Have you heard about data residency?
If you haven’t, it’s a concept that determines where an organization stores your data. Some nations have strict data protection laws, while others have implemented only minor measures.
As you don’t want your data to fall into the wrong hands, the location of your personal information is crucial.
In this article, we will discuss what data residency means and how it differs from data localization and data sovereignty. We’ll also explore the measures different nations use.
What Does Data Residency Mean?
Data residency is where an organization – government body, industrial body, or business – specifies the geographical location of their choice for where they store their data.
There are various reasons why an organization would do this:
- Tax benefits. In this case, a nation’s government may offer a beneficial tax environment for a business. However, in exchange, the company would ensure that a significant part of its operations stays within the country’s borders. As data storage is an important component of business operations, it may choose to host its data in the country.
- The business could also include data residency in its company policy to make it transparent for its customers where their data is stored.
- The company may also choose to host its data in a specific country due to financial (e.g., it’s cheaper to set up a data center or use a local data service provider’s services) or regulatory (e.g., the government has beneficial data protection laws) reasons.
Data Residency vs. Data Localization vs. Data Sovereignty
Have you heard of data localization and data sovereignty?
These terms are often used interchangeably, and data residency in particular is frequently used in the wrong way.
While data residency, data localization, and data sovereignty are closely related, they refer to concepts with different meanings, which could create some confusion amongst both consumers and businesses.
Let’s clear up the confusion.
The first and least restrictive concept is data residency, where a government body, industrial body, or business simply specifies the geographical location where it stores its data.
As illustrated in the last section’s examples, with data residency, the organization has a choice as to where it wishes to store its data.
On the other hand, data sovereignty is a more restrictive concept. It represents the idea that data is subject to the nation’s laws where it is collected, processed, and stored.
Therefore, businesses have to comply with local data protection laws to avoid getting fined by the government.
Data localization is the most restrictive concept of the three.
While data residency gives organizations a choice to specify the geographical location where their data is stored, data localization refers to keeping the data of businesses within the borders of a country.
The concept almost always refers to the storage and creation of the data, and some nations that have implemented data localization laws require organizations only to keep a copy of the data within the country.
If there’s a valid reason, such data localization laws allow the government to audit its citizens’ data without requiring the nation’s authorities to interact with other governments.
On the other hand, some nations have implemented very restrictive data localization laws, prohibiting the data from crossing the country’s borders.
For example, Russia’s On Personal Data Law (OPD-Law) requires organizations to store, retrieve, and update data exclusively in data centers within the nation’s borders.
While stating that their goal is to protect their citizens’ data, these nations often implement strict data localization measures to secure a market advantage for local data centers, in line with their data protectionism goals.
By doing so, such laws restrict the international flow of data. Therefore, critics argue that they prevent organizations from realizing the full potential of their data while contributing to “digital factionalism” and the “splinternet.”
Data Residency and the GDPR
The General Data Protection Regulation (GDPR) is among the world’s most popular data privacy laws.
As per the GDPR, companies that interact with the personal information of European Union citizens – both within and outside the EU – have to comply with strict data privacy laws.
While EU authorities can impose fines of up to 20 million EUR or 4% of a business’s total global turnover as a penalty for non-compliance, the GDPR itself contains no data residency requirements.
Therefore, as far as EU data residency is concerned, organizations are free to choose where they host the data of European Union citizens.
However, businesses still have to comply with the EU’s (mostly data sovereignty-related) laws that require companies to fulfill specific requirements when transferring data outside of the European Union.
For example, a business may transfer data to a third country only if that nation has data safeguards adequate by EU standards or the company has another valid legal basis.
As of today, the EU has issued 13 adequacy decisions.
This means that European Union authorities (at least partially) consider these nations to have satisfactory data safeguards, allowing companies to transfer the personal information of EU citizens to these locations.
Data Residency Requirements by Country
According to the Personally Controlled Health Records Act of 2012, all personal medical information in Australia has to be stored in local servers.
While the law ensures that foreign governments are unable to access Australian citizens’ personal health records, the Oceanic nation’s data residency law prevents medical service providers, such as IBM Watson Health, from offering solutions to the nation’s citizens and organizations.
In Canada, two provinces (British Columbia and Nova Scotia) require public bodies (e.g. schools, public agencies, hospitals) to store their personal data within the nation’s borders and to ensure that the data can only be accessed from within the country.
China has one of the strictest data residency and localization laws on the globe.
In addition to restricting access to certain websites as part of the Golden Shield Program (also referred to as “the Great Firewall of China”), organizations have to comply with a wide range of data residency measures.
For example, companies offering e-banking services in China have to locate their data servers in the Asian nation. At the same time, Chinese personal financial information can only be analyzed, stored, and processed locally.
Also, the data of internet-based mapping services, as well as medical and health records, have to be kept in China.
Certain companies also have to comply with a cybersecurity law that prohibits personal information and important business data from leaving the country.
In France, data produced by local and national public administrations has to be stored with cloud services located within the country’s borders.
It is also illegal in the European country to move information that is connected to legal proceedings outside of the nation.
Germany has similar views on data residency as France, advocating the idea of national clouds where personal information can be stored locally within its borders.
While data residency laws can vary by state, all organizations within Germany have to store accounting data in the European country.
Furthermore, organizations and individuals liable for taxes in Germany have to keep their accounting records within the country’s borders (with some exceptions).
Similarly to China, Russia has implemented strict data residency and localization laws.
As per the 2015 Personal Data Law, data operators that collect personal information from Russian citizens are required to do all their data-related operations using databases that are physically located in the nation.
In addition to requiring companies to store all telecommunications data in the country for six months, the Russian government could impose a fine or shut down the services of businesses that refuse or fail to comply with the nation’s data residency laws.
Data Residency: An Important Concept Influencing Where Your Data Is Stored
As organizations specify the geographical location to store data, data residency has a great influence on where businesses keep your personal information.
Since data residency laws vary by country – for example, there are strict requirements in China and Russia while minimal regulation in Canada and the EU (GDPR) – it’s important to know where the services you use are storing your data.
If that nation has data sovereignty laws, businesses have to comply with them, which means that the government may access your personal information for any valid reason.
While proper data sovereignty rules can help consumers protect their personal information, strict data localization laws could do more harm than good (e.g., the government can monitor the data easily while restricting the international flow of information).