Businesses operating in multiple national jurisdictions must take into account data residency requirements. Unfortunately, some countries find the concept of a “national cloud”—operated by local companies and subject only to local laws—highly attractive, so data residency laws are on the rise. Should the trend spread, it portends a future in which companies will have to maintain, or use a cloud provider that maintains, a data center in nearly every nation on earth.
Where Does Data Localization Apply?
Dozens of countries have enacted data localization/residency rules. They include China, Israel, Switzerland, Turkey, Belgium, Brazil, South Korea, South Africa, Argentina, Mexico, Uruguay, India, Malaysia, and Singapore.
Not all are equally stringent, however. Canada, France, and Germany are known for the strictness of their data residency rules. Australia specifically requires health data to be stored in-country, and the U.S. demands that federal government data be housed domestically.
The ITIF has posted information about country-specific data requirements. This is a great service to the IT industry and one hopes they will maintain such a resource going forward.
How are Companies Complying?
With data localization laws cropping up all the time, enterprises must find ways to adapt. More and more companies are looking to vendors to stay up to date on the rapidly changing compliance landscape for physical storage and data transmission outside national borders.
It's important to note that companies are not exempt from financial penalty or prosecution if they use cloud providers claiming to be compliant. Every company must, therefore, exercise due diligence to understand how its cloud partners deal with data localization rules. Businesses should develop processes to screen potential partners and ensure country-specific requirements are reflected in contractual SLAs.
There seems to be no getting around the multiplication of providers, at least in the short term. Few cloud services companies expect to offer physical storage within each country that has, or may soon enact, data residency requirements. This will mean identifying countries where the current network of cloud vendors falls short and selecting additional providers.
At present, the requirements are more onerous for companies operating in certain spheres, such as healthcare, finance, and government. Fortunately, some cloud services providers are developing specialized offerings and expertise in these and other key verticals.
As comforting as it would be to farm out all responsibility to cloud services vendors, enterprises should consider maintaining a reasonable degree of knowledge in house or engaging a specialist law firm to ensure their own data handling practices, as well as those of their cloud partners, don’t overstep any legal lines. Yes, this will cost money and the added complexity across an international data center network will compromise efficiency. But with high fines and market access at stake, increased vigilance is the only safe option today and probably for years to come.
Chris Adams is President and COO of Park Place Technologies. Contact him at firstname.lastname@example.org.