Data localization or data residency law requires

data In the pursuit of knowledge, data (; ) is a collection of discrete values that convey information, describing quantity, quality, fact, statistics, other basic units of meaning, or simply sequences of symbols that may be further interpreted ...

about a nation's citizens or residents to be collected, processed, and/or stored inside the country, often before being transferred internationally. Such data is usually transferred only after meeting local privacy or

data protection Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data pr ...

laws, such as giving the user notice of how the information will be used and obtaining their consent. Data localization builds upon the concept of

data sovereignty Data sovereignty is the idea that data are subject to the laws and governance structures of the nation where they are collected. The concept of data sovereignty is closely linked with data security, cloud computing, network sovereignty and technol ...

that regulates certain data types by the laws applicable to the data subjects or processors. While

may require that records about a nation's citizens or residents follow its personal or financial data processing laws, data localization goes a step further in requiring that initial collection, processing, and storage first occur within the national boundaries. In some cases, data about a nation's citizens or residents must also be deleted from foreign systems before being removed from systems in the data subject's nation.

Motivations and concerns

One of the first moves towards data localization occurred in 2005 when the Government of Kazakhstan passed a law for all ".kz" domains to be run domestically (with later exceptions for Google). However, the push for data localization greatly increased after revelations by

Edward Snowden Edward Joseph Snowden (born June 21, 1983) is an American and naturalized Russian former computer intelligence consultant who leaked highly classified information from the National Security Agency (NSA) in 2013, when he was an employee and su ...

regarding United States counter-terrorism surveillance programs in 2013. Since then, various governments in Europe and around the world have expressed the desire to be able to control the flow of residents' data through technology. Some governments are accused of and some openly admit to using data localization laws as a way to surveil their own populaces or to boost local economic activity. Technology companies and multinational organizations often oppose data localization laws because they impact efficiencies gained by regional aggregation of data centers and unification of services across national boundaries. Some vendors, such as

Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...

, have used data storage locale controls as a differentiating feature in their

cloud In meteorology, a cloud is an aerosol consisting of a visible mass of miniature liquid droplets, frozen crystals, or other particles suspended in the atmosphere of a planetary body or similar space. Water or various other chemicals may co ...

services.

International treaties and laws

After Germany and France either passed or nearly passed data localization laws, the European Union was considering restrictions on data localization laws being passed by member states in 2017. Data localization laws are often seen as protectionist. Consistent with the philosophy whereby trade barriers should be abolished within the EU but erected between the EU and other countries, the EU believes that data localization should be left to the EU to regulate at a pan-EU level, and member states' domestic data localization laws would violate European Union competition law. The EU's

General Data Protection Regulation The General Data Protection Regulation (GDPR) is a European Union regulation on data protection and privacy in the EU and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in partic ...

contains extensive regulation of data flow and storage, including restrictions on exporting personal data outside of the EU. To counter the protectionist impulses of the EU and other countries, a number of regional free trade agreements prohibit data localization requirements and restrictions on cross-border flow. An example is the

Trans-Pacific Partnership The Trans-Pacific Partnership (TPP), or Trans-Pacific Partnership Agreement, was a highly contested proposed trade agreement between 12 Pacific Rim economies, Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singa ...

, which included language that prohibited data localization restrictions among participants, which was carried over to the

Comprehensive and Progressive Agreement for Trans-Pacific Partnership Comprehensive may refer to: *Comprehensive layout, the page layout of a proposed design as initially presented by the designer to a client. * Comprehensive school, a state school that does not select its intake on the basis of academic achievement ...

. Another example is the

United States-Mexico-Canada Agreement United may refer to: Places * United, Pennsylvania, an unincorporated community * United, West Virginia, an unincorporated community Arts and entertainment Films * ''United'' (2003 film), a Norwegian film * ''United'' (2011 film), a BBC Two f ...

Data localization laws and scope

National laws

National security

Most nations restrict foreign transfer of information that they consider related to national security, such as military technology.

References