Data localization laws are regulations governing how data can be processed in a certain territory. This differs from data sovereignty, which refers to data being hosted in a particular country, whereby that country's or state's laws apply. Data localization laws and data sovereignty are a reflection of cloud adoption readiness. According to the 2016 BSA Global Cloud Computing Scorecard, most countries have made healthy improvements in their policy and regulations for cloud adoption.
Data localization regulations can have a significant impact on the global economy, especially in an era where the Internet drives economic growth and is the key enabler for trading across several global industries. By adding restrictions on how and where data is stored or transferred, data localization poses a fundamental threat to the free flow of information across borders and the maintenance of global supply chains. Such regulations impact email communication, personal records, and social media services, in addition to limiting access to information that the manufacturing and service economies depend on.
There is a growing number of data localization laws, and the alarming trend is that they can create onerous obligations on organizations that result in significant costs.
As of late, most people refer first to Russia. For example, if the law requires a multinational company to host data for Russian citizens on a server in Russia, it can mean incurring costs for creating and maintaining a new data centre in Russia.
In contrast, South Africa does not have any specific data localization laws. There is no provision stating that public bodies have to process data within South Africa only.
In China, however, there are very strict compliance requirements and policies for data regulation. Even in 2016, there is not one comprehensive law that regulates data transfers across borders. For certain data types and industries (especially those of national security involving national secrets), there are laws to ensure data is stored on servers within the Republic of China. On the other hand, storing company data elsewhere in the world is not discouraged.
The requirements for data localization are rapidly evolving and have recently been enforced in many countries, including Vietnam, Indonesia, Brunei, Iran, China, Brazil, India, Australia, Korea, Nigeria and, most recently, Russia. Some of these countries impose a blanket ban on the transfer of all categories of data, whereas others, such as Australia and South Korea, impose specific restrictions on the transfer of data in very specific sectors such as health and finance on grounds of protecting citizens’ sensitive data. In some countries, including Malaysia and the Philippines, strict consent requirements and regulatory approvals for overseas data transfer exist. Those policies tend to slow down operational processes, often resulting in forced data localization. Some countries, such as India, also require foreign companies to enter into local partnerships to provide various IT services.
One of the basic problems for companies complying with data localization laws is the difficulty in determining which categories of data need to be locally stored and which can be moved abroad.
As cross-border trade increasingly moves towards e-commerce and relies on the use of internet technologies such as cloud computing and big data, data localization policies pose a major threat to the economy and businesses’ bottom line.
GLOBAL SPREAD OF DATA LOCALIZATION
*Data localization laws, by their nature, are difficult to precisely categorize and are constantly changing. This map is ASG’s best assessment of current regulations at the time of publication.