Data localization or data residency law requires

data Data ( , ) are a collection of discrete or continuous values that convey information, describing the quantity, quality, fact, statistics, other basic units of meaning, or simply sequences of symbols that may be further interpreted for ...

about a nation's citizens or residents to be collected, processed, and/or stored inside the country, often before being transferred internationally. Such data is usually transferred only after meeting local privacy or

data protection Data protection may refer to: * Information privacy, also known as data privacy * Data security {{Authority control ...

laws, such as giving the user notice of how the information will be used, and obtaining their consent. Data localization builds upon the concept of data sovereignty that regulates certain data types by the laws applicable to the data subjects or processors. While data sovereignty may require that records about a nation's citizens or residents follow its personal or financial data processing laws, data localization goes a step further in requiring that initial collection, processing, and storage first occur within the national boundaries. In some cases, data about a nation's citizens or residents must also be deleted from foreign systems before being removed from systems in the data subject's nation.

Motivations and concerns

One of the first moves towards data localization occurred in 2005 when the Government of

Kazakhstan Kazakhstan, officially the Republic of Kazakhstan, is a landlocked country primarily in Central Asia, with a European Kazakhstan, small portion in Eastern Europe. It borders Russia to the Kazakhstan–Russia border, north and west, China to th ...

passed a law for all ".kz" domains to be run domestically (with later exceptions for

Google Google LLC (, ) is an American multinational corporation and technology company focusing on online advertising, search engine technology, cloud computing, computer software, quantum computing, e-commerce, consumer electronics, and artificial ...

). However, the push for data localization greatly increased after revelations by

Edward Snowden Edward Joseph Snowden (born June 21, 1983) is a former National Security Agency (NSA) intelligence contractor and whistleblower who leaked classified documents revealing the existence of global surveillance programs. Born in 1983 in Elizabeth ...

regarding United States

counter-terrorism Counterterrorism (alternatively spelled: counter-terrorism), also known as anti-terrorism, relates to the practices, military tactics, techniques, and strategies that governments, law enforcement, businesses, and intelligence agencies use to co ...

surveillance programs in 2013. Since then, various governments in Europe and around the world have expressed the desire to be able to control the flow of residents' data through technology. Some governments are accused of and some openly admit to using data localization laws as a way to surveil their own populaces or to boost local economic activity. Technology companies and multinational organizations often oppose data localization laws because they impact efficiencies gained by regional aggregation of data centers and unification of services across national boundaries. Some vendors, such as

Microsoft Microsoft Corporation is an American multinational corporation and technology company, technology conglomerate headquartered in Redmond, Washington. Founded in 1975, the company became influential in the History of personal computers#The ear ...

, have used data storage locale controls as a differentiating feature in their

cloud In meteorology, a cloud is an aerosol consisting of a visible mass of miniature liquid droplets, frozen crystals, or other particles, suspended in the atmosphere of a planetary body or similar space. Water or various other chemicals may ...

services.

International treaties and laws

After Germany and France either passed or nearly passed data localization laws, the European Union was considering restrictions on data localization laws being passed by member states in 2017. Data localization laws are often seen as

protectionist Protectionism, sometimes referred to as trade protectionism, is the economic policy of restricting imports from other countries through methods such as tariffs on imported goods, import quotas, and a variety of other government regulations. ...

. Consistent with the philosophy whereby trade barriers should be abolished within the EU but erected between the EU and other countries, the EU believes that data localization should be left to the EU to regulate at a pan-EU level, and member states' domestic data localization laws would violate

European Union competition law In the European Union, competition law promotes the maintenance of competition within the European Single Market by regulating anti-competitive conduct by companies to ensure that they do not create cartels and monopolies that would damage th ...

. The EU's

General Data Protection Regulation The General Data Protection Regulation (Regulation (EU) 2016/679), abbreviated GDPR, is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of ...

contains extensive regulation of data flow and storage, including restrictions on exporting personal data outside of the EU. To counter the protectionist impulses of the EU and other countries, a number of regional free trade agreements prohibit data localization requirements and restrictions on cross-border flow. An example is the

Trans-Pacific Partnership The Trans-Pacific Partnership (TPP), or Trans-Pacific Partnership Agreement (TPPA), was a proposed trade agreement between 12 Pacific Rim countries: Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, Vietn ...

, which included language that prohibited data localization restrictions among participants, which was carried over to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership. Another example is the

United States–Mexico–Canada Agreement The Agreement between the United States of America, the United Mexican States, and Canada (USMCA)Each signatory has a different name for the agreement—in the United States, it is called the United States–Mexico–Canada Agreement (USMCA) ...

. While both Europe and the US believe that data should flow freely, China has taken an opposing stance and has adopted data localization, but with stricter regulations. This is not a strategy widely used by other countries. Other countries and stakeholders have protested against this Chinese strategy of restricting the free flow of data.

Data localization laws and scope

National laws

National security

Most nations restrict foreign transfer of information that they consider related to national security, such as military technology.

References