Data residency in 2024: Laws, trends, and insights

2023 has brought several changes in the Data privacy space, from new privacy protection enactments to new trends. Countries across the Gulf Cooperation Council (GCC) including Saudi Arabia, the United Arab Emirates, Bahrain, and Oman enacted data privacy laws. We also witnessed the following trends:

• Increased data regulatory activities across several countries like China; 
• Technological advancements that have improved compliance with data protection laws; 
• Increasing consumers’ awareness of their data rights, etc.

As multinational businesses grapple with evolving laws, shifts in technology, and heightened concerns over privacy, the conversation surrounding where data resides has become more pivotal than ever.

2024 will be even more exciting as the conversation will go beyond regulatory concerns to brand sustainability, anchoring on metrics like customer retention, customer satisfaction, and brand loyalty. This shift is driven by customers becoming more aware of their data rights and brands recognizing the influence of data policies on customer patronage and loyalty.

This article will discuss data protection laws for 2024, trends, and insightful revelations shaping data residency in the near future. We will also show you how InCountry can help you stay compliant with data privacy laws. 

Which data residency laws will come into force in 2024?

Like in 2023, we expect several data privacy laws to come into force in 2024. Please note that some of these privacy laws have already been formulated and are being reviewed for enforcement. The following are some of the privacy laws we expect:

1. India’s Digital Personal Data Protection Bill (DPDP Bill)
2. The EU-U.S. Data Privacy Framework
3. Saudi Arabia’s Personal Data Protection Law (PDPL)
4. Oregon Consumer Privacy Act (OCPA)
5. Texas Data Privacy and Security Act (TDPSA)

India’s Digital Personal Data Protection Bill (DPDP Bill)

This is another data privacy law that is set to rock the data privacy 2024 space. Like most data privacy laws, it has some set objectives it is directed at hitting. Those objectives are as follows:

• Grant individuals control over their personal data.
• Regulate the collection, use, and storage of personal data by businesses.
• Promote innovation and responsible data governance in the digital economy.

This policy applies to all entities that process personal data within India, regardless of location or nationality. Including foreign entities offering goods or services in India.

Some of the key provisions of this policy are as follows:

• Requires free, informed, and specific consent for personal data processing, with exceptions for certain legitimate purposes.
• Individuals can access, correct, erase, restrict, and port their personal data.
• Businesses must collect and store only the minimum data necessary for their stated purposes.
• Businesses must implement reasonable security measures to protect personal data.
• Sensitive personal data must be stored within India, with exceptions allowed for certain purposes.
• Restricted to certain countries or with government approval.
• It requires data processing entities to appoint data protection officers, who will conduct data privacy impact assessments periodically and report data breaches.
• A Data Protection Board enforces the law and adjudicates disputes.

This policy was recently passed by the lower House of Parliament in India and is set to go through for implementation in 2024. CEOs and other business leaders with Operations in India should start planning for full implementation.

The EU-U.S. Data Privacy Framework

Before the formulation of this privacy framework, the EU courts invalidated earlier Privacy Policies, such as the Safe Habor and Privacy Shield, because of the concern that these laws gave the US government free access to the personal data of EU Citizens. To solve this challenge, this new data privacy framework has become very necessary. The goal is to ensure safe and reliable data between the US and the EU.

Some major features to note before its implementation are as follows:

• Improved protection of EU residents’ data:
  • Limits US government access to EU data to what’s necessary and proportionate.
  • Establishes a new independent Data Protection Review Court (DPRC) to handle EU individuals’ complaints about US intelligence activities.

• Improved rights for EU individuals:
  • Right to access, correct, delete, and restrict processing of their data.
  • Independent redress mechanism for data protection violations.

• Outlines the responsibilities of US companies:
  • Need to comply with a detailed set of data privacy principles.
  • Implement robust data security measures.
  • Offer clear and transparent information about data practices.

A major advantage that comes with this policy for both territories is the continued transatlantic data flows between both territories, for businesses. It also provides stronger data protection laws for EU citizens. As a business leader in the US, you should review this policy properly before its full implementation to ensure full compliance, since there are some new additions.

Saudi Arabia’s Personal Data Protection Law (PDPL)

Saudi Arabia’s Personal Data Protection Law (PDPL) which was amended in 2023 will come into effect in September 2024. This is a major achievement for the Kingdom as it adopts global standards for data privacy regulations while also including unique elements that reflect the Middle Eastern culture. The PDPL, which shares some similarities with the EU’s GDPR, outlines essential guidelines for data residency, cross-border data transfers, data subject rights, lawful processing, information security, breach notifications, and other crucial aspects of data protection. This law is a vital step towards safeguarding individuals’ privacy and ensuring the secure handling of personal data in the region.

Here are some key aspects of the PDPL

• The PDPL requires data processing to be done lawfully, fairly, and transparently, with consent obtained where necessary.
• Data owners must have access to their data and can request the correction and deletion of their data if necessary.
• The law imposes responsibilities on data controllers and processors, outlining measures for data protection, security, and data breach notification requirements.
• The PDPL specifies that data-controlling entities must limit the data they collect to what is appropriate and necessary.
• The law emphasizes the implementation of necessary security measures, aligning with National Cybersecurity Authority standards.
•  Controllers must ensure periodic compliance assessments of data processors, placing accountability solely on the controller.

 Compliance with this law will be crucial for organizations operating within Saudi Arabia to protect individuals’ data and avoid severe legal consequences.

Oregon Consumer Privacy Act (OCPA)

The data privacy space in the US is currently decentralized, as most States have formulated data privacy laws to manage data privacy within the state. For instance, California has the California Consumer Privacy Act (CCPA, 2020), and Colorado with their Colorado Privacy Act (CPA, 2021), etc.

In 2024, the state of Oregon is expected to join the League of States in the US with an active data privacy law governing the collection, processing, and storing of the personal data of residents of Oregon. The privacy law is expected to apply to businesses that operate in Oregon and meet any of the following requirements:

• Process personal data of 25,000+ Oregon residents annually.
• Obtain over 50% of annual gross revenue from the sale of personal data.

Like other data privacy laws around the world, it guarantees the following rights for Oregon residents:

• Confirm if their data is processed, what categories are collected, and who it’s shared with.
• Request correction of inaccurate or incomplete personal data.
• Request deletion of their personal data.
• Obtain their personal data in a readily portable format.
• To opt out of the sale of their personal data.
• Prohibits discrimination against consumers who exercise their rights.

Consequently, the following are the obligations of businesses that operate in Oregon:

• Implement reasonable security measures to protect personal data.
• Provide clear and conspicuous notice about data collection and usage.
• Respond to consumer requests within 45 days (extendable in some cases).
• Designate a privacy officer for oversight.

This data privacy law is expected to be enforced in July 2024. As a CEO, or some other Senior Executive of a business in Oregon, you should consider studying more about this policy, and position your organization to be fully compliant.

Texas Data Privacy and Security Act (TDPSA)

This is another data privacy law that is projected for implementation in the US. As you may know, Texas is one of the largest states in the USA and is set to implement its Data Privacy & Security Act in 2024. It applies to businesses that fall into these categories:

• Conduct business in Texas or produce products/services consumed by Texas residents.
• Process or sell personal data.
• Are not small businesses (as defined by the US Small Business Administration).

It offers Texans the following rights:

• Request deletion of their personal data.
• Request correction of inaccurate or incomplete personal data.
• Confirm data processing, obtain copies of data, and access certain categories collected.
• Portability: Obtain their personal data in a readily portable format.
• To opt out of the sale of their personal data.
• Prohibits discrimination against consumers who exercise their rights.

Business Leaders with interests in Texas should start preparing to for the implementation of this policy to avoid the penalties for noncompliance.

Data residency trends and insights for 2024

Beyond the myriad of data privacy laws that are projected to be implemented in 2024, there are other data insights and trends that we experts in this field expect to see. These trends and insights are important because they will shape the data privacy laws that will be enforced, in 2024. Beyond that, they may even influence the amendment of already existing data privacy laws.

Here are some trends and insights to look for in 2024:

#1 Data protection must be included from the start

With the recent surge in data privacy legislation, including the EU GDPR, CCPA, and upcoming laws like TDPSA and OCPA, compliance is becoming increasingly complex. Consequently, we expect to see more companies inculcate data protection into their system, from start to finish. Building data protection into your systems from the start will help you stay ahead of the curve and avoid costly compliance issues. Thankfully, InCountry can help you stay compliant with data privacy. We are up to date on data residency requirements by country and can help you stay compliant.

Data breaches and privacy violations can significantly damage your brand reputation and erode customer trust. By prioritizing data protection, you demonstrate your commitment to ethical data practices and build trust with your customers.

#2 Increasing customer awareness

Brands are acknowledging the profound impact of stringent data policies on customer patronage and loyalty. Recognizing that consumers are more discerning about how their data is managed, companies are aligning their strategies with ethical data practices. This isn’t merely a compliance-driven adjustment but a strategic move to foster trust and loyalty among their customer base.

The nexus between data residency and brand sustainability has led companies to reassess their data storage and processing protocols. They’re proactively ensuring that data residency aligns with not only regulatory requirements but also customer preferences and expectations. Brands are now leveraging this approach as a competitive advantage, understanding that a transparent and responsible data residency strategy can significantly augment customer loyalty and market share.

In 2024, the convergence of data residency with brand sustainability isn’t just a trend; it’s a fundamental shift in how businesses prioritize and safeguard customer data. This shift underscores the imperative for brands to recognize that ethical data practices are critical in nurturing enduring customer relationships and sustaining brand loyalty in an increasingly data-aware marketplace.

#3 AI and Data Privacy 

The intersection of AI and data privacy will be a hot topic in 2024, presenting both challenges and exciting opportunities. As you may know, AI systems heavily rely on large amounts of data, and this raises concerns about data breaches, discriminatory profiling, and other unintended consequences. Robust data security measures and privacy-preserving AI techniques will be essential for mitigating these risks.

#4 Cross-border data transfers in 2024

2023 has seen several interesting activities in the data protection space, with several countries placing strict requirements for data transfers out of their country. The GDPR seemed to have set this trajectory that several data privacy laws have emulated.

In 2024, we expect to see the following trends in data transfers:

• Privacy-enhancing technologies: Secure data analysis without revealing the underlying data, like secure multi-party computation, will gain traction for secure cross-border collaboration.
• Evolving regulations: New data transfer mechanisms and agreements will aim for a more standardized approach, while revised EU Standard Contractual Clauses (SCCs) and regional frameworks like APEC’s will shape the industry.
• Rise of the data privacy officer (DPO): Expertise in international data privacy regulations and PET implementation will be crucial for DPOs.
• Data minimization: Businesses will focus on collecting and storing only necessary data, reducing cross-border data volume.
• Geo-blocking and data localization: Potential hurdles for cross-border flows, requiring businesses to adapt services to comply with local laws.

These are some of the trends we expect to see in the area of data transferring.

#5 Increased penalties & consumer awareness

As we witness the global expansion of data privacy and protection laws, it comes as no surprise that we can anticipate a surge in fines in the year 2024. For instance, in May 2023, the Irish Data Protection Commission (DPC) issued a record-breaking fine of €1.2 billion ($1.3 billion) on Facebook’s Meta. This penalty was a consequence of Meta’s mishandling of data transfers between the EU and the US. Others that occurred during the year include:

• A €40 million ($43 million) fine against CRITEO.
• A €345 million ($370 million) fine on TikTok from the Irish DPC, etc.

We expect to see more hefty fines in 2024, and this should serve as a warning to business leaders in the new year to ensure compliance with all laid-down policies in their country of operation. Additionally, consumers are also becoming increasingly aware of their rights provided by the various Data Protection Laws.

#6 Generative AI breaches and associated fines

Generative AI (GenAI) is becoming increasingly complicated for application developers, thereby creating potential complications if the technology is not used with care and responsibility. The consequences could extend beyond mere challenges, venturing into the realms of data breaches and subsequent fines.

Forrester’s 2024 Projections in Cybersecurity, Risk, and Privacy paint a cautionary picture. According to their foresight, insecure AI-generated code is anticipated to play a pivotal role in at least three data breaches. These breaches stem from security flaws embedded in the generated code or vulnerabilities in the AI-recommended dependencies. It serves as a stark reminder that the responsible utilization of generative AI is not just a best practice but a critical imperative in safeguarding against potential pitfalls in the ever-evolving cybersecurity and privacy sectors.

#7 Continued AI proliferation and legislation

The US has just ratified an AI Executive Order, a strategic move aimed at ensuring the responsible, secure, and trustworthy advancement and application of AI. While the US may not be the pioneer in crafting an AI Privacy Law, it certainly joins the global conversation, with countries like the EU, Brazil, Canada, and China actively shaping their regulatory frameworks.

As we set our sights on 2024, the global stage is poised for an uptick in AI legislation. Nations are gearing up to navigate the intricacies of AI, emphasizing safe and ethical utilization. In the coming year, regulators will be grappling with the delicate task of striking a balance—safeguarding consumer rights while fostering the evolution of groundbreaking AI technologies.

Amidst the buzz, the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) have taken the collaborative lead. In conjunction with 21 other global agencies, they’ve unveiled Guidelines for Secure AI System Development. This collaborative effort signals a shared commitment to shaping the AI landscape responsibly and sets the tone for a year where global cooperation takes center stage in defining the future of AI governance.

How InCountry can help global companies stay compliant

Without question, 2024 will witness more complicated policies, and reviews of existing data privacy policies as countries strive to keep the personal data of their residents safe. Staying compliant may become a challenge if you do not have the right tools or help. However, the good news is that InCountry can provide both. With data centers located worldwide and a deep understanding of data privacy laws, InCountry can ensure that your business stays compliant across the various countries where you operate.

We offer Data Residency-as-a-Service in many countries, which ensures you stay compliant in all countries your business operates. With this service, you can store your client’s data in the country of your choice while giving you access to the same data from any other location in the world. This service also covers those that utilize Salesforce, as we have Salesforce Data Residency.

Besides our Data Residency-as-a-Service, there are several other benefits your global company can enjoy when we work with you. Our isolated data environments minimize the risk of unauthorized access or breaches, ensuring data privacy and compliance with HIPAA, GDPR, and CCPA regulations. Furthermore, we utilize advanced security measures like anomaly detection and intrusion prevention to proactively identify and mitigate data threats.

What’s more, InCountry provides detailed audit logs and reports, enabling businesses to demonstrate compliance and meet regulatory requirements. Simply put, we make it easier for you to conduct your business globally as you do not have to worry about data compliance. To learn more, Contact us today; let’s discuss your needs and show you how much value we can contribute to your business success!