What is Data Residency?

As globalization has come to dominate our economic and consumer worlds, so too has the international flow of data, along with the borders associated with this global digital phenomenon. The rising volume of digital records of individual and corporate activity has made data increasingly important, not simply to cyber hackers out to illegally monetize or exploit all types of data, but to nation states out to protect what they consider to be their own valuable information. This is accompanied by a growing recognition that data serves as a nation's leading-edge innovation advantage. After all, for many companies and industries, what may have started out as business intelligence and customer relationship management now incorporates the most personal of information, everything from private identifiers to biometrics, and with it the power that giant mounds of information provide. For these reasons, there has been an increase in legislation and regulation mandating data residency. Countries are increasingly ordering that their citizens' data live within their borders and that it not leave the country without specific permission. Such laws are usually designed to protect both the data and the interest in using the data from foreign incursion, mishap or unwarranted voyeurism.

Data Residency Laws: Why They’re Important Around the World

In some countries, there are either explicit or implicit requirements to store data within the country’s borders. For example, the European Union has mandatory data residency requirements under the General Data Protection Regulation (GDPR). These apply to all businesses storing or processing personal data of EU citizens, regardless of the country where the business is headquartered.
Under Article 44 of the GDPR, personal data are subject to restrictions on transfer to countries outside the EU. Transfers are prohibited unless an adequate level of data protection is ensured, either by an adequacy decision of the EU Commission or by other instruments (i.e., model clauses, binding corporate rules, and administrative agreements). In practice, this makes it nearly impossible for U.S.-based global companies to provide data transfer services to EU customers in compliance with the GDPR.
In the United States, there are no country-wide mandates requiring data residency. However, certain states and industry regulators may have local data residency requirements. California, for example, has the California Consumer Privacy Act (CCPA), a groundbreaking new privacy law. Under the CCPA, California residents may request information about what personal information businesses collect about them, how that data is used, and with whom that information is shared. It is also expected that the proposed California Privacy Rights Act (CPRA) will be approved by voters in November, which would further shape how data privacy laws are enacted both in California and nationwide.
For China, there are laws in place that dictate how data should be handled, including the Cybersecurity Law of the People's Republic of China (CSL), under which large or critical network operators must store all the data they collect and generate locally, in China. The law, which came into force on June 1, 2017, has been described as "China's Magna Carta of Internet regulation."
More recently, in March 2020, the State Council issued its Opinions on Strengthening Data Protection, a response to the European Union's data protection and privacy regulation, such as the GDPR.

How Data Residency Affects Your Business

For organizations with operations that span the globe and involve vast amounts of data, the impact of data residency laws can be significant. The regulatory, compliance, and political landscape in which your business operates can have a profound effect on the design and location of your IT infrastructure. When third-party processors are brought in to assist with handling sensitive data, businesses must ensure compliance with the data residency requirements of their customers, local laws, and contracting parties. Local laws may enforce territorial restrictions on certain transborder data flows, in addition to any contractual obligations your business may have to its customers. Data residency laws can impact the cost and efficiency of your data management and data processing strategies, and underscore the need for robust security and compliance requirements when the data at issue is a special category of personal data (such as what we see in the EU with "sensitive personal data" and "special categories of personal data," which includes race, health data, and financial information, etc.) or involves national security, such as in the context of outsourcing.
The ability to demonstrate accountability for compliance with data residency laws can also affect your business's reporting obligations to regulators in the event of a data breach. For example, a company may be required to notify individuals located in the EEA because of where those individuals are located, but a company that has only a handful of individuals in the EEA and hundreds of individuals outside it may also need to disclose to regulators (and possibly the public) in the United States.
Along with the challenges posed by data residency laws, there are also opportunities that businesses can leverage. With the increased sensitivity of personal data and national security interests, data residency laws can provide an additional incentive for a global business to take a more localized approach to data management and data processing. For example, the enactment of the GDPR introduced requirements that demand a close look at how a local processor handles personal data transferred from the EEA. This closely resembles the Japanese legislation on the protection of personal information. Additionally, many other countries are looking at adopting data breach laws and establishing centralized agencies to oversee privacy and data management compliance, and this could benefit companies in the long term.
In spite of the challenges, data residency laws can be an opportunity for businesses to embrace data localization in a global environment and to leverage the reputational benefits of full compliance with local laws, avoiding additional costs and staying ahead of the competition by improving their data management and data processing strategies.

How to Comply with Data Residency Requirements

Companies can best understand and meet their data residency and transfer obligations in one of two ways: use risk models to assess the impact of a given data residency regime, or engage with regional/sectoral guidance initiatives to understand common factors.
Risk Models
Europe was a first mover on regulatory controls of cross-border data. An early extension of EU data protection principles was the 1995 EU Directive on Data Protection ("the EU DP Directive"), which applied to any processing of personal data that took place in the EU. The EU DP Directive also regulated cross-border export of personal data, in that it prohibited transfers of personal data from the EU to third countries outside the EEA that did not have adequate data protection. In 1998, the first EU-US Safe Harbor Framework was launched, which allowed for the export of personal data from the EU to the US to a certain set of "Safe Harbor" Privacy Shield certified businesses. However, in practice it has proven difficult to construct a "one size fits all" solution for every country, given that the level of protection accorded to personal data may differ in every jurisdiction. In addition, an assessment of where data physically resides, or of the legal jurisdiction of storage providers (such as Google Drive), may also affect the legal requirements for data processing activities. A variety of self-regulation and/or mutual recognition initiatives have emerged which address cross-border data transfers. These include the API Data Privacy Compliance Framework and the APEC Cross Border Privacy Rules System. The legal requirements for export of confidential and proprietary data vary across the globe. For example, the UK has a list of countries that have a statutory duty to provide adequate protection in connection with the movement of trade secrets. On the other hand, there is no formal list of countries with adequate trade secret protection under EU law. Consequently, the case law and enforcement actions in respect of trade secret protection are still evolving in the EU.
Engage with Regional/Sectoral Initiatives
More recently, the OECD has put together a compliance guide to the "Cross-border Privacy Rules" system. That system is a binding system for organizational accountability for privacy protection, consisting of enforceable principles and binding commitments. On the other hand, APEC has developed a "cross-border privacy rules" system that provides a structure for APEC member economies to ensure data protection when carrying out cross-border data processing activities. Compliance with these rules is voluntary, but member economies make a strong commitment to implement them. Compliance strategies should therefore consider: The above analysis will indicate the preferred storage locations for minimizing risk, taking into account the compliance obligations of the customer's country as well as the company's operations globally. Lastly, companies need to be mindful of other relevant laws that may apply to data flows, for example audit trail and security requirements. All of these will ultimately dictate what data can and cannot be moved to which jurisdictions.

The Future of Data Residency

As we have seen recently, data residency regulation is often a cat and mouse game between legislators and legislators. As new technologies emerge, and current technologies evolve, forces work either for or against the regulation of data residency. Adopting a wait-and-see strategy toward data residency regulation will not be acceptable. Here are some of the most likely future trends to be aware of:
Big Data
Sophisticated application of big data is creating huge amounts of data. Big data analytics are only going to get more advanced and pervasive. Consequently, it doesn't look likely that the ocean of data is going to shrink. Nor does it seem likely that big data will be subject to more limitations (such as how long it can be stored). Rather, data residency regulation seems to be moving in the opposite direction, regulating who has access to what data rather than how much data is held.
The Internet of Things
Gartner predicts that there will be 30 billion connected devices (from wearables like Fitbits, to smart cars and TVs) by the year 2020. That is roughly four connected devices per person on the planet. Not only are there going to be more devices connected, but they will be collecting and transmitting more data. As of January 2017, the GDPR draft specifically applies to connected devices, which are considered personal data under the GDPR despite the fact that they do not directly collect personal data. Future data residency regulation is likely to be more concerned with who owns the data being transmitted from smart devices than with where the data these devices send and receive should be stored.
Technological Development
Technological development has always worked against regulation. For example, when mainframe computers were first used, there was no regulation regarding data security. It was learned on an ad hoc basis that a locked door on the computer room was important, and the risk of data being stolen was raised from "remote" to "not possible," and as computer technology continued to develop, so did regulatory concerns. The story of mainframe security has repeated itself with the development of every new technology we have relied on, and will continue to rely on for the foreseeable future (e.g., cloud computing, big data, artificial intelligence, the internet of things, etc.).
Current case law supports the notion that technology will outpace regulation. In 1985, in U.S. v. New York Telephone Co., 434 U.S. 159 (1977), the Supreme Court allowed law enforcement officials to access stored voice mail messages held by the telephone company without a warrant, simply because they had done so before a certain date in 1979. This has been called the "pre-McCarty trithing," and it means that technology that existed before the passing of new data residency regulation will not automatically be subject to it, because it predates that regulation. This is similarly true in the European Union, where the CJEU continues to find that pre-Directive 95/46/EC data processing remains subject to national laws, not EU regulation. In fact, for the first time, the CJEU found on August 1, 2016, in Nowak v. Data Protection Commissioner, that data processing activity under the pre-GDPR Directive 95/46/EC can be considered subject to the GDPR in a procedure initiated after May 25, 2018.
Therefore, as new technologies become commonplace, data residency regulation will likely be front-of-mind for many. However, current developments are a reminder that whether new technologies affect data residency regulation will depend on how quickly the regulation is implemented, and how quickly data processors adapt to technological changes in the ways the regulation would affect them.

Wrap-up: Making Sense of Data Residency

The demands of data residency inevitably require a balancing act between regulatory compliance and the legitimate operational needs of companies. Navigating the patchwork of industry-specific regulations and country-by-country laws can drive compliance teams to distraction, especially when the countries they operate in have wildly diverging or even contradictory rules. Implementation of policies often becomes an exercise in finding opt-outs and regulatory alternatives, even if only to avoid the costs of opening new data centers or compromising on the technical limits of their systems.
Until late 2018, China's data residency regime was opaque. There were no formal regulations available for review. However, in October 2018, the Cyberspace Administration of China (CAC) released the Regulations on Security Protection for Critical Information Infrastructures, which contains regulations that identify how data can be transferred out of China. Some of the new regulations appear, at first blush, to offer several paths to your competitor's favorite opt-out provision. Notably: (1) that transfer of personal information out of China is presumed to be "reasonable and necessary to provide a service or conduct transactions, but is subject to other restrictions" (e.g., consent); and (2) that cross-border transfer of personal information should also be reasonable and necessary for the purpose of "safeguarding national security and the public interests," but is subject to "security assessments" for "key information infrastructure operators" (those information systems that "directly relate to state security, national economy, and people's livelihoods"). However, certain legal obligations—from obligations concerning cross-border transfer of personal data to definitions of personal data that cast a broad net over what could be deemed Personal Information—can still require a difficult balancing act. Even if this roadshow goes on for some time, there is little doubt that the due diligence and legal analysis that must go into data residency requirements have been raised to a new level.
The fate of GDPR may be very much an open question, but one thing is certain: companies that underestimate the global regulatory response to data residency will do so at their peril. GDPR arguably elevated the issue of data residency into one of the most consequential aspects of current regulatory regimes and the future direction of privacy law. It has laid the foundation for a wealth of privacy norms that will affect not only EU businesses but those of the entire world that do business there or even have an online presence. This year will unquestionably see a flood of laws. As noted above, California's "California Consumer Privacy Act" will take effect in just over one year, and Brazil's "Lei Geral de Proteção de Dados Pessoais" will take effect in August 2020. These laws either expressly cross borders or allow for the transfer of data outside their jurisdictions under certain conditions. Canada's general amendment to its separate laws includes similar provisions, and India's draft bill likely will span very similar ground. Indian regulators explicitly mentioned data localization/separation as something that needs to be addressed. Africa has similar legislation in process. And America's own states are actively in the throes of bills concerning data privacy and residency.
Implementation roadshows aside, the concrete lesson from GDPR is this: take data residency seriously. Laws, regulations and infrastructure supporting them are here to stay. Failure to recognize these changes can only mean more bad headlines in the coming years.
