Data Localization Laws

Goals

To provide an overview of (1) countries with the strictest data localization laws; (2) countries where citizen consent is required to transfer data; (3) countries where certain conditions must be met for the laws to apply; and (4) countries where the laws are industry-specific; and to provide brief insights on their data localization laws, any consequences, and the impact on companies.

Early Findings

Countries With The Strictest Laws

  • "The data localization laws in Brunei, China, Indonesia, Nigeria, Russia, and Vietnam are among the strictest."
  • They have specific requirements that state that the data must be stored on servers within the country itself.
  • Russia, specifically, introduced the "Code of Administrative Offense administrative fines if companies fail to comply with the requirements for localization of processing personal data of Russian citizens. The fines range from 2 million to 18 million Russian rubles (approximately $30-280 thousand)."
  • Russia introduced the localization laws in 2015 but only recently added administrative sanctions.
  • "If the law requires a multinational business to host data for Russian citizens on a server in Russia, this will result in regular costs for creating and managing a new data center in Russia".
  • Another example of data localization is China’s Cybersecurity law. One requirement is for "IT infrastructure operators to store all personal information they collect from users in the country’s servers. This makes IT operators and owners of data hubs plan accordingly when operating in China. However, company data is not discouraged from being stored elsewhere in the world."

Countries Where Citizen Consent is Required

  • "Laws in Belarus, India, Kazakhstan, Malaysia and South Korea regarding data localization are only partial."
  • "They have a wide range of measures that include regulations that apply only to certain domain names and regulations that require the consent of an individual before data about them can be transferred internationally."
  • India currently does not have any specific data protection legislation. However, it does have legislation and policies which partially address data protection.
  • The data localization laws in India "mainly encompass data collected from local citizens when using applications and other related technology."
  • "There is no central data collection entity (public or commercial) being governed by Indian data protection laws, rather laws that apply to data collected by private and public entities."
  • However, the "data collected by India's government agency Aadhar is stored in fully secured servers in data centers located within India."
  • Several companies, such as Google, Facebook, MasterCard, and Twitter, have taken advantage of their ability to collect the data of India’s citizens due to the absence of relevant regulation.
  • The Indian government has "expressed the need to exercise greater control over how the data is acquired, stored, and shared."

Summary

  • For the initial hour, we were able to identify some early insights on countries with the strictest data localization laws, as well as early insights on countries that need citizen consent, with more specific examples for Russia, India, and China. We can continue the research to identify more insights specific to Indonesia and Belarus if these countries are of interest.
  • We can also continue the research to identify more country-specific insights on data localization laws for Brazil, Peru, Australia, and Canada, as these countries either have milder data localization laws or need to meet certain conditions; or are countries where the laws are industry-specific.