The combined forces of globalization and technology have enabled an expansion of international business opportunities the likes of which have never been seen before. It is now easier than ever for companies large and small to achieve a global reach: large multinational companies station employees all over the world, while a single enterprising app developer can reach users in far-flung places due in large part to the increasing prevalence of smartphones in all but the most remote areas of the planet.
However, some national governments are attempting to exert control over the increasingly porous technological barriers between countries. Over the past few years, multiple countries have enacted data localization laws, which are intended to keep citizens’ personal data in-country and subject to local regulation. The implications — as well as the logistical headaches — can be enormous, as many companies previously have developed business models that require them to collect personal data from citizens of a particular country, but to process that data in another part of the world. For example, a company may collect personal data from customers in Germany in order to offer a service or product to those individuals, but may then choose to transfer that data to India for the processing required to fulfill its obligations to its customers. Although at first glance this wave of data localization laws may be viewed as national governments’ futile attempts to assert sovereignty over a borderless medium, the reality on the ground suggests the opposite. Most importantly for companies operating internationally, as data localization laws are gaining momentum the world over, they are being enforced by local authorities.
Many data localization laws are fairly narrow in terms of scope. For example, Nigeria requires government data to be hosted within its borders. Vietnam requires Internet service providers to keep a copy of their data within Vietnam for possible government inspection. Australia’s Personally Controlled Electronic Health Records Act prohibits the transfer of health data out of Australia in some situations. Although not explicitly characterized as a data localization law, the European Union’s Data Protection Directive — and its successor, the General Data Protection Regulation — may be viewed as encouraging data localization, as some data controllers may choose to store and process data within the EU in order to avoid the Directive’s strict requirements for transferring personal data to non-EU countries.
However, there is an emerging trend of newer, more comprehensive data localization laws with a global reach. One of the most high-profile data localization laws came into force in Russia in September of 2015. That law attracted attention because of its truly comprehensive scope, as it requires that any personal data collected from Russians must be stored and processed on servers located within Russia. Moreover, it applies with equal force to companies based outside of Russia, meaning that foreign companies must comply or risk incurring significant penalties for violating the law, which include the blockage of an offender’s website within Russia. And it’s clear that the law is not just all bark and no bite: Russia’s communications authority, the Roskomnadzor, has demonstrated its willingness to enforce the law and recently has succeeded in blocking websites belonging to US-based companies that have violated its provisions.
Other countries have enacted their own data localization laws, or broader laws with data localization components. One example of the latter is China's new cybersecurity law, which goes into effect in June 2017. It requires “critical information infrastructure operators” — which could be interpreted to include companies in many sectors, including telecommunications, information services and finance — to store certain personal and business information in China. Foreign companies subject to the law would have to apply for government permission before transferring data out of China, although the law’s ambiguous wording makes it unclear precisely which companies would be required to comply with the localization provisions. Naturally, this leaves many organizations wondering whether they should devote the time and resources required to try to understand and comply with the law, risk noncompliance and its associated penalties, or change their business models to avoid collecting data in China altogether — all unenviable positions for any organization looking to make inroads in the coveted Chinese market.
Despite the possibly negative effects on businesses, data localization laws do carry some advantages for the countries that enact them, at least in theory. A law requiring data to be stored on servers in-country could help persuade a company to open an office (or at least rent servers) in a nation, which in turn could result in more local investment and perhaps more jobs for residents. Furthermore, countries’ privacy laws generally are not enacted in a vacuum; often, they reflect certain nationally-ingrained concerns about the use and abuse of personal data. For example, it has been theorized that European countries tend to have more stringent data protection laws due to a deep suspicion of possible personal data misuse born out of the World War II era, when fascist governments collected individuals’ personal information in order to pursue those people and send them to camps. Data localization laws therefore allow countries to assert their own national and cultural priorities over the use of citizens’ personal information, especially where there exists a concern that these values would evaporate if the data were transferred to another country. Of course, by the same token, forcing companies to keep personal data stored in-country may make it legally (or perhaps simply logistically) easier for governments to access their own citizens’ personal information. Additionally, some countries have enacted data localization requirements to address what they argue are cybersecurity concerns. The Chinese government, for example, has argued that the data localization provisions in its new cybersecurity law help support the law’s mission of enhancing the country’s data security.
Regardless of any perceived benefits, however, the fact remains that data localization laws are a formidable barrier to companies seeking to expand their international presence, whether through opening new offices abroad or reaching out to customers in foreign markets. Small companies have a particularly difficult time grappling with these laws, as they often lack the personnel, financial and legal resources to develop compliance strategies. Nevertheless, these types of laws may not make exceptions for small or otherwise under-resourced organizations, and entities like startups, app developers and nonprofits may struggle to open their doors in such markets. Expect the struggle between business and national interests to continue if the data localization trend continues to strengthen in the years ahead.
Courtney Bowman is a litigation associate with Proskauer in their Los Angeles office and a member of Proskauer’s Privacy and Cybersecurity practice group. She is a certified information privacy professional (CIPP) in both the U.S. private sector (CIPP/US) and Europe (CIPP/E) and assists clients in a wide variety of industries with issues related to international privacy law.
Suggested citation: Courtney Bowman, Data Localization Laws: an Emerging Global Trend, JURIST - Hotline, Jan. 6, 2017, http://jurist.org/hotline/2017/01/data-localization-laws-an-emerging-global-trend.php.
This article was prepared for publication by Derek Luke, an Assistant Editor for JURIST Commentary. Please direct any questions or comments to him at