Data localization laws are essentially laws that require data to be processed within a particular territory or location. For example, storing locally – either in a particular country or in a local computing environment rather than in the cloud. There are a growing number of data localization laws and the trend is alarming in that it can create some onerous obligations for organisations that result in significant costs increases. They can prevent you from using the cloud. Many argue that they are the biggest threat to adopting the cloud.
For example, if the law requires a multinational company to host data about Russian citizens on a server in Russia, it can mean creating a new data centre in Russia. China’s Cybersecurity Law requires critical information infrastructure operators to store data they gather or produce, within China’s borders.
Sometimes, it is not a legal requirements, but rather a contractual requirement. For example, a public body may put out a tender with the condition that the solution be hosted locally in their offices.
What countries have Data Localization Laws?
Russia is the country that most people refer to first. But there are many other countries all over the world, including in Africa. We can provide you with a full list of countries that have data localization laws or those of a specific country.
Know what data localization laws apply to you
Data Localization laws can also apply to specific records
Sometimes the law requires just one specific kind of record to be processed in a particular location.
Is it the same as Data Sovereignty?
No, it is a different concept. You can read more about transborder information flows and data sovereignty in our article dealing with cloud compliance.
Actions you can take
- Know which countries require data or records to be stored locally us to identify the applicable laws. We can provide you with a report on the laws in many countries, including in Africa.
- Find out more about cloud compliance.
- Understand global data protection and how it affects you by asking us or attending our GDPR workshop.