Data localization or data residency law requires data about a nation's citizens or residents to be collected, processed, and/or stored inside the country, often before being transferred internationally. Such data is usually transferred only after meeting local privacy or data protection laws, such as giving the user notice of how the information will be used, and obtaining their consent.[1]

Data localization builds upon the concept of data sovereignty that regulates certain data types by the laws applicable to the data subjects or processors. While data sovereignty may require that records about a nation's citizens or residents follow its personal or financial data processing laws, data localization goes a step further in requiring that initial collection, processing, and storage first occur within the national boundaries. In some cases, data about a nation's citizens or residents must also be deleted from foreign systems before being removed from systems in the data subject's nation.[1]

Motivations and concerns

edit

One of the first moves towards data localization occurred in 2005 when the Government of Kazakhstan passed a law for all ".kz" domains to be run domestically (with later exceptions for Google).[2] However, the push for data localization greatly increased after revelations by Edward Snowden regarding United States counter-terrorism surveillance programs in 2013.[3][4] Since then, various governments in Europe and around the world have expressed the desire to be able to control the flow of residents' data through technology. Some governments are accused of and some openly admit to using data localization laws as a way to surveil their own populaces or to boost local economic activity.[3][5][6]

Technology companies and multinational organizations often oppose data localization laws because they impact efficiencies gained by regional aggregation of data centers and unification of services across national boundaries.[3][7] Some vendors, such as Microsoft, have used data storage locale controls as a differentiating feature in their cloud services.[8]

International treaties and laws

edit

After Germany and France either passed or nearly passed data localization laws, the European Union was considering restrictions on data localization laws being passed by member states in 2017.[9][10] Data localization laws are often seen as protectionist. Consistent with the philosophy whereby trade barriers should be abolished within the EU but erected between the EU and other countries, the EU believes that data localization should be left to the EU to regulate at a pan-EU level, and member states' domestic data localization laws would violate European Union competition law. The EU's General Data Protection Regulation contains extensive regulation of data flow and storage, including restrictions on exporting personal data outside of the EU.

To counter the protectionist impulses of the EU and other countries, a number of regional free trade agreements prohibit data localization requirements and restrictions on cross-border flow. An example is the Trans-Pacific Partnership, which included language that prohibited data localization restrictions among participants,[11] which was carried over to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership. Another example is the United States–Mexico–Canada Agreement.

While both Europe and the US believe that data should flow freely, China has taken an opposing stance and has adopted data localization, but with stricter regulations. This is not a strategy widely used by other countries. Other countries and stakeholders have protested against this Chinese strategy of restricting the free flow of data.[12]

Data localization laws and scope

edit

National laws

edit
National Laws and Scope
Scope
Australia health records[3][4]
Canada (in provincesNova Scotia and British Columbia) public service providers: all personal data[3][4]
China personal, business, and financial data[1][3]
Germany telecommunications metadata[13][14]
India Payment System Data[15]
Indonesia public services companies must maintain data centers in country[4]
Kazakhstan servers running on the country domain (.kz)[3]
Nigeria all government data[3][4]
Russia all personal data[3][4][16]
Rwanda all personal data, unless authorized by the supervisory authority[17]
South Korea geospatial and map data[3][4]
Spain electoral roll, municipal census, fiscal data and data from the National Health System must be processed within the European Union[18]
Vietnam service providers usage data[3][4]

National security

edit

Most nations restrict foreign transfer of information that they consider related to national security, such as military technology.

See also

edit

References

edit
  1. ^ a b c "Data Localization Laws: an Emerging Global Trend". Jurist. January 6, 2017.
  2. ^ Castro, Daniel; McQuinn, Alan (February 24, 2015). Cross-Border Data Flows Enable Growth in All Industries (Report). Information Technology & Innovation Foundation.
  3. ^ a b c d e f g h i j k Chander, Anupam (2015). "Data Nationalism". Emory Law Journal. 64 (3). Emory Law: 677.
  4. ^ a b c d e f g h "A Primer on Russia's New Data Localization Law". Proskauer. August 27, 2015.
  5. ^ "Risky Business: Data Localization". Forbes. February 19, 2015.
  6. ^ "Silicon Valley tech execs: Surveillance threatens digital economy". Palo Alto Online. October 9, 2014.
  7. ^ "Google Pushes Back Against Data Localization". The New York Times. January 24, 2014.
  8. ^ "Will Data Localization Kill the Internet?". eCommerce Times. February 10, 2014.
  9. ^ "Ansip promises EU rules on data flows by autumn". Euractiv. October 5, 2017.
  10. ^ "European Commission eyes an end to data localization in EU". IAPP. January 12, 2017.
  11. ^ "Trans-Pacific Partnership will ban data localization laws". Fed Scoop. October 5, 2015.
  12. ^ Liu, Jinhe (January 2, 2020). "China's data localization". Chinese Journal of Communication. 13 (1): 84–103. doi:10.1080/17544750.2019.1649289. ISSN 1754-4750.
  13. ^ "Data Residency Requirements Creeping into German Law". Bloomberg Law. April 11, 2016.
  14. ^ "German data storage laws 'threaten free trade'". DW. December 1, 2017.
  15. ^ "Reserve Bank of India - Notifications". April 6, 2018.
  16. ^ "Russia – New data localisation law: Current state of play". December 8, 2014.
  17. ^ RISA. "LAW Nº 058/2021 OF 13/10/2021 RELATING TO THE PROTECTION OF PERSONAL DATA AND PRIVACY" (PDF). Archived from the original (PDF) on March 9, 2022.
  18. ^ Law 40/2015, of the Legal System for the Public Sector. Article 46 bis. "BOE.es - BOE-A-2015-10566 Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público". www.boe.es (in Spanish). Retrieved December 9, 2021.