Data residency laws require that companies operating in a country keep data about its citizens on servers located in that country. For companies that have customers or employees in multiple countries, the regulatory requirements can be onerous and difficult to keep up with.
Previously, “safe harbor” laws or tokenization-based approaches helped companies address the issue, but recent regulatory changes have made both approaches less workable. Meanwhile, countries like China, Russia and Brazil have been making changes to their data residency requirements.
In 2020, European courts upended the previous data transfer mechanisms — the EU-U.S. Privacy Shield and standard contractual clauses. In summer 2021, new guidance was released, and companies now have until the end of 2022 to switch to new standard contractual clauses that comply with the new requirements.
In summer 2021, China passed a new data security law, which went into effect in September, with significant financial penalties for companies that violate its new cross-border data transfer rules. This was soon followed by a personal information protection law, China’s answer to the EU’s General Data Protection Regulation (GDPR), which took effect in November.
Brazil passed its own version of the GDPR in fall 2020 and began enforcing it in August 2021.
Russia adopted a data localization law in 2014, then upped the fines on violations significantly in 2019. Last summer, a new law required companies with significant numbers of Russian users to have not just servers but physical offices in Russia. That law went into effect at the start of 2022.
According to the United Nations Conference on Trade and Development, 133 countries have legislation in place to protect data and privacy and another 20 are working on draft legislation. As a result of these and other changes, companies now either set up local servers for the jurisdictions where they do business and residency laws apply, use cloud providers that offer residency support, or work with a newly emerging class of vendors called residency-as-a-service providers.
More Stories
European Journalists Targeted by Paragon Spyware, Citizen Lab Confirms
This is the first forensic evidence that journalists’ devices have been infected with Paragon’s Graphite spyware Read More
Paragon Spyware used to Spy on European Journalists
Paragon is a Israeli spyware company, increasingly in the news (now that NSO Group seems to be waning). “Graphite” is...
Ransomware Gang Exploits SimpleHelp RMM to Compromise Utility Billing Firm
A CISA advisory urged all software vendors and downstream customers to check if they are impacted by unpatched versions of...
Microsoft 365 Copilot: New Zero-Click AI Vulnerability Allows Corporate Data Theft
Researchers have found a flaw in Microsoft 365 Copilot that allows the exfiltration of sensitive corporate data with a simple...
South African man imprisoned after ransom demand against his former employer
Lucky Erasmus and a company insider installed software without authorisation on Ecentric's systems which granted them remote access, enabling them...
Inside a Dark Adtech Empire Fed by Fake CAPTCHAs
Late last year, security researchers made a startling discovery: Kremlin-backed disinformation campaigns were bypassing moderation on social media platforms by...