The Rise of ‘Data Residency’ Regulations
Park Place Technologies
Increasingly, nation-states want oversight of their citizens’ data
An emerging trend among nation-states is requiring data on citizens be stored in their own country. Commonly referred to as data residency or data localization regulations, these rules are becoming a major challenge to IT operations for a variety of companies doing business across borders.
A Recent Showdown between LinkedIn and Russia
Under the concept of data sovereignty, digital data is subject to the laws or legal jurisdiction of the country where it is stored. Increasingly, nation-states want oversight of their citizens’ data. Moreover, in the post-Snowden era, many governments are especially interested in guaranteeing that any snooping that is going on is done themselves, not by allies or adversaries.
It may come as no surprise that Russia is one of the countries exerting the strictest data controls. In fact, the country’s data localization rules were center to LinkedIns recent decision to abandon the Russia market.
A 2015 law now requires information on Russians to be maintained on servers in Russia, and after some reprieve, enforcement is rolling. The government claims the new law protects citizens’ privacy, but critics argue the real goal is to facilitate Russia’s tracking of residents’ activities and opinions. No matter the intent of the rule, LinkedIn decided to opt out.
From the consumer side, a VPN appearing to be in Russia will allow residents to access LinkedIn, should they see an advantage in doing so. Otherwise the 6 million local users will be cut off from this employment-focused social media service.
It’s not the first time LinkedIn has had to confront international regulatory issues. To enter China, the company launched a separate site and caved to censorship demands. About a year ago, Facebook made similar compromises to gain access to billions of consumers there, creating a censorship tool to try to break through the Great Firewall as well.
As far as Russia is concerned, Apple and Google have yielded to data residency demands. It has also been reported that SAP, Samsung, Lenovo, and IBM are among the many tech companies, online retailers, payment systems, and other enterprises in compliance or in the process of transferring data. On the other side, Facebook, perhaps due to the public embarrassment over its decisions in China, has joined Twitter in holding out, at least for now.
An Expanding Challenge
It would be one thing if Russia and China were alone in enacting data residency rules, but dozens of countries on six continents have their own requirements. Some affect all data while others cover only specific types, such as health or genetic information.
Overall, the trend is toward more, not less, government intervention and rule-making. IT pros are now envisioning a future in which companies must segment out and store, process, and transfer data differently based on the national origin of the individual. This may soon create expensive and difficult logistical demands and could lead to changes in some enterprises business models.
To help readers get a handle on what’s coming, we’ll be discussing the status of data localization regulations in forthcoming blogs.
Chris Adams is President and COO of Park Place Technologies. Contact him at firstname.lastname@example.org.