving the bulk collection of content or metadata.
3. IBM has not provided client data stored outside the United States to the U.S. government under a national security order, such as a FISA order or a National Security Letter."
Analysis:
1. Denial only covers PRISM.
2. Denial only covers bulk collection.
3. Denial only covers data that was localized to a foreign country.
In other words what US law forces IBM to do is results in a privacy benefit to foreign governments, foreign companies and foreign private citizens who localize their country's data within their own country, or at least localized anywhere but the USA.
Localization apparently actually accomplished and accomplishes quite a bit then.
Probably the only downside of localization is that it hurts the bottom line of large multinational storage and cloud providers.