Data localization


Data localization or data residency law requires data about a nation's citizens or residents to be collected, processed, and/or stored inside the country, often before being transferred internationally. Such data is usually transferred only after meeting local privacy or data protection laws, such as giving the user notice of how the information will be used, and obtaining their consent. [1]


Data localization builds upon the concept of data sovereignty that regulates certain data types by the laws applicable to the data subjects or processors. While data sovereignty may require that records about a nation's citizens or residents follow its personal or financial data processing laws, data localization goes a step further in requiring that initial collection, processing, and storage first occur within the national boundaries. In some cases, data about a nation's citizens or residents must also be deleted from foreign systems before being removed from systems in the data subject's nation. [1]

Motivations and concerns

One of the first moves towards data localization occurred in 2005 when the Government of Kazakhstan passed a law for all ".kz" domains to be run domestically (with later exceptions for Google). [2] However, the push for data localization greatly increased after revelations by Edward Snowden regarding United States counter-terrorism surveillance programs in 2013. [3] [4] Since then, various governments in Europe and around the world have expressed the desire to be able to control the flow of residents' data through technology. Some governments are accused of and some openly admit to using data localization laws as a way to surveil their own populaces or to boost local economic activity. [3] [5] [6]

Technology companies and multinational organizations often oppose data localization laws because they impact efficiencies gained by regional aggregation of data centers and unification of services across national boundaries. [3] [7] Some vendors, such as Microsoft, have used data storage locale controls as a differentiating feature in their cloud services. [8]

International treaties and laws

After Germany and France either passed or nearly passed data localization laws, the European Union in 2017 considered restricting member states from passing such laws. [9] [10] Data localization laws are often seen as protectionist. Consistent with the philosophy whereby trade barriers should be abolished within the EU but erected between the EU and other countries, the EU believes that data localization should be left to the EU to regulate at a pan-EU level, and member states' domestic data localization laws would violate European Union competition law. The EU's General Data Protection Regulation contains extensive regulation of data flow and storage, including restrictions on exporting personal data outside of the EU.

To counter the protectionist impulses of the EU and other countries, a number of regional free trade agreements prohibit data localization requirements and restrictions on cross-border flow. An example is the Trans-Pacific Partnership, which included language that prohibited data localization restrictions among participants, [11] which was carried over to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership. Another example is the United States-Mexico-Canada Agreement.

While both Europe and the US believe that data should flow freely, China has taken an opposing stance and has adopted data localization, but with stricter regulations. This is not a strategy widely used by other countries. Other countries and stakeholders have protested against this Chinese strategy of restricting the free flow of data. [12]

Data localization laws and scope

National laws

National laws and scope

Country | Scope
Australia | health records [3] [4]
Canada (in the provinces of Nova Scotia and British Columbia) | public service providers: all personal data [3] [4]
China | personal, business, and financial data [1] [3]
Germany | telecommunications metadata [13] [14]
India | payment system data [15]
Indonesia | public services companies must maintain data centers in country [4]
Kazakhstan | servers running on the country domain (.kz) [3]
Nigeria | all government data [3] [4]
Russia | all personal data [3] [4] [16]
Rwanda | all personal data, unless authorized by the supervisory authority [17]
South Korea | geospatial and map data [3] [4]
Spain | electoral roll, municipal census, fiscal data and data from the National Health System must be processed within the European Union [18]
Vietnam | service providers' usage data [3] [4]

National security

Most nations restrict foreign transfer of information that they consider related to national security, such as military technology.


Related Research Articles

Consumer privacy is information privacy as it relates to the consumers of products and services.

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

Data Protection Directive: EU directive on the processing of personal data

The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law.

The right to privacy is an element of various legal traditions that intends to restrain governmental and private actions that threaten the privacy of individuals. Over 150 national constitutions mention the right to privacy. On 10 December 1948, the United Nations General Assembly adopted the Universal Declaration of Human Rights (UDHR), originally written to guarantee individual rights of everyone everywhere; while right to privacy does not appear in the document, many interpret this through Article 12, which states: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Mass surveillance: Intricate surveillance of an entire or a substantial fraction of a population

Mass surveillance is the intricate surveillance of an entire or a substantial fraction of a population in order to monitor that group of citizens. The surveillance is often carried out by local and federal governments or governmental organizations, such as the NSA, but it may also be carried out by corporations. Depending on each nation's laws and judicial systems, the legality of and the permission required to engage in mass surveillance varies. It is the single most indicative distinguishing trait of totalitarian regimes. It is also often distinguished from targeted surveillance.

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using their data. This usually includes the right to get details on which data is stored and for what purpose, and to request its deletion when the purpose no longer applies.

Privacy law is the body of law that deals with the regulating, storing, and using of personally identifiable information, personal healthcare information, and financial information of individuals, which can be collected by governments, public or private organisations, or other individuals. It also applies in the commercial sector to things like trade secrets and the liability that directors, officers, and employees have when handling sensitive information.

Information sensitivity is the control of access to information or knowledge that might result in loss of an advantage or level of security if disclosed to others.

Information technology law (IT law) or information, communication and technology law (ICT law) (also called cyberlaw) concerns the juridical regulation of information technology, its possibilities and the consequences of its use, including computing, software coding, artificial intelligence, the internet and virtual worlds. The ICT field of law comprises elements of various branches of law, originating under various acts or statutes of parliaments, the common and continental law and international law. Some important areas it covers are information and data, communication, and information technology, both software and hardware and technical communications technology, including coding and protocols.

Axel Voss: German lawyer and politician

Axel Voss is a German lawyer and politician of the Christian Democratic Union of Germany who has been serving as a Member of the European Parliament since 2009 and became coordinator of the European People's Party group in the Committee on Legal Affairs in 2017. His parliamentary work focuses on digital and legal topics.

General Data Protection Regulation: EU regulation on the processing of personal data

The General Data Protection Regulation is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

Network sovereignty: Effort to create boundaries on a network

In internet governance, network sovereignty, also called digital sovereignty or cyber sovereignty, is the effort of a governing entity, such as a state, to create boundaries on a network and then exert a form of control, often in the form of law enforcement over such boundaries.

The right to be forgotten (RTBF) is the right to have private information about a person be removed from Internet searches and other directories under some circumstances. The concept has been discussed and put into practice in several jurisdictions, including Argentina, the European Union (EU), and the Philippines. The issue has arisen from desires of individuals to "determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past".

Technological sovereignty is a political outlook where information and communications infrastructure and technology is aligned to the laws, needs and interests of the country in which users are located; data sovereignty or information sovereignty sometimes overlaps with technological sovereignty, since their distinctions are not clear, and also refer to subjective information about the laws of the country in which the data subject is a citizen, or the information is stored or flows through, whatever its form, including when it has been converted and stored in binary digital form.

The Data Act is the world's first national data protection law and was enacted in Sweden on 11 May 1973. It went into effect on 1 July 1974 and required licenses by the Swedish Data Protection Authority for information systems handling personal data.

Data sovereignty is the idea that data are subject to the laws and governance structures of the nation where they are collected. The concept of data sovereignty is closely linked with data security, cloud computing, network sovereignty and technological sovereignty. Unlike technological sovereignty, which is vaguely defined and can be used as an umbrella term in policymaking, data sovereignty is specifically concerned with questions surrounding the data itself. Data sovereignty as the idea that data is subject to the laws and governance structures within one nation is usually discussed in one of two ways: in relation to Indigenous groups and Indigenous autonomy from post-colonial states, or in relation to transnational data flow. The latter case is dealt with extensively in a new anthology. With the rise of cloud computing, many countries have passed various laws around the control and storage of data, which all reflect measures of data sovereignty. More than 100 countries have some sort of data sovereignty laws in place. With self-sovereign identity (SSI) the individual identity holders can fully create and control their credentials, although a nation can still issue a digital identity in that paradigm.

Cybersecurity Law of the People's Republic of China: Law of China

The Cybersecurity Law of the People's Republic of China, commonly referred to as the Chinese Cybersecurity Law, was enacted by the National People's Congress with the aim of increasing data protection, data localization, and cybersecurity ostensibly in the interest of national security. The law is part of a wider series of laws passed by the Chinese government in an effort to strengthen national security legislation. Examples since 2014 have included a Law on National Intelligence, the National Security of the People's Republic of China and laws on counter-terrorism and foreign NGO management, all passed within successive short timeframes of each other.

Personal Information Protection Law of the People's Republic of China: Chinese personal information rights law

The Personal Information Protection Law of the People's Republic of China, referred to as the Personal Information Protection Law or "PIPL", is a law protecting personal information rights and interests, standardizing personal information handling activities, and promoting the rational use of personal information. It also addresses the transfer of personal data outside of China.

References

  1. "Data Localization Laws: an Emerging Global Trend". Jurist. January 6, 2017.
  2. Castro, Daniel; McQuinn, Alan (February 24, 2015). Cross-Border Data Flows Enable Growth in All Industries (Report). Information Technology & Innovation Foundation.
  3. Chander, Anupam (2015). "Data Nationalism". Emory Law Journal. Emory Law. 64 (3): 677.
  4. "A Primer on Russia's New Data Localization Law". Proskauer. August 27, 2015.
  5. "Risky Business: Data Localization". Forbes. February 19, 2015.
  6. "Silicon Valley tech execs: Surveillance threatens digital economy". Palo Alto Online. October 9, 2014.
  7. "Google Pushes Back Against Data Localization". The New York Times. January 24, 2014.
  8. "Will Data Localization Kill the Internet?". eCommerce Times. February 10, 2014.
  9. "Ansip promises EU rules on data flows by autumn". Euractiv. October 5, 2017.
  10. "European Commission eyes an end to data localization in EU". IAPP. January 12, 2017.
  11. "Trans-Pacific Partnership will ban data localization laws". Fed Scoop. October 5, 2015.
  12. Liu, Jinhe (January 2, 2020). "China's data localization". Chinese Journal of Communication. 13 (1): 84–103. doi:10.1080/17544750.2019.1649289. ISSN 1754-4750.
  13. "Data Residency Requirements Creeping into German Law". Bloomberg Law. April 11, 2016.
  14. "German data storage laws 'threaten free trade'". DW. December 1, 2017.
  15. "Reserve Bank of India - Notifications". April 6, 2018.
  16. "Russia – New data localisation law: Current state of play". December 8, 2014.
  17. RISA. "LAW Nº 058/2021 OF 13/10/2021 RELATING TO THE PROTECTION OF PERSONAL DATA AND PRIVACY" (PDF). Archived from the original (PDF) on March 9, 2022.
  18. Law 40/2015, of the Legal System for the Public Sector. Article 46 bis. "BOE.es - BOE-A-2015-10566 Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público". www.boe.es (in Spanish). Retrieved December 9, 2021.