Data localization laws can be a major challenge for some organizations and almost a non-issue for others. It all depends on where you are located and which sector you operate in, because some countries are more specific about it than others.
It’s good to see that an increasing number of countries are adopting data localization and sovereignty laws, because they are a step toward better protection of personal data. We should all care about it because everyone using a computer sends this data out. According to the Australian Government’s guides, the personal data covered by such laws includes:
- First/last name, addresses, phone numbers, emails
- Date of birth
- Credit information
- IP addresses
- Sensitive information such as racial and ethnic origin, religious beliefs, political views, criminal records and even sexual orientation
- Facial recognition biometrics
- Location information
Clearly, we’re all in this together, and our governments should protect our right to privacy and confidentiality. Educating yourself on how they’re ensuring this – or whether they’re doing anything at all – is definitely a good first step in this direction.
So, here’s everything you should know about data localization laws around the world.
What Is Data Localization and Why Are Data Localization Laws Important
To put it simply, data localization laws are regulations governing how data can be processed and transferred in a certain territory. Data localization is different from data sovereignty, but both are a reflection of cloud adoption readiness.
China’s Cybersecurity Law is an excellent example of data localization. Specifically, Article 37 requires IT infrastructure operators to store all personal information they collect from users (sales, marketing, accounting, etc.) within the country’s mainland territory. As a result, IT operators and owners of data hubs have to plan accordingly when operating in China.
In an era where the Internet drives economic growth, data localization laws can have a major impact on the global economy. They add restrictions on where and how data can be stored or transferred, which makes them a threat to the free flow of information across borders as well as to the maintenance of global supply chains.
These regulations will impact everything from email communications and personal records to social media services and other outlets. They will also limit access to the information that the service and manufacturing economies depend on.
The number of data localization laws is constantly growing, and the biggest fear of many business people is that these laws will create obligations that are costly for their organizations. Another problem is that companies cannot instantly determine which data can be stored locally and which should be moved abroad.
Data Localization Laws vs. Data Sovereignty vs. Data Residency
Data sovereignty deals with data being hosted in a particular country where the country’s or state’s laws apply. Data sovereignty also makes sure that a country will not lose control or sovereignty over the processing of personal data that concerns data subjects from that country.
It also states that the information which has been stored in digital form follows the laws of the country in which it is located. Consequently, controlling trans-border data flow means upholding data sovereignty.
In Australia, for example, data sovereignty is ensured by the Australian Privacy Principles (APPs) law. All businesses operating in the country must follow the APPs’ standards and obligations around data collection, storage and processing.
Data residency pertains to the geographical location specified by a business, government, or industry body where their data is stored. Usually, this is done for policy or regulatory reasons. As you can see, data localization laws, data sovereignty and data residency are all different but still connected with each other.
Laws in Brunei, China, Indonesia, Nigeria, Russia and Vietnam
Data localization laws are quite hard to categorize and are constantly changing. However, the groupings used here can give you a general idea of what data localization laws are like in each particular region.
The laws in Brunei, China, Indonesia, Nigeria, Russia and Vietnam are perhaps the strictest of all. They have specific requirements that state that the data must be stored on servers within the country itself.
As noted by JD Supra, “On June 13, 2019, a bill of law entered Russian State Duma to introduce to the Code of Administrative Offense administrative fines for failure to comply with the requirements for localization of processing of personal data of the Russian citizens.”
The fines range from 2 million to 18 million Russian rubles (approximately $30,000 to $280,000). The localization laws themselves were introduced back in 2015, though, and contained no administrative sanctions until recently. If the law requires a multinational business to host data for Russian citizens on a server in Russia, the business will face regular costs for creating and managing a new data center there.
China also has very strict laws with regard to data localization. For certain industries and data types, there are laws that ensure that data is stored on servers within the Republic of China. However, storing company data somewhere else in the world is not discouraged.
Laws in the European Union
The best example of data localization laws in the European Union is the GDPR (General Data Protection Regulation). The GDPR was enacted in 2016; it governs the data protection and privacy of EU citizens and regulates the transfer of data outside the borders of the EU and the European Economic Area.
Laws in Belarus, India, Kazakhstan, Malaysia and South Korea
Laws in Belarus, India, Kazakhstan, Malaysia and South Korea regarding data localization are only partial. They have a wide range of measures that include regulations that apply only to certain domain names and regulations that require the consent of an individual before data about them can be transferred internationally.
Laws in Argentina, Brazil, Colombia, Peru and Uruguay
Data localization laws in Argentina, Brazil, Colombia, Peru and Uruguay are quite mild. There are restrictions that apply to international data transfers. However, these restrictions apply only under certain conditions.
Laws in Australia, Canada, New Zealand, Taiwan, Turkey and Venezuela
Laws in Australia, Canada, New Zealand, Taiwan, Turkey and Venezuela regarding data localization are only specific to certain industries. They are usually tailored to certain sectors such as telecom, healthcare, national security, and finance.
Laws in Other Countries
There are no known data localization laws in any other countries.
According to IAPP, way back in 2017, some companies in the United States were fighting with foreign governments to get them to relax their data localization laws. The companies are concerned that their intellectual property may be stolen overseas. Moreover, storing data in other countries is expensive for small and medium-sized businesses.
What Should Be Your Further Actions
Now that you know the basics of data localization laws, you are somewhat ready to continue with your business. Here’s what you should do:
- Do Your Research: Seek out relevant information yourself. Think about which countries you will be dealing with and which data localization laws will stand in your way.
- Hire a Professional: Find an expert in the field and consult them. You need to know all the ins and outs of such laws so that you don’t get in trouble later on.
- Take Action: Start acting once you have all the relevant knowledge. Be prepared to face unexpected challenges, though.
In conclusion, data localization laws around the world are appearing and maturing, and IT operators as well as individual users should follow them. They are not as disruptive for businesses as they may seem at first sight, so it is possible to continue doing business without breaking them.
Bridgette Hernandez is a Master in Anthropology who is interested in writing and is planning to publish her own book in the near future. She works with professional writing companies such as TrustMyPaper and GrabMyEssay as a writer and editor.