Article

Data Localization: A Complete Overview

Scientists predict that by 2025, the world will produce a staggering 463 exabytes of data each day. That’s the amount of data you’d accumulate if you initiated a video call right now and let it run for the next 110 million years.

Of course, we’ve been producing vast amounts of data for quite some time, so that should hardly come as a surprise. It’s because of this, and the rise of cloud computing more generally, that regulators, privacy advocates, and consumers are all becoming increasingly concerned with how that data is stored and who has access to it. In response, there’s been a dramatic uptick in the number of data localization laws around the world.

Underscoring the point, between 2017 and 2021, the number of data localization controls in place around the world increased from 67 to 144, while the number of countries with such controls on the books rose from 35 to 62. Importantly, what this trend reveals is that not only did more countries introduce regulations pertaining to their data, many of those that already had controls in place also added new ones.

Let’s take a closer look at data localization to understand what it is, how it’s being implemented in different countries, and what steps companies can take to ensure they’re compliant.

What is Data Localization?

Data localization refers to a mandatory legal or administrative requirement directly or indirectly stipulating that data be stored or processed, exclusively or non-exclusively, within a specified jurisdiction. In other words, data localization laws restrict the cross-border transfer of data. So if your business collects data from customers in another country, depending on the laws in place, you may need to keep that data there rather than transferring it back home — or anywhere else — for processing.

There are two main types of data localization:

  1. Absolute data localization is when data can never leave the jurisdiction in which it resides, even temporarily. When a country has absolute data localization laws in place, as India is about to have for critical personal data, it’s impossible for businesses in other countries to transfer customer data out.
  2. By contrast, relative data localization is when data is permitted to leave its jurisdiction under a predetermined set of circumstances. This is a far more common form of data localization. While this does allow for the cross-border transfer of data, entities seeking that data have to jump through significant regulatory hoops to make it happen.

It’s also important to distinguish between data localization and data transfer. Data localization laws pertain to the location where personal data is stored. By contrast, data transfer laws regulate the ability to disclose copies of personal data outside the borders of a country or region without requiring local storage.

What is the Purpose of Data Localization?

Now that we have a foundational understanding of what data localization is, let’s consider some of the reasons why governments put them in place. Fundamentally, countries use data localization to:

  • Enforce compliance with data protection laws. It’s far easier for countries to impose fines and other punitive measures if parties aren’t adhering to broad data protection laws, like GDPR, when they have data localization controls in place in their own individual jurisdiction.
  • Promote the use of data among local businesses. Largely a protectionist measure, the thinking here is that if data can’t leave a particular jurisdiction, companies will have to rely on local data centers and other providers to store, manage, and process that data.
  • Enhance law enforcement’s access to data. If the data a particular country has about its citizens is always within its jurisdiction, it’s much easier to compel data holders to provide it to law enforcement should they ever want to issue a warrant for it.
  • Make citizen surveillance easier. While certainly controversial, some governments support data localization because when their citizens’ data is stored locally, it’s easier to intercept.
  • Mitigate against potential sanctions. If the United States wanted to prevent an adversary or its citizens from using a particular tool or platform it had created, it would be much harder to do if all of the data associated with it resided in the country in question.

Whether justified or not, data localization requirements are on the rise, creating huge challenges for businesses looking to remain compliant.

Data Localization Laws by Country

When it comes to data localization, there’s no single approach – laws differ dramatically from one country to the next. While many data localization laws restrict the cross-border transfer of data, for example, others like the California Consumer Privacy Act (CCPA) do not. Oftentimes, laws don’t just differ from country to country, but even within individual jurisdictions.

The EU’s General Data Protection Regulation (GDPR) includes restrictions on data transfer, which have data localization effects. This is because the GDPR allows for the transfer of personal data to locations outside of the European Economic Area, provided they have adequate protections for that data. Therefore, EU data can only be transferred if adequate safeguards are in place, and enforceable data subject rights and effective legal remedies for data subjects are available. Similarly, China’s Personal Information Protection Law restricts the cross-border transfer of personal data unless a set of conditions are met.

Meanwhile, Russia has broad localization laws that require a copy of the data to be stored on local servers, but cross-border transfers are permitted under certain exceptions, such as data subject consent. For its part, Japan mandates that medical care records be stored within the country, while India requires licensed banks and payment system providers to retain their information locally, but allows it to be stored outside of the country if certain criteria are met.

There are often sectorial requirements for cross-border transfers. In Australia, for example, sensitive personal health record data cannot be transferred to another jurisdiction for either processing or storage. Likewise, in Indonesia, there are restrictions on the transfer of data used to deliver public services. As mentioned, India has similar controls for sectors with significant national interest in data use, such as payments, healthcare, and insurance.

Simply put, there are many data localization laws, each with its own nuances and stipulations.

How to Comply with Data Localization Laws

With so many different data localization laws to be aware of, figuring out how to remain compliant with the ones relevant to your business is essential. The best way to do so is to adopt tools and technology that will help you with:

Sensitive Data Discovery and Classification

It’s important to stay on top of all the data you have in the cloud. By identifying and classifying sensitive attributes across your cloud data platforms and standardizing your tagging, you can achieve universal data access control and visibility into sensitive data. Automating the sensitive data discovery process helps avoid manual processes and the risk of sensitive data slipping through the cracks.

Attribute-Based Access Control and Purpose-Based Restrictions

Next, you’ll want to create policies to govern your cloud data use in a way that’s dynamic and responsive to nuanced localization requirements. Doing so will help you scale user adoption, eliminate approval bottlenecks, and build trust with compliance and governance teams. Attribute-based access control helps ensure that data policy enforcement is context-based and scalable, while purpose-based restrictions can help adhere to data security compliance laws and regulations that require data to only be used for specific approved purposes.

Dynamic Data Masking Capabilities

To accelerate data sharing use cases, a best practice is to mask and anonymize sensitive data using dynamic data masking techniques. Here, k-anonymization is a particularly effective approach to data masking that’s backed by mathematical guarantees.

Automated Policy Enforcement and Auditing

Finally, to ensure your data teams can easily keep track of security and compliance with rules and regulations, it’s important to establish automatic data policy enforcement on every data query. On-demand auditing helps ensure data access controls are working as they should and that data is being used compliantly.

Perhaps most important of all, find a technology partner that can help guide you through the data localization challenges your business may face and help you automate key aspects of data localization law compliance.

Dive deeper into data localization laws and five strategies for incorporating data localization into your data architecture. Get the white paper for free here.

Ready to build your own policies in Immuta? Try it out in our walkthrough demo.