Data Localisation Rules: International Overview

1. Introduction

Data localisation refers to laws or regulations that require organisations to store, process, or manage certain categories of data within a country’s borders. These rules aim to:

Protect national security and critical infrastructure

Safeguard personal and sensitive data

Ensure government access for regulatory or investigative purposes

Promote domestic data infrastructure and technology markets

Data localisation is increasingly a global phenomenon, affecting cloud computing, cross-border data transfers, financial services, healthcare, and e-commerce. Failure to comply can result in regulatory penalties, litigation, and restrictions on international business operations.

2. Key Drivers of Data Localisation

Privacy and Data Protection

Laws like GDPR restrict cross-border transfers unless appropriate safeguards exist.

Countries may mandate local storage for sensitive personal data to ensure legal jurisdiction over enforcement.

National Security and Law Enforcement

Governments require local storage to monitor or investigate data related to national security, anti-money laundering, or cybersecurity threats.

Economic and Technological Development

Encourages domestic data center investments and cloud service markets.

Consumer Trust

Local storage is perceived to offer better protection against foreign surveillance or misuse of personal data.

3. International Approaches

(a) European Union

General Data Protection Regulation (GDPR):

Does not mandate strict localisation, but requires appropriate safeguards for cross-border transfers of personal data (e.g., Standard Contractual Clauses, Binding Corporate Rules).

The Schrems II judgment (2020) invalidated the EU-US Privacy Shield framework, emphasising that data transferred outside the EU must receive local oversight or an equivalent level of protection.

(b) United States

The US generally does not impose mandatory localisation.

Sectoral laws such as HIPAA and financial regulations require that certain sensitive data be adequately protected, but storage location is flexible.

Government authorities can access data stored abroad under certain conditions (e.g., Microsoft Ireland Case, 2016).

(c) India

India’s Digital Personal Data Protection Act, 2023 and RBI guidelines impose localisation for financial and critical personal data.

Some categories of personal data must be stored and processed in India, while critical personal data requires exclusive local storage.

(d) China

China’s Cybersecurity Law (2017) mandates localisation for “critical information infrastructure” operators.

Personal information and important data collected in China must be stored locally.

(e) Russia

Russian Federal Law No. 242-FZ requires that personal data of Russian citizens be stored and processed on servers physically located in Russia.

(f) Brazil

Brazil’s General Data Protection Law (LGPD) allows cross-border transfers only if the receiving country provides adequate protection or contractual safeguards.

There is no strict localisation mandate, but regulatory authorities recommend local backups for sensitive personal data.

4. Legal Considerations for Compliance

Cross-Border Data Transfer Rules

Organisations must map their data flows (what data is collected, where it is stored and processed, and to whom it is transferred) in order to comply with localisation and transfer restrictions.

Data Classification

Laws often distinguish between sensitive, critical, and general data, and apply different storage and transfer requirements to each category.

Contractual Obligations with Hosting Providers

Data hosting agreements must include localisation compliance clauses.

Audit and Monitoring

Regulators may require evidence of local storage and secure handling.

Penalties for Non-Compliance

Non-compliance can result in fines, operational restrictions, and legal liabilities.

5. Key Judicial and Regulatory Cases

1. Schrems II – Data Protection Commissioner v. Facebook Ireland (2020)

EU Court of Justice invalidated the EU-US Privacy Shield.

Emphasized that transferring EU personal data to the US without adequate protection violated GDPR.

Outcome: companies must ensure an equivalent level of protection for transferred data, which points towards localisation or strong contractual safeguards.

2. Microsoft Corp. v. United States (“Microsoft Ireland Case”, 2016)

US authorities sought access to emails stored in Ireland.

Case highlighted jurisdictional limits on cross-border data access and underscored the need for companies to consider localisation for sensitive data.

3. Google Spain SL v. Agencia Española de Protección de Datos (2014)

Recognised the “Right to be Forgotten,” under which individuals can require search engines to remove links to certain personal data from search results.

Although not directly about localisation, it emphasized the importance of jurisdictional compliance when storing or processing data internationally.

4. RBI Guidelines on Data Localisation (India, 2018)

Indian courts upheld the Reserve Bank of India’s requirement for all payment system data to be stored in India.

Banks and payment processors must maintain local storage and disaster recovery systems.

5. China Cybersecurity Law Enforcement Cases (2017-2020)

Several enforcement actions required multinational tech companies to store critical data locally.

Companies failing to comply faced fines, access restrictions, or operational blocks in China.

6. Russian Federal Service for Supervision of Communications (Roskomnadzor) Enforcement Cases (2015-2021)

Companies like LinkedIn faced sanctions for failing to store Russian citizens’ data locally.

Outcome: demonstrated that localisation rules are strictly enforced, with operational consequences for non-compliant companies.

6. Emerging Trends

Growing Tension between Globalisation and Localisation

Multinational companies must balance the efficiency of centralised cloud operations against local regulatory mandates.

Sector-Specific Localisation

Financial services, healthcare, telecoms, and critical infrastructure are increasingly subject to stricter localisation requirements.

Hybrid Models

Some regulators allow cross-border transfers if local copies of critical data are maintained.

Integration with Cybersecurity and Cloud Contracts

Data hosting agreements (DHAs) and cloud service agreements increasingly include localisation clauses to manage risk.

Regulatory Enforcement Growth

Regulators are more aggressively auditing compliance, issuing fines, and enforcing penalties for non-compliance.

7. Conclusion

Data localisation rules reflect a growing global trend toward national data sovereignty, privacy protection, and cybersecurity assurance. Organisations operating internationally must:

Map data flows and classify data by regulatory requirements

Review cloud and hosting agreements for localisation compliance

Implement audit and monitoring controls to demonstrate adherence

Understand enforcement risks, including fines, litigation, and operational restrictions

Key judicial and regulatory cases highlight the importance of localisation for privacy compliance, regulatory access, and cross-border risk management, making it an essential consideration in corporate governance and global IT strategy.