When do businesses need to store data in their own country?

Increased regulations around data sovereignty mean it’s more important than ever to think about where business information is stored. James Morris explains how to navigate the murky waters of globalised data.

The past two decades have felt like a free-for-all for global data. But now that we understand the dangers involved better, we’ve started to realise that information must be held with a greater focus on privacy, control and security.

This has led to legislation such as Europe’s GDPR and California’s CCPA (California Consumer Privacy Act). Most pertinently to the question about data, these regulations include requirements about keeping personal data within specific geographic locations.

All modern digital businesses involve data, and they deal with people from around the globe, so when does this data need to be stored locally?

The rise of data regulation

“There has been a global surge in the creation of laws focused on data privacy,” says Greg Day, senior vice president and global field CISO at Cybereason. “Businesses now face the challenge of complying with multiple regulations based on the location of individuals and where their data is stored.”

The importance of knowing where data resides has come to the fore in part thanks to the rise in cloud computing and Software as a Service (SaaS). Not only are companies moving away from keeping information on local servers at company offices, but increasing deployment of remote working means that employees need access from anywhere, further accentuating the value of cloud storage.

However, this is not as new as at first it seems. Some countries had data protection laws in place long before GDPR and its ilk.

For example, French national law has protected employee data from being used outside the country for decades. There are similar regulations in place in Russia, China, Germany, Indonesia and even Vietnam, stipulating that data about its citizens must be held on physical servers within the nation’s boundaries.

But these regulations vary in scope, target specific types of data (eg financial transactions, healthcare records), and often leave ambiguities for interpretation. Moreover, international agreements and adequacy decisions, such as the EU-US Privacy Shield, introduce further layers of complexity.

New transnational legislation such as GDPR was designed to significantly clarify, unify, and strengthen controls through standardisation. The GDPR requires that data collected on EU citizens must either be stored in the EU or within a jurisdiction with similar levels of protection. Even if data is being temporarily accessed from another location, that location must still comply with these requirements. So a company that processes EU-resident data will need to comply with the GDPR or risk prosecution.

Data residency versus data sovereignty

Two related terms used in this context are data sovereignty and data residency. They are often used interchangeably but don’t mean quite the same thing.

Data sovereignty is where information is stored in a designated physical location and is subject to the laws of that country (for more on this, read our explainer on what is data sovereignty). This means it is protected by that country’s specific privacy laws.

Data residency, in contrast, is where a company chooses to store its data in a specific location, which could be to enjoy lower taxation in a different country. In other words, data residency is not about where a business needs to store its data, but where it wants to for economic or organisational reasons.

Not all data is created equal, either. The information that needs the greatest geographical protection is personally identifiable information (PII), either about employees or customers. This can include profile data, such as names and addresses. It could be employment details, including historical records. The information could also be financial, such as accounts and payments for products or services. Particularly sensitive will be health records.

Srini Kadiyala, CTO of OvalEdge argues: “When it comes to following data privacy regulations, the law is the law, and it must be observed directly. Still, effective governance can ensure that while data is being used within your organisation, you don’t inadvertently reveal PII or other data that falls within these regulatory boundaries.”

Data that may not be immediately susceptible to sovereignty concerns could be scientific results, product details or specifications.

“These laws do not cover anonymous or aggregated data that doesn’t identify individuals and often don’t cover business data either,” says Ronen Cohen, VP of Strategy at Duality.

However, intellectual property law is likely to apply to business data, and there may be economic reasons to protect the information. A product design could be protected by a patent – but there are countries that do not belong to the Patent Cooperation Treaty, such as Taiwan, Bangladesh and Pakistan.

Weighing up the cost of compliance

Ensuring a company’s data storage is compliant with regulations can have a significant cost, requiring investments in local infrastructure and expertise. Data localisation disrupts established global data processing workflows, potentially impacting efficiency and innovation.

However, while compliance unlocks access to crucial markets and builds trust with local users, particularly in privacy-conscious regions, it may not be essential. “If organisations can turn PII into anonymised data, they can operate with fewer restrictions,” says Cohen. “There are several methods and technologies to accomplish this, the most prominent category of which are ‘Privacy Enhancing Technologies’, or PETs.”

He adds: “One approach is adopting technologies like encryption and other secure data transfer mechanisms, enabling companies to comply with data protection laws while not necessarily restricting data to specific geographical boundaries.”

Data orchestration is another part of the solution, where the company chooses where data is stored based on geographic location while incorporating access and security controls derived from local regulations.

Beyond pure compliance, strategic factors influence data residency decisions. Companies operating in highly regulated industries, such as finance or healthcare, may actively adopt stricter internal policies to mitigate risk and maintain regulatory licences.

To address data residency issues, the largest cloud vendors now maintain data centres around the world. Google Cloud, AWS and Microsoft Azure all offer options to host data in specific geographic locations rather than leaving it up to the provider. However, smaller vendors may only offer some options. Even if a smaller vendor contracts with one of the big three as a cloud provider, they may only offer a subset of that provider’s portfolio or even just one specific data centre.

SaaS platforms are also often designed around a single data centre, making data sovereignty hard to apply. Users may be asked to agree to allow their data to be stored wherever the cloud vendor wishes to put it.

Further considerations include multi-cloud vendor lock-in. Once data is stored in a specific country, do local laws allow it to be moved? Recent court rulings, like the Schrems II case in the EU, have highlighted the challenges of ensuring adequate data protection within a global cloud infrastructure. This case involved Facebook transferring the personal data of EU citizens to the USA and revolved around US surveillance programmes such as PRISM and UPSTREAM infringing the GDPR.

Data residency: a call for clarity and collaboration

At the heart of the data residency debate lies the fundamental tension between citizen privacy (as highlighted by Schrems II) and global connectivity.

Proponents argue that local storage safeguards data from intrusive government surveillance and ensures quicker legal redress for privacy violations. Conversely, critics warn that data localisation can create digital walls, stifling innovation and hindering cross-border data flows. This can disproportionately impact smaller businesses and limit access to essential online services for users in data-restricted regions.

Finding the right balance is crucial. Data residency measures should be proportionate, targeted to genuinely sensitive data, and accompanied by robust data transfer mechanisms that uphold privacy rights. International cooperation and harmonisation of data protection frameworks are essential to creating a level playing field for businesses while safeguarding individual privacy across borders.

The data residency landscape is constantly evolving, with new regulations emerging and technological advancements challenging established norms. Businesses must maintain agility and adopt adaptable data management strategies to navigate this dynamic environment.

Governments have a particular responsibility to create transparent and predictable legal frameworks that balance national security, privacy and economic growth. Increased international collaboration on data residency issues is crucial to fostering a global digital ecosystem that is both secure and open.

As the borders of the digital world become increasingly fluid, finding the right balance between data residency and global connectivity will be crucial to ensuring a future where both businesses and individuals can thrive in a secure and trusted online environment.