Data localization laws are essentially laws that require data to be processed within a particular territory. For example, storing locally – either in a particular country or in a local computing environment rather than in the cloud. There are a growing number of data localization laws and the trend is alarming in that it can create some onerous obligations on organisations that results in significant costs. For example, if the law requires a multinational company to host data about Russian citizens on a server in Russia, it can mean creating a new data centre in Russia. China’s Cybersecurity Law requires critical information infrastructure operators to store data they gather or produce, within China’s borders.

Sometimes, it is not a legal requirements, but rather a contractual requirement. For example, a public body may put out a tender with the condition that the solution be hosted locally in their offices.

What countries have Data Localization Laws?

Russia is the country that most people refer to first. But there are many other countries. We can provide you with a full list of countries that have data localization laws or the data localization laws for a specific country.

Know what data localization laws apply to you

What is the position in South Africa?

South Africa does not have any specific data localization laws. There is no specific provision that states that public bodies have to process data within South Africa only. The Cabinet Policy called MISS (Minimum Information Security Standard) does perhaps have an impact. However, data localization is included in some contracts.

POPI is not a data localization law

Some possibly relevant provisions:

  • Electronic Communications and Transactions Act 25 of 2002 (ECT Act)
    • s31(1) restricts the disclosure of information in cryptography registers to only the “employees of the department responsible for keeping the register.”
    • s55(1)(b) states that the Minister may prescribe minimum standards or prohibitions in respect of access to, transfer and control of critical databases.
  • Intelligence Services Act 65 of 2002 – s10(4)(a) states that the Director-General must take steps as far as reasonably practicable, to ensure “national security intelligence, intelligence collection methods, sources of information and the identity of members of the Intelligence Services or the Academy, as the case may be, are protected from unauthorised disclosure.”

Is it the same as Data Sovereignty?

No, it is a different concept. Data sovereignty refers to the situation where because data is hosted in a particular country, the laws of that country apply to the data. It is the ability of a country to impose their laws on data.

Data localization laws is also a related but different issue to transborder information flows.