What Is Data Localization? Meaning and Laws Explained

image article

As part of our digital transformation, we create tons of data every day.

Every person on the globe currently generates 1.7 megabytes of data per second – which equals 146.88 GB a day – in 2020.

Based on estimates, we will accumulate 44 zettabytes (44 trillion gigabytes) of data by the end of 2020, with 90% of all data produced in the last two years.

Organizations are taking advantage of this exponential increase to learn more about their (future) customers.

Therefore, it’s no surprise that the big data analytics market is expected to reach $103 billion by 2023 with a Compound Annual Growth Rate (CAGR) of 11%.

Realizing the real value of citizen data, governments worldwide are increasingly introducing measures to control, restrict, limit, or even ban the international flow of data by implementing data localization laws.

Data localization is a controversial concept, which we will thoroughly cover in this article.

What Is Data Localization?

Data localization refers to the concept of keeping data created in a certain nation within that country’s borders.

Let’s see an example for better understanding.

Imagine a world where all countries are united. Here, you can travel without restrictions from one nation to another. There are no border checks, and you have complete freedom regarding where you go.

Although there are great benefits, bad actors can easily exploit this lack of supervision over world travel, leading to a potential increase in criminal acts.

Governments decide to move to a more restrictive system, implementing measures that restrict how and whether someone can enter a specific country.

While some nations have implemented only the essential measures to protect their citizens from crime, others have introduced overly strict laws disallowing residents from leaving the countries’ borders.

What Is the Purpose of Data Localization Laws?

Data localization laws are mostly applied to creating and storing personal information.

The goal of data localization laws is to help governments maintain their citizens’ data privacy by implementing some restrictions on how and whether their sensitive information can leave the country.

In most cases, governments use data localization rules that require organizations to keep only the primary copy of the data within the nation’s borders.

The above data localization measures make it easier for a country’s authorities to audit their citizens’ personal information (if there’s a valid case) without cooperating with other governments or complying with the data privacy laws of other nations.

Some nations have data localization controls in place for only certain – often very sensitive and valuable – information (e.g., healthcare and government records).

On the other hand, some nations have enacted very strict laws, preventing organizations from transferring most of their data outside the country’s borders.

These governments often claim that their goal with the restrictive rules is to protect citizens. However, critics argue that their real motivation is to secure a market advantage for local service providers.

In any case, while reasonable data localization laws can provide benefits to citizens, applying excessively harsh rules to the international flow of data does more harm than good.

Such practices prevent individuals, businesses, and governments from reaping data’s full potential while contributing to the so-called “digital factionalism” and the “splinternet.”

What’s the Difference Between Data Localization, Data Sovereignty, and Data Residency?

Apart from data localization, it’s important to mention two other concepts: data residency and data sovereignty.

Although they are indeed connected and are often used interchangeably, they refer to different concepts.

Data Residency

Let’s start with the least restrictive concept, which is data residency.

Data residency simply refers to when an organization specifies the geographical location it has chosen to store its data.

In most cases, organizations establish data residency for either regulatory or policy-related reasons. For example, a business ensures that a significant part of its core business activities remains within a nation’s borders to gain tax benefits.

Data Sovereignty

Data sovereignty rules come with more responsibilities and requirements for companies.

Instead of solely ensuring that a business’s data is stored at a specific location, data sovereignty refers to the principle that the information is subject to the country’s laws and regulations where it is stored, collected, and processed.

As a result, organizations have to comply with the nation’s data protection rules and laws to avoid punishment.

Data Localization

From all three, data localization is the strictest concept.

As you may already know, data localization laws require organizations to store – either the original records or their copies – all or certain types of data within a nation’s borders, restricting or limiting the international flow of data.

Data Localization Laws Around the World

Now that you know the basics let’s look at how some nations have implemented data localization in practice.

Note: we have grouped the countries into three categories based on how restrictive their data localization laws are.

Nations With Lax Data Localization Laws

Australia

Australia only has data localization laws set up for personal health records, requiring organizations to store them within the nation’s borders.

Canada

Unless organizations fulfill certain conditions, based on Nova Scotia’s and British Columbia’s data localization laws, they must store the data of public bodies (e.g., schools and hospitals) in Canada, making it accessible exclusively in the nation.

New Zealand

As per the Internal Revenue Act, companies in New Zealand have to store their business records in local data centers.

Nations With Moderate Data Localization Laws

Germany

While Germany has a rather open approach to global trade, the European country’s views on the international flow of data are very different.

Based on Germany’s Commercial Code, except for multinational companies, all persons and organizations liable to the nation’s taxes must store accounting documents and data locally.

In addition to nationwide rules, some German states have implemented their own data localization laws. For example, Brandenburg requires resident data to be stored within the state.

France

France shares similar views on data localization with Germany, promoting an infrastructure of local data centers.

In France, it’s illegal to store public administration data at foreign cloud providers, requiring organizations to process and keep such information within the European country.

The French government also made it illegal to transfer data involved in legal proceedings across the nation’s borders.

South Korea

In addition to requiring companies to obtain consent from consumers before exporting their data overseas, with some exceptions, the South Korean government prohibits ecommerce businesses from storing citizen credit card data abroad.

Furthermore, it’s illegal to store mapping data outside South Korea while the nation’s organizations have to maintain separate cloud computing networks for serving public bodies and the general public.

Nations With Strict Data Localization Laws

China

China features a comprehensive list of strict data localization laws.

To start with, as part of the Golden Shield program (often referred to as the “Great Firewall of China”), the Asian nation restricts access for its citizens to specific services and websites.

The nation’s most important data localization laws include:

  • The nation’s cybersecurity law requires several companies to store user data and important business information in China.
  • Providers of “critical information infrastructure” like telecommunication and internet firms are required to provide encryption keys to Chinese authorities while storing their data on national servers.
  • All servers of online publishing services – such as app stores, online gaming, and digital literature databases – must be located within the Asian country.
  • Unlike in South Korea where mapping data has to be stored within the nation’s borders, Chinese regulations force all organizations involved in digital mapping services to store all their information locally.
  • The servers of digital banking services must be located in China, while health records and medical information have to be kept locally.
  • It’s illegal to analyze, process, or store the personal financial information of Chinese citizens abroad.

Russia

Along with China, Russia also favors restrictive data localization measures.

Based on the Personal Data Law, all data operators collecting personal data on the nation’s citizens have to “record, systematize, accumulate, store, amend, update and retrieve” that information using Russia-based data centers. Organizations may only transfer the data overseas after first storing it in Russia.

From 2016, organizations in Russia are required to store the actual telecommunications data of users – including metadata, media, text messages, and voice data – for six months.

Furthermore, telecommunication companies and Internet service providers must refuse to provide services to users who fail to respond to law enforcement identity checks.

Data Localization: Strict Laws Do More Harm Than Good

Governments worldwide implement data localization laws for multiple reasons.

The original – and most important – goal is to protect citizen data by setting up rules on how organizations can interact with residents’ personal information while protecting sensitive data from leaving the nation.

However, enacting overly strict data localization laws can easily backfire as they hurt consumers’ ability to own and monetize their data more than offer protection against potential personal information-related misuse.

Fortunately, private companies can also contribute to the effort to prevent misuse or exploitation of user data.

Powered by blockchain technology, Permission.io is a next-generation advertising model where users have full control and can securely monetize their data while engaging with the web as they normally do.

In contrast to tech giants that harvest and sell user data without consent, Permission.io rewards its users in ASK cryptocurrency for interacting with advertisers and giving businesses permission to target them with ads based on their volunteered data.

Consumers can hold, exchange, or spend the ASK they earn on the Permission.io Store, Because advertisers ask permission for engagement, they build long-term relationships based on transparency and trust.

The model enables a free-flowing data economy that puts users at the center by enabling them to control and earn from their full data set.

And the best part? You can earn 100 ASK now only by signing up for the Permission.io platform!

Benjamin Vitaris
About the Author
Benjamin Vitáris is a freelance content writer for Permission.io. He has a keen interest in a wide range of business and technology topics, including cryptocurrency, blockchain, fintech, ecommerce, digital marketing, privacy, and cybersecurity. Benjamin has been working with several fast-growing tech and finance companies, such as Bitcoin.com, CCN.com, CEX.IO, AAX, DEVAR, Adv.Cake, STICPAY, and Bitaccess.
follow icon
en English
zh-CN Chinese (Simplified)en Englishko Korean