Data localization requirements are increasing around the world, presenting data-intensive businesses with a difficult choice: establish IT infrastructure in countries with data localization requirements in effect, or forgo processing and transfer of their citizens’ personal information, thereby making business operations in those countries practically impossible.
This article summarizes data localization policies around the world, concluding with the suggestion that technological solutions might serve as cost-effective substitutes for complex legal compliance programs.
Data localization requirements are not new. Prior to 2013, several countries passed laws requiring data to be stored within national borders. However, the data localization mandates gained added impetus — and justification, according to many — following National Security Agency contractor Edward Snowden’s June 2013 leak of classified documents revealing the existence of U.S. government efforts to surreptitiously wiretap telephone calls, access Internet communications, and conduct surveillance on foreign allies.
With news of the Snowden leaks, governments and individuals outside the United States had tangible evidence that communications stored by U.S. technology companies on U.S. soil were not safe from U.S. government surveillance. The result was heightened interest around the globe in taking steps to keep personal information within national borders.
Today, some of the largest countries in the world have enacted data localization measures. Many other countries are actively considering similar restrictions. Global business interests — particularly those in the United States — are pushing back against data localization laws, arguing that they unnecessarily impair electronic commerce and will, in fact, harm the economies of countries that adopt them. However this policy debate turns out, data localization laws promise to be a dynamic and hotly disputed technology policy issue for at least the next decade.
“Data localization” can be defined as the act of storing data on a device that is physically located within the country where the data was created. Data localization requirements are governmental obligations that explicitly mandate local storage of personal information or strongly encourage local storage through data protection laws that erect stringent legal compliance obligations on cross-border data transfers.
Data localization requirements can take several forms:
When justifying data localization measures, many countries cite the need to provide additional assurance of privacy protections for their citizens. The June 2013 leak of classified documents by National Security Agency contractor Edward Snowden, which revealed the existence of widespread U.S. government online surveillance activities and described a cozy relationship between the U.S. government and U.S.-based Internet service providers, contributed to a widespread feeling across Europe that Europeans’ data was not safe on U.S. servers.
The Snowden revelations are widely believed to be responsible for an increased interest in data localization laws, though in fact many of these laws predated the Snowden revelations.
A second rationale for strong data localization requirements is the need to make data available for easy access in support of law enforcement and national security objectives.
A final rationale for data localization mandates is “data mercantilism,” an overt government policy to promote economic advantage by favoring local industries.
Whatever the justification, data localization requirements present significant operational and legal compliance challenges for companies seeking to serve foreign markets.
An explicit data localization requirement is one that requires entities that process data regarding that country’s citizens to have servers physically located within the country’s borders.
Russia, China, Nigeria, Indonesia, Brunei, and Vietnam, among others, all have laws that contain explicit data localization requirements.
Russia’s data localization law (Russian Federal Law No. 242-FZ, effective Sept. 1, 2015), contains an explicit requirement that companies collecting personal information about Russian citizens must “record, systematize, accumulate, store, amend, update and retrieve” the information using servers physically located within Russia.
China, a country keenly interested in data localization measures, has several data localization laws in effect, with additional restrictions under active consideration. Today, Chinese law:
Additional data localization requirements are looming in China. Early drafts of China’s 2015 anti-terrorism law contained data localization mandates; however, these were removed in the final version of the law. Nevertheless, evidence of continuing interest in data localization can be found in the latest draft (English translation by AmCham China) of a proposed Chinese cybersecurity law. The measure would require operators of “key information infrastructure” to store “citizens’ personal information and important business data” on in-country servers. The extent to which the law would create data localization mandates is currently unknown, due to uncertainty surrounding the meaning of key terms and the potential that the law will be modified in response to public comments.
Effective Jan. 1, 2016, an amendment to Kazakhstan’s personal data protection law creates a data localization mandate in that country. The law provides: “Storage of personal data shall be carried out by the owner and/or operator, as well as by a third party in the database, which is kept in the territory of the Republic of Kazakhstan.”
Nigeria does not have a data protection law. However, the National Information Technology Development Agency included data localization requirements in May 2014 guidelines designed to promote local online content development. The Guidelines for Nigerian Content Development in Information and Communications Technology (PDF) require that all information and communications technology (ICT) providers “Host all subscriber and consumer data locally within the country.” The guidelines also require all government data to be hosted within Nigeria.
ICT services are described broadly as “a combination of equipment and services that enables remote gathering, processing, storage, conveyance and delivery of various forms of information.”
In Indonesia, the Information and Electronic Transaction Law requires companies providing online services to residents to physically locate their servers within the country.
Vietnam’s Decree 72 (effective Sept. 1, 2013) states that Internet service providers must store locally at least one copy of all information on Vietnamese citizens, and that organizations and enterprises must have “at least one server system in Vietnam serving the inspection, storage, and provision of information at the request of competent authorities.”
Personal information regarding Malaysian citizens must be stored on local servers. Brunei companies may lawfully store data collected within Brunei on servers located within the country.
A 2011 Greek law provides, “Data generated and stored on physical media, which are located within the Greek territory, shall be retained within the Greek territory.” The measure appears to be inconsistent with EU data protection laws, but it nonetheless remains on the books.
Several countries impose data localization mandates on specific types of information, such as health information, financial information, and information collected by government agencies.
In Canada, federal law contains no data localization requirements. However, provincial laws in British Columbia and Nova Scotia require that personal information created by public institutions (government agencies, schools, hospitals, and utilities) be stored on servers located in Canada. These laws also require that the data be accessed from within Canada, creating an additional barrier for companies based outside those provinces.
Turkey mandates that electronic payment services providers process all data within the country. This requirement was recently enforced against PayPal, which lost its license to do business for failure to comply with the localization requirement.
Venezuela has adopted a law that effectively requires in-country processing of domestic payment transactions.
Ukraine is considering a proposal that would exclude foreign networks from providing payment processing services.
In Australia, the Personally Controlled Electronic Health Records Act prohibits the transfer of personal health information outside of Australia.
In New Zealand, the Commissioner of Inland Revenue requires that electronic business and tax records must be stored locally.
Several countries’ laws with explicit data localization mandates give their citizens an additional measure of control over personal data by prohibiting cross-border transfers without the data subject’s consent. For example, China’s Guidelines for Personal Information Protection within Public and Commercial Information Systems prohibit cross-border transfers of personal information without the consent of the data subject or the government.
In Mexico, the Ley Federal de Protección de Datos Personales en Posesión de los Particulares permits cross-border transfers of personal information, provided that the data subject gives informed, prior consent.
India and South Korea also permit cross-border data transfers, provided that the data subject gives prior consent.
In Hong Kong, Section 33 of the Personal Data Privacy Ordinance prohibits the transfer of personal information outside of Hong Kong under conditions similar to the European Data Protection Directive (e.g., consent in writing, transfer to countries with adequate protection), according to 2014 guidance from the Office of the Hong Kong Privacy Commissioner. Importantly, however, Section 33 has not yet been adopted.
Consent requirements are viewed as undesirable by many online businesses because of the challenges of obtaining a valid consent. National laws frequently require that cross-border data transfer practices be clearly and conspicuously disclosed to the data subject, after which the data subject must unambiguously opt-in to the transfer. Consent, once given, can be withdrawn, creating an additional compliance challenge for businesses.
Within the European Union, there are few explicit data localization mandates. However, companies wishing to do business in Europe must contend with the legal challenges inherent in complying with rapidly changing rules on cross-border data transfers and the further challenge of selling into a market that is increasingly reluctant to store personal data outside Europe.
From July 2000 until October 2015, the US-EU Safe Harbor Agreement was the principal legal mechanism for U.S.-based companies to lawfully transfer and process the personal information of citizens in EU member states. However, on Oct. 6, 2015, the European Union Court of Justice (CJEU) effectively ended the Safe Harbor agreement, finding that the European Commission’s prior determination that it provided an adequate level of protection for EU member state citizens’ personal information was invalid. The specter of U.S. national security agencies spying on Europeans’ personal information loomed large in the CJEU’s opinion.
The CJEU’s ruling undermined the legal basis for U.S.-EU data transfers reliant on the Safe Harbor agreement, so government officials from the U.S. Department of Commerce and the European Commission were forced to come up with a successor agreement that complied with the CJEU’s interpretation of the EU Data Protection Directive’s “adequacy” provisions.
That agreement, the Privacy Shield, was announced by the European Commission on Feb. 2, 2016. On July 12, 2016, the College of EU Commissioners found that Privacy Shield provides an adequate level of protection under the EU Data Protection Directive. Beginning Aug. 1, 2016, U.S.-based companies are allowed to request certification under the agreement.
Compared to the Safe Harbor agreement, the Privacy Shield contains several significant changes. Among them: expanded privacy notices, stronger avenues of redress for violations, and greater privacy protections when personal data is transferred to third-party controllers and processors.
With the new EU General Data Protection Regulation (GDPR) set to come into effect in May 2018, the Privacy Shield is a shaky bridge to an uncertain destination. The Privacy Shield will almost certainly attract legal challenges from parties alleging that it — just like the Safe Harbor — fails to provide adequate protection for Europeans’ data. Moreover, the agreement will likely require amendments once the GDPR becomes effective across Europe. The GDPR contains numerous new privacy protections not found in the Data Protection Directive, along with stiff penalties for violators.
Many believe that the GDPR will create so many compliance challenges that non-EU businesses will be effectively forced to maintain servers in an EU country of their choice.
Finally, there is the further risk that, several years down the road, the Privacy Shield will be invalidated and businesses will have to create their data protection compliance programs yet again.
Even in places where data localization laws are not on the books, the purchasers of cloud storage solutions believe that the location of the datacenter is an important buying consideration. A 2014 NTT Communications survey of information and communications technology company decision makers revealed that the location of data storage facilities is an important purchasing consideration. Just 5 percent of the survey respondents believed that the location of data is “unimportant.” Thirty percent of the decision makers in Germany and the United States replied that “location completely matters” when purchasing data storage services.
In Germany, the top three email providers (GMX, web.de, and T-Online) are all based in that country, with Google’s Gmail a distant seventh place, according to a recent survey.
German Chancellor Angela Merkel, stung by news from the Snowden leaks that she had been targeted in U.S. surveillance activities, called for European Internet services to be entirely separated from the United States in 2014. A subsequent survey conducted by NTT Communications indicated that 82 percent of information technology company decision makers agreed with Merkel’s call for deploying European data networks (aka “Schengen cloud”).
In August 2013, Deutsche Telekom launched “E-mail made in Germany,” a service that seeks to route data exclusively through domestic servers. The leading German telco has also called for changes in German law to mandate that Internet traffic “not be unnecessarily routed outside of the EU.”
Similarly, some officials within the French government have declared a goal to “build a France of digital sovereignty.” On May 23, 2016, a bill approved by the French Senate included this provision: “Data shall be stored in a data center located within any EU Member State territory, without prejudice to international agreements to which France and the EU are parties. They cannot be subject to a transfer to a third country.”
The provision was later rejected by the French Parliament and stricken from the legislation.
These examples demonstrate broad public sentiment against overseas storage of personal information, particularly on U.S.-based servers.
With this background in mind, it is not surprising that companies are considering establishing data centers within the countries in which they are operating. Rather than wait for the legal process to sort itself out or risk losing business within markets that are wary of hosting their data on U.S.-based servers, leading online services providers are finding certainty now by setting up data servers in overseas markets.
Facebook, Apple, Google, IBM, Microsoft, and Amazon.com all announced plans to open new data centers in Europe in the wake of the Snowden leaks. That strategy appears to be working. According to the Wall Street Journal, Amazon, Microsoft, Google and IBM nearly tripled their combined cloud-infrastructure revenue in the region to $2 billion by 2016.
Hybrid cloud architectures offer a promising solution for businesses confronting the growing array of data localization demands in overseas markets.
A private cloud operates for the benefit of a single organization, supplying critical and sensitive business functions, and is typically hosted in in-house or locally based data centers to address security, compliance, connectivity and performance concerns. Public clouds, on the other hand, are designed to serve thousands of clients and can offer scalability and economy of scale, while often being located far away from end-users, often in other countries or even on other continents. Amazon Web Services and Microsoft Azure are two well-known public cloud offerings.
By gluing together locally deployed IT resources providing high performance, compliance and customized architecture with a public cloud’s compelling advantages (mainly price and scalability), the “hybrid cloud” delivers the best of both worlds. Businesses deploying a hybrid cloud solution are able to take advantage of all that the public cloud has to offer while simultaneously solving performance and compliance issues and building infrastructure optimized to serve local users (either local employees or clients).
For companies desiring to serve markets with strict data localization mandates, legal compliance via the hybrid cloud is achieved through the use of locally based servers. For those markets, such as countries within the European Union, that permit cross-border transfer of personal information but do so under onerous — and changing — data protection schemes, the heavy compliance burdens associated with those laws can be largely eliminated. In each case, a hybrid cloud architecture allows personal data to be collected, processed and stored within the country where servers are located, while permitting demanding and uneven workloads to be managed at scale by public cloud providers.
Data localization laws present IT strategists with difficult choices. Strict data localization mandates call for a binary decision: establish local IT capacities or be shut out of those markets. In those countries that merely regulate cross-border data flows, the choice boils down to shouldering a heavy regulatory compliance burden and coping with uncertainty versus the expense of establishing hybrid solutions coupling advantages of public clouds with benefits of locally deployed IT solutions.
Businesses can achieve significant benefits by deploying local IT resources within a hybrid cloud IT architecture. A hybrid cloud solution: