Washington Lawyer - December 2017 - 37
GLOBAL & DOMESTIC OUTLOOK
Citing privacy and cybersecurity
concerns, countries around the
world have been enacting data
localization laws that restrict the
free flow of information across
borders. According to the nonpartisan Information Technology
& Innovation Foundation, at least
34 countries have imposed
barriers on data flows that come
in many forms, from blanket
bans on data transfers to sectorspecific policies.
A leader in data localization, Russian
law requires companies collecting
personal information about Russian
citizens to store the personal data on
servers in Russia for six months. The
law also requires domestic and foreign
companies collecting and processing
data or transferring it overseas to
formally register with the state, with
Personal information and important
data, such as financial, health care, and
credit information, that is collected and
generated by critical infrastructure operators in the People's Republic of China
must be stored in China. If data must be
shifted from in-country data centers,
Chinese officials will conduct a security
assessment before authorizing transfers.
Indonesia mandates that all companies
providing direct Internet service to
consumers must ensure various forms
of data are processed and stored in data
centers physically located within its
borders. The law ensures that data is
subject to local laws and enforcement.
South Africa's 2013 comprehensive
privacy law has no provision requiring
private or public organizations to
process or store data within its borders.
Cross-border transfers of data are forbidden unless the level of privacy protections in the data-receiving country
is equivalent to those in South Africa.
As Turkey nationalizes its information
infrastructure, it is offering incentives for
private companies to build data centers
there. The legal priority is on keeping
online data within the country, including
data from social media giants Facebook,
Twitter, and Instagram, prompting more
Western companies to construct data
centers in Turkey and abide by Turkish
data and privacy regulations.
To promote local online content development, Nigeria explicitly requires that
information and communications technology providers host consumer- and
government-generated data in Nigerian
data centers. The mandate means that
all operators must comply with Nigerian
physical and digital data center
Data center operators in the United
States face a myriad of regulations that
apply to the digital and physical sides of
operations, from securing the privacy of
medical information to environmental
regulations covering power systems. But
the U.S. does not have a data localization requirement and it has fought such
a mandate in other countries.
Sarah Kellogg is a regular contributor to
The European Union has created a de
facto data localization regime as part of
an effort to safeguard consumer privacy.
Recent EU regulations require that
personal and commercial data be stored
within the EU, although the law allows
for the free transfer of data between
nations, under certain circumstances.
For companies to legally do business in
the EU, they must meet all standards for
data collection, transfer, and disclosure.