Data residency laws: An international guide

Get an overview of data residency laws in the U.S. and around the world.

Last updated:
3/6/2024
⚡ Key takeaways
  • Some data residency laws have explicit requirements for businesses to store and process data within the country or region — known as data localization.
  • Other regulations place obstacles on cross-border data transfers, which lead to data localization as a simpler means to compliance.
  • Global data residency laws generally align in terms of their goals. However, the application and specifics can create contradictory requirements, making it critical for businesses operating internationally to pinpoint these contradictions and document potential solutions.

In response to widespread digitalization and the growing use of personal information, many countries are establishing laws and regulations that give residents more control over their personal data, although the definitions of personal data can vary. These laws introduce security measures to help prevent identity theft and cybercrime, and they may also require data localization or lead organizations to store data within specific borders to streamline compliance.

A brief overview of data residency laws 

Some data privacy laws and industry regulations touch on data residency, or the physical location where data is stored. By requiring organizations to store and process data within the region, governments can ensure that their laws and regulations will apply and can be enforced. 

Sometimes, data residency laws have explicit requirements for businesses to store and process data within the country or region — known as data localization. Or, the laws may place obstacles on cross-border data transfers, which lead to data localization as a simpler means to compliance. 

In many cases, data residency laws and regulations are limited to certain types of data or industries. For example, health and financial data tends to be more strictly regulated than other types of personal data. 

However, even if you’re not in a highly regulated industry, you need to be aware of the data privacy and residency laws wherever you operate. You may also be responsible for ensuring the cloud service providers and sub-processors you use comply with the applicable laws. 

Data residency laws by region and country 

Two global law firms, DLA Piper and Baker McKenzie, have in-depth resources with information on data protection laws around the world. We’re not covering the globe or every aspect of the laws here, but we do want to highlight the data residency laws in a few areas.

United States data residency laws

The U.S. doesn’t have sweeping data privacy or residency laws at the federal level. 

The Federal Trade Commission can enforce federal laws that limit the sharing of personal information and take action against companies that don’t keep consumers’ data safe. However, laws restricting data usage or transfers generally don’t require data localization. 

In many ways, the U.S. has actually gone against the grain by promoting data portability over localization. For example, the United States-Mexico-Canada Agreement (USMCA) — the revised North American Free Trade Agreement (NAFTA) — explicitly forbids data localization requirements.

Over a dozen states have introduced consumer privacy laws, starting with the California Consumer Privacy Act (CCPA) in 2020, which was amended by the California Privacy Rights Act (CPRA) in 2023. But again, these don’t have data localization requirements. 

European Union data residency laws

The General Data Protection Regulation (GDPR) covers residents of the European Economic Area (EEA), which is made up of EU member states, plus Iceland, Norway, and Liechtenstein.

The law focuses on data privacy and the processing of personal data — any information that could be used to directly or indirectly identify a person — within the EEA. It also applies to organizations outside the EEA that monitor EEA residents or offer them goods or services. 

GDPR doesn’t directly require data localization, but it does impose limitations on data transfers that create localization effects and could lead organizations to keep data within the EEA. 

For example, data transfers outside the EEA are only allowed if the European Commission has determined the receiving country has adequate protections and safeguards in place. However, there are exceptions that allow organizations to more easily transfer data to other countries, such as when a person gives consent to have their data transferred.

United Kingdom data residency laws

Although the UK is no longer part of the EU, the UK Data Protection Act (DPA) effectively implements GDPR within the UK. 

The DPA expands on the GDPR in some areas but doesn’t impose new data residency requirements. It also uses the same approach to cross-border data transfers and recognizes countries that were part of the EEA before Brexit as having adequate levels of protection. 

The EU has also recognized that the UK offers equivalent personal data protections, allowing for the continued free flow of data transfer between the UK and EU.

The UK has also established a “data bridge” with the U.S., allowing personal data to more freely flow to the U.S. 

Canada data residency laws

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s main data privacy law at the federal level, although provinces also have related laws. 

Organizations that want to transfer personal data within or outside of Canada must ensure that the recipient has appropriate safeguards in place. However, data localization generally isn’t required at the national level. 

In Alberta, the Personal Information Protection Act (PIPA) requires organizations to notify consumers if their data will be transferred and then processed outside of Canada. Quebec’s Private Sector Act has a similar stipulation, obligating organizations to conduct a data privacy assessment and put safeguards in place before transferring data outside Quebec. 

Similar to GDPR, these types of barriers on transfer could create a localization effect, leading some companies to keep data within Canada to ensure compliance. Note that Persona does not currently support data residency in Canada.

Japan data residency laws

Japan’s Act on the Protection of Personal Information (APPI) was enacted in 2003 and has undergone several changes. Most recently, an amended version of the APPI came into effect in 2023.

Similar to GDPR, the amended APPI doesn’t impose data localization requirements. However, cross-border transfers of personal data stored in Japan require one of the following: an opt-in by the data subjects, a recipient located in an allow-listed country designated as such by the Personal Information Protection Commission of Japan (PPC), or a receiver that meets adequacy requirements. Alternatively, the organization must ensure the transfer is protected and that the receiving party has safeguards in place to protect the data.

Japan has agreements with the EU and UK that allow for data transfers. The U.S.-Japan Digital Trade Agreement (DFTA) also allows for cross-border transfers and, similar to the USMCA, prohibits data localization requirements. Note that Persona does not currently support data residency in Japan.

Practical tips for complying with data residency laws

You’ll need to be aware of and comply with the data residency laws in every jurisdiction where you operate — and where you want to expand. For the most part, data residency laws align in terms of the goals. However, the application and specifics can create contradictory requirements. 

Many data privacy laws also require organizations to appoint a data protection officer who will oversee your data operations in the area and be your point of contact with regulators. Work with these individuals to create systems for processing and protecting data, responding to user requests, and monitoring compliance.

Engaging solutions providers and cloud service providers (CSPs) who understand and align with your policies and needs is also important. Many of the large CSPs have data centers in different countries and offer single-tenant architecture. 

With a dedicated server, you can more easily control where your data is stored and processed. It’s one of the approaches that Persona offers so customers can maintain GDPR and CCPA compliance with our identity verification, fraud prevention, Know Your Customer (KYC), and Know Your Business (KYB) solutions. And when you partner with Persona, you can entrust your data collection, storage, and processing requirements to us. 

Keeping users’ personally identifiable information (PII) out of your systems allows you to focus on your core business, and we can support data residency requirements in the U.S. and EU. Persona also helps you comply with access and right-to-be-forgotten requirements by allowing your users to request or delete their securely stored personal data at any time. 
