Data Localization 101: How to Not Get Stuck in Local Data Protection Laws
There are many things to consider before you decide to take your product or service global. The need to account for translating and localizing your content is only the most obvious one. An issue that is easily overlooked is the set of legal requirements that come into play when localizing data. Depending on which country you are planning to do business in, you might run into strict regulations that require you to jump through a number of hoops. This can turn out to be too hard (and expensive) for smaller startups to master.
But let’s have a closer look.
There are various motivations for nations to require companies to adhere to certain standards and restrict or forbid the export of personal data. Safeguarding the privacy of their citizens is one of them; preventing cyber crime, or making it easier to track down, is another. Here are three examples of countries or big foreign markets with more or less strict data localization laws that you should know of:
A new cybersecurity law will go into effect in China in June 2017. It requires “critical information infrastructure operators” — which could be interpreted to include companies in many sectors, including telecommunications, information services, and finance — to store certain personal and business information in China. If a foreign company is subject to this law, it will have to apply for government permission before transferring data out of China. According to legal experts, the law leaves much room for interpretation, which might just lead to companies playing it safe and keeping the data in question in the country. While building the infrastructure for that might not be a problem for big corporations, startups that want to tackle the attractive Chinese market will most likely struggle with the costs involved.
Since September 2015, Russia has had one of the most high-profile data localization laws in the world. It has a very comprehensive scope, requiring that any personal data collected from Russians be stored and processed on servers located within Russia. Foreign companies must comply with this law or they risk significant fines or even having their websites blocked in Russia. Russia’s communications authority, Roskomnadzor, enforces the law actively, and even tech giants like Microsoft had to go through an extensive vetting process in order to get certified by the administration.
The European Union and its member states traditionally have been protective of their citizens’ private data, more so than, for example, the US. The EU does not have an explicit data localization law, but directives like the General Data Protection Regulation spell out strict requirements for personal data that is transferred to non-EU countries. As a result, many companies have chosen to keep the data within the EU just to avoid the complicated and expensive process for exporting it.
There are many more countries that have restrictions on transferring personal data out of their jurisdiction, and what makes planning for data localization even harder is that these requirements seem to change almost constantly. A good resource for project managers dealing with this issue is the regularly updated data localization snapshot published by the Information Technology Industry Council (TIC), which you can find here.
There are many components to going global with your brand, and it is vital that you have your legal bases covered. If you are ready to take the next step toward entering your chosen market, don’t hesitate to contact us. You can also request a quote for your next translation, localization, or global creative project.