Data Residency, Data Sovereignty and Data Localization: Conceptual Clarifications

0

By Oyiwodu Rebecca Eyah

The last decade has witnessed expansion in the adoption of digital economy amongst countries with most business, private and public institutions leveraging digital space to offer services. However, transacting in digital space comes with its own legal concerns, with data protection and privacy being predominant.

As more transactions and engagements occur on the internet, data exchange is inevitable and fast increasing. Businesses therefore find themselves faced with a need to effectively store these data and comply with fast developing data protection law. In a bid to cut costs, streamline efficiency and ensure availability of data and systems to staff, businesses are opting for cloud storage.

Cloud storage is a service model in which data is transmitted and stored on remote storage systems, where it is maintained, managed, backed up and made available to users over a network — typically, the internet Cloud service providers manage and maintain data transferred to the cloud, and in some cases, the physical location of the data center where the data are stored is unknown to the users who are required to comply with data regulations. This is where the concepts of data residency, data sovereignty and data localization come in.

Data residency, sovereignty and localization are 3 different terms that are often misunderstood because they overlap in some respect. However, in order to comply with data protection regulations and avoid sanctions, businesses must understand the differences in these terms.

What is Data Residency?

Data residency refers to the physical or geographical location of an organization’s data or information. For regulatory and policy reasons, an organization may specify a location where their data is stored, other than their country of origin.

ALSO READ   The Nature of Intellectual Property Rights for Works Produced by Artificial Intelligence

In the absence of a universal data protection law, some countries and regions have developed their territorial regulations and legislation. This means that to understand which data laws and regulations govern their data, users need to know where their cloud provider’s data centers are located and research the data residency policies for that location.

The obvious challenge in dealing with data residency issues is in ascertaining the location of the data center, in order to comply with the applicable local laws. This is where the concept of data residency and data sovereignty conflate.

What is Data Sovereignty?

Data sovereignty refers to the laws and policies applicable to data in the jurisdiction where it originates from or is located.

Where data residency deals with a geographic location, data sovereignty deals with the data protection laws applicable to data in the geographical location.

Existing data protection laws in most jurisdictions require businesses to operate under local data regulations that dictate how the data of its citizens or residents must be collected, processed and stored within and outside its borders (Article 1.2 of the Nigerian Data Protection Regulation (NDPR), 2019 defines the scope of the regulation to cover all natural persons resident in Nigeria, as well as Nigerian citizens who are residing outside Nigeria). However, companies are allowed to transfer data after complying with local data protection and privacy laws.

What is Data Localization?

Data localization is loosely defined as measures controlling over the location where regulated data physically reside (Peng, Shin-yi and Liu, Han-Wei, The Legality of Data Residency Requirements: How Can the Trans-Pacific Partnership Help? (April 15, 2017). Journal of World Trade 51, no. 2 (2017): 183–204., Available at SSRN: https://ssrn.com/abstract=2961067). It requires that data created within certain borders stay within them. In contrast to data residency and data sovereignty, it is most applied to the creation and storage of personal data.

ALSO READ   FEC Approves Nigeria Data Protection Bill

An example of data localization in operation is Russia’s On Personal Data Law which requires that data generated within Russia, must remain in its territory. It provides stringent regulations for the transfer of personal data from Russia to other countries. India proposed a similar regulation in 2019, but after much criticism, the Bill was withdrawn in August 2022, following concerns by tech companies operating within its borders.

It is argued that the underlying purpose for data residency and data localization requirements is that countries employing it want control over their citizens’ data without recourse to another country’s privacy laws. However, these requirements may significantly undermine online activities and e-commerce and have therefore been subject to criticism.

Similarities and differences between the 3 concepts

  1. All three concepts relate to the application and protection of data privacy in the flow of data across national borders.

 

  1. Where data residency deals with the geographic location of data and data sovereignty deals with the data protection laws applicable in that geographical location, data localization deals with a country’s need to restrict the flow of data outside its borders.

 

  1. Data residency and data sovereignty apply to various types of data, while data localization almost always applies to personal data.

In conclusion, although this article seeks to draw the similarities and differences in these concept, it is relevant to draw out the implication of data residency and data localization measures on the economy. Free flow of data is essential to unlock innovation in all economic sectors. Unhindered access to data have ensured adequate economic and health responses. Data that is stored locally as a result of data localization requirements would not result in economic growth without the necessary open data and data access policies. However, despite the challenges that strict data localization requirements will bring with, the number of countries adopting it have more than doubled from 67 in 2017 to 144 in 2021. (Kholofelo Kugler, The Impact of Data Localisation Laws on Trade in Africa (2021). Policy brief 08, Mandela Institute, School of Law, University of the Witwatersand.)

On the other hand, to avoid the confusion and associated dilemma, cloud users need to carefully review their Service Level Agreements (SLAs) with cloud providers to establish the exact location where their data can and cannot be moved, stored or processed. It is also important to check for cloud service providers’ exemption from data localization liabilities in regions with restrictions. Organizations need to understand these concepts if they must stay in compliance with privacy laws as they expand their businesses into the global market.

ALSO READ   NDPR Implementation Framework 2020: My Thoughts!

Rebecca’s area of specialization is data protection and intellectual property law

LEAVE A REPLY

Please enter your comment!
Please enter your name here