Data Localization Laws: Case Studies

Goals

To find case studies of companies that have successfully navigated the data localization laws in a country with strict requirements and companies that did not properly follow the laws in one of those countries.

Early Findings

Apple

  • China has one of the strictest data localization laws in the world. The Cybersecurity Law in China is a data localization law.
  • Apple's investment in China included the building of a data center in Guizhou province to store the cloud data of Chinese users. This was in compliance with China’s Cybersecurity Law which has data localization requirements and required "critical information infrastructure (CII) providers to store personal information within mainland China".
  • Apple addressed cybersecurity concerns by assuring users that the government would not have back door access to data stored within China.
  • Apple partnered with Guizhou-Cloud Big Data Industry Co Ltd (GCBD), a local government-backed third-party data center service provider to build the data center.
  • Hosting servers within China is necessary to help Apple and other companies to prevent network constraints and offer more reliable services in China.


Proposed next steps:

You need to be the project owner to select a next step.
We propose continued research to provide additional (1) 2-3 case studies of companies that have successfully navigated the data localization laws in a country with strict requirements; and (2) 2-3 case studies of companies that did not properly follow the laws in one of those countries. For each case study we will provide the company name, the country or countries they were operating in, how they successfully navigated the laws (or what they did wrong in the case of companies that ran into trouble), and what the outcome was.
Additionally, we propose finding 5-7 insights regarding data localization laws in countries with strict requirements. This would include their reasons for adopting strict data localization laws, the impact of such laws on the ease of doing business, as well as the impact of such laws on cybersecurity.