It might be too early to call them a “trend” but local data residency laws are certainly on the rise. Russia’s new local data residency law, which came into force on 1 September, is the most prominent example, but other countries have considered enacting data residency laws. In this post, we equip you with the basics you need to know about data residency laws.
Recent developments regarding data residency laws can be attributed to Edward Snowden’s 2013 revelations about extensive NSA surveillance and data collection activities. Around the world, these revelations were met with calls for further privacy protections. Governments responded by pushing for data residency laws, seemingly to shield data from access by intelligence services.
2. Key Requirements
In essence, data residency laws require local and foreign companies to store and process personal data they collect about citizens of a country within that country. For example, the Russian data residency law requires companies around the world to store and process personal data about Russian citizens on databases located on Russian territory. Whether this requires all data processing activities in relation to the local data to take place on local soil or whether a duplication of local data for processing abroad is permitted following the initial collection and storage of data, depends upon the scope of the relevant law (and, in the case of Russia, is still unclear).
3. Rationale and Effect on Data Protection
Local data residency requirements ensure government access to data. While they are usually incorporated into data privacy laws and “sold” as data protection measures, in reality, they compromise data protection rather than enhance it. They are very different from data transfer requirements which limit companies’ abilities to transfer data out of a jurisdiction and are driven by the desire to protect personal data even when transferred abroad. They are also different from data retention requirements which require certain types of data (such as tax, accounting and corporate records) data to be kept for a certain minimum period of time but do not prescribe the location of the data. See below for an infographic illustrating the different concepts of data residency, data retention and data transfer requirements:
4. Impact on businesses
Data residency laws could potentially have a huge impact on multinational providers and users of cloud and other hosted technologies. By dictating where certain data is to be held and processed, local data residency requirements fundamentally counteract many of the benefits of cloud technologies which inherently involve the sharing, processing and centralising of data across borders. As long as Russia remains the only country with broad data residency requirements, multinationals can develop one-off solutions in respect to Russia. If more countries follow Russia’s example, businesses will need to reconsider their IT architectures more seriously. See below for an infographic on compliance options for cloud service providers in light of local residency requirements:
5. Global trends and outlook
Countries other than Russia have considered, or are in the process of, enacting local data residency laws. For example, China has published a draft new cybersecurity law with limited local data residency requirements requiring key infrastructure providers to store certain “important” or “critical” data collected in China on Chinese territory. However, so far, no country other than Russia has enacted a broad and explicit requirement to store and process all personal data locally. In Europe, these requirements would likely be incompatible with free trade and information flow principles within the EEA. So, for now, there is still hope that these anti-privacy requirements will not expand beyond Russia!
Contributors – Anna von Dietze