Data residency: at home with regulations around the world

Data residency: at home with regulations around the world

"Everybody thinks we automatically understand every privacy law," Jason Rader told CSO last year, having settled into his new role as senior vice president and CISO at Insight, a Fortune 500 technology service provider with offices in nearly 20 countries across the globe. Nothing could be further from the truth – or from reality for that matter. According to the United Nations Conference on Trade and Development, as of today, 137 out of 194 countries have legislation in place to foster the protection of data and privacy and another 9% are in the process of drafting one.

"China is going to be the biggest market on the planet and they’re probably the most restrictive of anyone I've dealt with," explained the chief information security officer, who’s aided by a team of legal and compliance experts in navigating the global map of data residency laws. "If you're going to do business in a country, you have to observe the laws. You need to prove you're doing everything possible to comply, especially if it's a market that you're making a big investment in." If that market happens to be the US, this also includes state-by-state laws.

But what is data residency? How is it different from data sovereignty and data localization? And how can cloud-enabled businesses stay compliant with local and regional data residency laws and regulations?

Data residency refers to where data can be stored from a geographical standpoint, as defined by a business, government, or industry body. “Organizations that use cloud computing store data in the country where the data originated or beyond its borders. However, when businesses deliver hosted services over the internet, they can create data residency concerns,” TechTarget points out. Cloud providers store data across data centers and geographies, making it imperative – and challenging – for users to keep abreast of local data residency requirements. Especially because cloud computing customers aren’t always aware of their data's physical location.

It’s important to note here that data residency, while closely linked, is not to be confused with data sovereignty or data localization.

Data sovereignty is the idea that digital information is subject to the laws of the country where it physically resides. For example, Techopedia explains, data that sits in a cloud provider's San Francisco data center is governed by the California Consumer Privacy Act of 2018, or CCPA, even if the data source is in Canada. The most stringent of the three, data localization is the practice of keeping data in the country where it’s created, codified in rules on how it can be collected, processed, stored, or transferred within country borders referred to as data localization laws.

Data residency compliance requirements across borders and industries

As we’ve already pointed out, data protection provisions imposed by countries and even specific sectors have been on a steady rise for years. In 2018, the EU’s General Data Protection Regulation (GDPR) famously set the tone for a whole new generation of similar regulations that swiftly followed. Let’s take a closer look at some of these milestone privacy laws and what they mean for data residency compliance.

First things first: GDPR data residency requirements only regulate the processing of EU residents’ personal data without any specific data localization requirements. However, when personal data is transferred outside the European Union, the protection offered by the GDPR should travel with the data. Meaning that the country where the data is transferred to must have similar safeguards to ensure privacy protection.

That said, on July 16, 2020 the Court of Justice of the European Union decided that the EU-US Privacy Shield Framework was no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This could point to increasing data localization efforts. Plus, TechCrunch reports, European public sector bodies’ use of cloud services is also under coordinated scrutiny zeroing in on concern over international data transfers. Of course, the EU and US recently announced a political agreement to create a new data sharing framework. However, when that deal is reached, and how it holds up in the courts means that uncertainty could linger for another few years.

China’s answer to GDPR came into effect in November 2021, marking yet another step towards global standardization in consumer privacy rights. According to Fortune, by 2023, the Personal Information Protection Law, or PIPL, will provide 5 billion individuals with transparency and control over their personal data. At the same time, the transfer of identifiable data from China to other countries will remain a challenge, with data anonymization and aggregation giving businesses some room for centralized processing.

The Brazilian Senate approved Lei Geral de Proteção de Dados, LGPD for short, on April 3, 2020. Clearly inspired by its European counterpart, Brazil’s new data protection law extends its scope beyond the country to protect as much Brazil-related personal data as possible. The LGPD’s data transfer regime, like the GDPR’s, is built on the idea that personal data must remain within the country’s borders unless certain circumstances exist, which closely resemble those set forth by the GDPR, IAPP explains.

In the US, California was the first state to implement a broad, and probably the strictest, regulation of individual privacy rights. The CCPA, short for California Consumer Privacy Act, came into force in 2020, granting Californians similar rights as the GDPR, including the right to know whether their personal data is being collected and sold, or to ask for access to or deletion of their data. Unlike GDPR, however, it doesn't restrict cross-border data transfers and allows consumers to bring a civil action if their non-encrypted personal data is compromised.

The UK implementation of the General Data Protection Regulation, the Data Protection Act 2018 controls how UK residents’ personal information can be used by organizations, businesses, and the government. Accordingly, it mostly restricts transfers of personal data to entities outside of the UK, unless the rights of the individuals in respect of their personal data are protected in another way, explains the Information Commissioner’s Office. Transferring UK legal documents to the US, for example, may count as violation of attorney-client privilege.

This, of course, is only the tip of the iceberg. “Seeing data as a desirable currency and a tool in wielding economic and political power, dozens of countries, including China, Russia, Germany, Turkey, Belgium, Brazil and South Korea, have enacted data-must-stay laws in recent years with varying degrees of severity,” reports USA Today. Thirty-six, to be exact, according to the Information Technology and Innovation Foundation, adding Israel, Switzerland, South Africa, Argentina, Mexico, Uruguay, India, Malaysia, and Singapore to the list, along with many others.

When it comes to data residency restrictions, government-issued regulations are only half the story. Industry-specific regulations, such as the US’s HIPAA health data law and the PCI DSS, regulating businesses who collect and process cardholder data, both have data residency implications. In the same fashion, as detailed in ITIF’s summary of data residency requirements by country, Australia’s Personally Controlled Electronic Health Records Act prohibits the transfer of personal health records outside the country.

The French and the German governments are staunch supporters of digital protectionism, with the former promoting the use of a local data center called “le cloud souverain,” and the latter a “Bundescloud”, for storing government-generated data. New Zealand’s Internal Revenue Act requires businesses to store business records in-country, while in Romania, a 2015 online gambling law stipulates that all data on players and their gambling activities must be stored in the same way.

How can businesses mitigate data residency risks?

Setting up dedicated servers inside countries with data-must-stay regulations is one approach, but far from an ideal one. Rader says: "It's super expensive and you need on-prem resources, human resources. I don't think anybody starting off fresh is trying to approach it that way unless there's some giant restriction associated with it." On top of all that, the traditional “full-stack control” model has little-to-no impact on data security.

Amazon Web Services cites an example of a high-profile breach of a US government agency affecting more than 20 million federal employees that took place in an on-premises environment because of compromised user credentials. “Any system architecture lacking the appropriate security protections presents a credible attack vector, without regard for the physical location of the infrastructure or system,” the white paper concludes.

Here’s how Tresorit can help you tick all data residency boxes

Tresorit’s data residency options help companies satisfy both data residency and localization requirements, be they company-, industry- or government-imposed. Organizations with offices around the globe can keep their data in multiple countries, while maintaining frictionless collaboration between teams. Folders and users can be assigned to data centers, guaranteeing that they will only be able to keep their data where they are supposed to.

Tresorit stores data in a fully encrypted format on Microsoft Azure data centers and provides data residency options in the East and West US, UK, Canada, Germany, Switzerland, France, Singapore, the Netherlands, Dubai, and Brazil. Plus, the zero-knowledge protocol ensures that your password, or any files for that matter, never leaves your device, so neither Tresorit nor any unauthorized parties can access and make sense of your files.

Data residency options are included in the Enterprise plan and available for Business customers as an add-on.