Data localization

Data localization or data residency law requires data about a nations' citizens or residents be collected, processed, and/or stored inside the country, often before being transferred internationally, and usually transferred only after meeting local privacy or data protection laws, such as giving the user notice of how the information will be used and obtaining their consent.^[1]

Data localization builds upon the concept of data sovereignty that regulates certain data types by the laws applicable to the data subject or processor. While data sovereignty may require that records about a nation's citizens or residents follow its personal or financial data processing laws, data localization goes a step further in requiring that initial collection, processing, and storage occur first within the national boundaries. In some cases, data about a nation's citizens or residents must also be deleted from foreign systems before being removed from systems in the data subject's nation.^[1]

Motivations and concerns

The push for data localization greatly increased after revelations by Edward Snowden regarding United States counter-terrorism surveillance programs in 2013.^[2]^[3] Since then, various governments in Europe and around the world have expressed the desire to be able to control the flow of residents' data through technology. Some governments are accused of and some openly admit to using data localization laws as a way to surveil their own populaces or to boost local economic activity.^[2]^[4]^[5]

Technology companies and multinational organizations often oppose data localization laws because they impact efficiencies gained by regional aggregation of data centers and unification of services across national boundaries.^[2]^[6] Some vendors, such as Microsoft, have used data storage locale controls as a differentiating feature in their cloud services.^[7]

International treaties and laws

While the Trans-Pacific Partnership included language that would have prohibited data localization restrictions among participants,^[8] the treaty was abandoned and never took effect.

After Germany and France either passed or nearly passed data localization laws, the European Union was considering restrictions on data localization laws in 2017.^[9]^[10] Data localization laws are often seen as protectionist and would thus violate European Union competition law.

Data localization laws and scope

National laws

Australia – health records^[2]^[3]
Canada in Nova Scotia and British Columbia – public service providers: all personal data^[2]^[3]
China – personal, business, and financial data^[1]^[2]
Germany – telecommunications metadata^[11]^[12]
Indonesia – public services companies must maintain data centers in country^[3]
Kazakhstan – servers running on the country domain (.kz)^[2]
Nigeria – all government data^[2]^[3]
Russia – all personal data^[2]^[3]^[13]
South Korea – geospatial and map data^[2]^[3]
Vietnam – service providers usage data^[2]^[3]

National security

Most nations restrict foreign transfer of information that they consider related to national security, such as military technology.

References

^ ^a ^b ^c "Data Localization Laws: an Emerging Global Trend". Jurist. January 6, 2017.
^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k "Data Nationalism". Emory Law. 2015.
^ ^a ^b ^c ^d ^e ^f ^g ^h "A Primer on Russia's New Data Localization Law". Proskauer. August 27, 2015.
^ "Risky Business: Data Localization". Forbes. February 19, 2015.
^ "Silicon Valley tech execs: Surveillance threatens digital economy". Palo Alto Online. October 9, 2014.
^ "Google Pushes Back Against Data Localization". The New York Times. January 24, 2014.
^ "Will Data Localization Kill the Internet?". eCommerce Times. February 10, 2014.
^ "Trans-Pacific Partnership will ban data localization laws". Fed Scoop. October 5, 2015.
^ "Ansip promises EU rules on data flows by autumn". Euractiv. October 5, 2017.
^ "European Commission eyes an end to data localization in EU". IAPP. January 12, 2017.
^ "Data Residency Requirements Creeping into German Law". Bloomberg Lawdate=April 11, 2016. {{cite news}}: Cite has empty unknown parameter: |1= (help)
^ "German data storage laws 'threaten free trade'". DW. December 1, 2017.
^ "Russia – New data localisation law: Current state of play". December 8, 2014.

[DataLocalizationLaws-1] "Data Localization Laws: an Emerging Global Trend". Jurist. January 6, 2017.

[DataNationalism-2] ^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k "Data Nationalism". Emory Law. 2015.

[RussiaPrimer-3] ^ ^a ^b ^c ^d ^e ^f ^g ^h "A Primer on Russia's New Data Localization Law". Proskauer. August 27, 2015.

[4] "Risky Business: Data Localization". Forbes. February 19, 2015.

[5] "Silicon Valley tech execs: Surveillance threatens digital economy". Palo Alto Online. October 9, 2014.

[6] "Google Pushes Back Against Data Localization". The New York Times. January 24, 2014.

[7] "Will Data Localization Kill the Internet?". eCommerce Times. February 10, 2014.

[8] "Trans-Pacific Partnership will ban data localization laws". Fed Scoop. October 5, 2015.

[9] "Ansip promises EU rules on data flows by autumn". Euractiv. October 5, 2017.

[10] "European Commission eyes an end to data localization in EU". IAPP. January 12, 2017.

[11] "Data Residency Requirements Creeping into German Law". Bloomberg Lawdate=April 11, 2016. {{cite news}}: Cite has empty unknown parameter: |1= (help)

[12] "German data storage laws 'threaten free trade'". DW. December 1, 2017.

[13] "Russia – New data localisation law: Current state of play". December 8, 2014.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

v t e Privacy
Principles	Right of access to personal data Expectation of privacy Right to privacy Right to be forgotten Post-mortem privacy
Privacy laws	Australia Brazil Canada China Denmark England European Union Germany Ghana New Zealand Russia Singapore Sri Lanka Switzerland United Kingdom United States California, amended in 2020
Data protection authorities	Australia Denmark European Union France Germany India Indonesia Ireland Isle of Man Netherlands Norway Philippines Poland South Korea Spain Sweden Switzerland Thailand Turkey United Kingdom
Areas	Consumer Digital Education Medical Workplace
Information privacy	Law Financial Internet Facebook Google Twitter Email Personal data Personal identifier Social networking services Privacy-enhancing technologies Privacy engineering Privacy-invasive software Privacy policy Privacy software Secret ballot Virtual assistant privacy
Advocacy organizations	American Civil Liberties Union Center for Democracy and Technology Computer Professionals for Social Responsibility Data Privacy Lab Electronic Frontier Foundation Electronic Privacy Information Center European Digital Rights Future of Privacy Forum Global Network Initiative International Association of Privacy Professionals NOYB Privacy International
See also	Anonymity Cellphone surveillance Data security Eavesdropping Global surveillance Identity theft Mass surveillance Panopticon PRISM Search warrant Wiretapping Human rights Personality rights
Category