Global situation in the data protection laws and regulations
The increased digitization of organizations, driven by the rapid adoption of technologies such as cloud computing and data analytics, has increased the importance of data dramatically. This trend influences both traditional industries as well as SaaS and e-commerce.
Data is rightfully considered the lifeblood of the modern global economy, while transferring protected data overseas gets more and more complicated. More and more countries develop barriers that make this process time consuming and costly due to newly enacted data residency regulations.
What is data residency and how it’s changing the global data landscape
As information ages progresses, geographies’ relevance to privacy is becoming more and more important. While large, multi-national privacy regulations like the GDPR or major laws like the CCPA make headlines, there are countless smaller, regional laws and customs that often get less coverage or attention. These laws are often the cornerstone obstacle in the global expansion plans for the multinational businesses.
What is data residency? It’s the localization of regulated data such as personal information within a particular region or country. That could include only storing the data, but it could also include processing it. Where this data is processed in accordance with the laws of that specific region. For this matter, InCountry is the first data residency-as-a-service provider that allows you to expand globally as it securely manages your regulated data in 90+ countries.
Despite the significant benefits to companies, consumers, and national economies that arise from the new digitalized world and ability of organizations to easily share data across borders, dozens of countries have erected barriers to cross-border data flows. Among them – data residency requirements that confine data within a country’s borders, or a concept also known as “data localization.”
Data localization can be explicitly required by law or is the result of other restrictive policies that make it infeasible to transfer data. They require companies to store a copy of the data locally, process data locally and mandate individual or government consent for data transfers.
Let’s have a closer look at some data residency requirements examples by countries.
Data-Localization policies around the world
The map below captures most of the world’s data-localization policies. Data localization comes in many forms: while some countries enact blanket bans on data transfers, many are sector specific, covering personal, health, accounting, tax, financial, mapping, government, telecommunications, e-commerce and online publishing data.
InCountry supports global businesses who face regional privacy laws restrictions. Partnering with InCountry is the fastest way to comply with data residency regulations and unlock new territories.
EU data residency requirements
European Union has a unified data protection law called the GDPR (General Data Protection regulation). This law regulates processing of personal data within the EU and is an important component of the EU’s privacy and human rights law. While the EU does not currently have specific data localization requirements, the recent invalidation of Privacy Shield could mean the requirement of such. Many companies have already taken steps to ensure their data strategies ensure data localization of regulated data before it leaves their countries of origin.
Regulated Data Types
Profile, Employment, Finance, Health, Payment.
Organisations which receive and hold any of regulated data types to follow the GDPR requirements. According to GDPR, companies have to keep the data secure inside the EU and if the data is to be transferred outside of the UE, then it can only be transferred to countries or organisations that have signed up to equivalent privacy protection.
How does this work in technical terms? A transfer means that the source data was moved to a machine outside the EU. But, it can also happen when an employee outside the EU accesses the data – for example, a developer in India is checking logs or a support engineer in Singapore is helping a customer and views his data.
These manipulations are considered as data transfer as well (since data moves to another country) so in an ideal world you’ll have to make sure that only EU citizens and UE machines interact with the data. Both storage in, processing in, and access from outside the EEA will count as transfer. This has major implications for your processing architecture. For example, if you have a US and international customer base, you will need to store and process data separately and in multiple countries.
Yet, such transfer is still ok if you agree to apply GDPR data protection principles or use a special data residency-as-a-service provider that helps protect the data during transfers. (how correct is this saying?)
Russian data residency law
Data protection rules for Russia are found in specific legislation, particularly the Data Protection Act No. 152 FZ dated 27 July 2006 (DPA) as well as various regulatory acts adopted to implement the DPA. Some other data residency laws for Russia are the Information, Information Technologies and Information Protection Act No. 149 FZ dated 27 July 2006, which establishes basic rules as to the information in general and its protection.
The information is considered personal data if it identifies a specific person. The rules of localisation apply to companies only if they carry out specific actions intentionally: collecting, recording, systematisation, accumulating, storing, clarifying (updating and modifying) and extracting personal data.
Yet, Russian data residency law does not prohibit further processing of Russians’ personal data abroad, if this data was previously included in a Russian database and is updated there as necessary.
Therefore, personal data usage, transfer (distribution, provision), depersonaliation, blocking, removal or destruction can be performed using databases outside of Russia.
Regulated Data Types
Profile; Finance; Employee; Health (mirrored copies are allowed to be held outside the Russian Federation).
Payment data specifics: all credit cards including international ones, domestic transactions are handled via Russian National Payment System. Internal transactional records should be processed and stored within the Russian Federation.
Data residency law in Russia – how it works
Technically, data localisation law applies to all Russian companies, branches and representative offices of foreign corporations, as well as other legal entities incorporated outside Russia, that do not have an official presence in Russia but have business activities in the local market.
This law also applies if an international company uses the domain names “.ru, .рф”, has a Russian-language website, receives payment in Russian rubles or delivers goods to the Russian Federation. So, any company doing business in Russia or with Russians may be affected by the law, even if it is not registered in Russia.
If any of the abovementioned applies to your company, it will be considered as an operator of personal data and must localise its databases in the Russian Federation. These legal requirements are applied exclusively to the provisions that were adopted as of 1 September 2015, so personal data collected before this date does not need to be transferred to Russia.
Regulatory Bodies and Regulations
Roscomnadzor is the official governmental body that controls how companies fulfill their localisation duties in Russia. Among its function is the ability to launch an off- or on-site audit. During the audit, a state department usually examines notifications sent by the operator and can require any necessary information – for example, confirmation of the place where databases are stored.
Compliance with Data Protection Act No. 152 requires involvement of lawyers as well as IT specialists in order to create systems and policies for dealing with personal data. Companies which already carry out activities in Russia need to review their database content and systems for dealing with personal data. Some databases obviously need to be relocated to Russia and moving them to the cloud will not solve the issue based on local practice.
Data residency laws in UAE
UAE has some specific approaches to managing data localisation laws. First of all, UAE does not have a comprehensive data protection law at federal level, yet there are a number of laws in place that govern privacy and data security in this country.
Also, there are sector-specific data protection provisions in certain laws. Moreover, the UAE has a number of special economic or sector free zones, three of which have specific data protection laws. These are the Dubai International Financial Centre, the Abu Dhabi Global Market (ADGM) and the Dubai Health Care City.
Regulatory bodies and regulations in UAE
The Abu Dhabi Global Market (ADGM) is a free zone and an international financial centre established in the UAE capital. It has had a data protection regulation in place since 2015. In order to align its definitions to international standards and provide clarity on a number of points certain amendments were added to this law in the Data Protection (Amendment) Regulations 2018. The ADGM also established an Office of Data Protection (ODP) in December 2017, which was tasked with the enforcement and control of the regulations.
Another Free Zone within the UAE, the Dubai International Financial Centre (DIFC). It has had a Data Localisation Law since 2007, which was brought in line with international standards in January 2018. The Office of the Data Protection Commissioner is in charge of protection of all personal information in the DIFC.
UAE data localisation laws
Data Protection in UAE is governed by federal laws and regulations from UAE Central Bank & Telecommunications Regulatory Authority (TRA). These UAE Federal Laws and regulations contain various provisions in relation to privacy and the protection of Personal Data.
Some of them are:
- The Cyber Crime Law – Federal Decree Law no. (5) of 2012. The Cyber Crime Law criminalises obtaining, possessing, modifying, destroying or disclosing (without authorisation) electronic documents or electronic information relating to medical records (Article 7).
- Penal Code (Federal Law No 3 of 1987 as amended)
- UAE’s Central Bank Regulatory Framework for Stored Values and Electronic Payment Systems (“Digital Payment Regulation”) Jan 1st 2017
- Telecommunications Regulatory Authority (TRA) – The Consumer Protection Regulations, Version 1.3, 10 January 2017
- The DHCC Health Data Protection Regulation No. 7 of 2013
- The DIFC implemented DIFC Law No. 1 of 2007 Data Protection Law in 2007 which was subsequently amended by DIFC Law No. 5 of 2012 Data Protection Law Amendment Law (‘DPL’).
- The Dubai Data Law, 27 December 2015
Regulated Data Types
Finance; Health; IoT; Profile (Government data).
Data Residency or Data Transfer Restrictions
Can personal data be transferred to third parties inside and/or outside of the UAE? According to the Penal Code (Clause 379), it can be, if the concerned person has consented in writing to such transfer. The key expectation is to have consent from the concerned person.
However, for finance type of data situation is different, The ‘Regulatory Framework For Stored Values and Electronic Payment Systems’ by the Central Bank of The UAE obligates all Payment System Operators (PSPs) to store and retain all User and transaction data exclusively within the borders of the UAE.
Cernatin restrictions exist in the telecom industry as well. Telecommunications Regulatory Authority (TRA) via ‘The Consumer Protection Regulations, Version 1.3, Issued 10 January 2017’ requires that licensees should obtain a Subscriber’s prior consent before sharing any ‘Subscriber Information’ with its affiliates and/or other third parties not directly involved in the provision of the telecommunications services ordered by the Subscriber.
Further the licensees must ensure that the third-parties are taking all reasonable and appropriate measures to protect the confidentiality and security of the Subscriber Information and the third party’s obligation should be taken care contractually and they should be made responsible for protecting confidentiality and security of Subscriber Information. It’s the obligation of the licensee to ensure that all reasonable measures to protect the privacy of Subscriber Information that it maintains in its files, whether in electronic or paper form.
It’s important to ensure that the level of best practices and data compliance controls implemented can provide an adequate level of regulated data protection. Organisations should look now at how they collect, store and use redulated data in UAE and ask themselves how they can comply with the local laws. This may involve using special data residency-as-a-service platforms like InCountry.
Data localization laws in Vietnam
Data localisation laws in Vietnam have certain specifics. Unlike other countries, there is no single comprehensive data protection law in this country.
Instead, data protection regulations are currently spread across various acts and guiding legal documents. Among them are the following: the Civil Code (2015), the E-transactions Law (2005), the Information Technology Law (2006), the Consumer Rights Protection Law (2010), the Cyber Information Security Law (2015), the Cybersecurity Law (2018). In these circumstances, it is sometimes difficult for companies to identify if data protection laws are applicable to each particular situation.
Regulated Data Types
Profile, Health, Employee.
Vietnam Data Localisation Laws
The key principles on collection, storage, use, processing, disclosure or transfer of personal information are specified in the following main laws and guiding documents:
- Law No. 24/2018/QH14 on Cybersecurity, passed by the National Assembly on 12 June 2018 (“Cybersecurity Law”);
- Law No. 86/2015/QH13 on Cyberinformation Security, passed by the National Assembly on 19 November 2015; amended by Law No. 35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws (“Cyber-information Security Law”);
- Decree No. 85/2016/ND-CP dated 1 July 2016, on the security of information systems by classification;
- Circular No. 20/2017/TT-BTTTT dated 12 September 2017 of the Ministry of Information and Communications, providing for Regulations on coordinating and responding to information security incidents nationwide.
It’s worth mentioning that each aspect and each industry in Vietnam may have their own respective regulating documents. In other words, applicability of legal documents will depend on the actual context of each business case, e.g profile, health, finance or employee data can be subject to specialized data protection regulations depending on the industry. There’s also special regulation on employees’ personal information as stated in Labour Code 2012.
What is the most important Vietnamese legal document that regulates data protection? It’s the Cybersecurity law of Vietnam. Unlike other cybersecurity laws that were inspired by the GDPR of the EU, this law shares similarities with China’s Cybersecurity Law established in 2017. It focuses on providing the government with the ability to control the flow of information, instead of enforcing data privacy rights for private data subjects.
Other laws that are currently being prepared are a draft Decree detailing a number of articles of the Cybersecurity Law, a draft Decree detailing the order of and procedures for application of a number of cybersecurity assurance measures and a draft Decision of the Prime Minister promulgating a List of information systems important for national security.
Personal Data and Data Subject Definitions
Based on many existing legal documents, personal data and data subject definitions are referred to by different terms such as “private life”, “private secret”, “personal information”, “customer’s information”. However, these are generally understood as follows:
- “personal data” is information on an identifiable individual that may include his/her name, address, race, ethnicity, education, financial circumstances, employment history and other information; and
- “data subject” is a person who can be identified from such personal data.
What is the definition of entities that should comply with data localisation regulations? They are also relatively broad and identified differently in various applicable laws. Generally they include individuals and organizations dealing (i.e., collecting, storing, and processing) with personal data in Vietnam, which may include foreign entities.
Companies who work with regulated data in Vietnam should follow the following obligations:
Data subject consent has to be obtained before collecting, sharing, disclosing or transmitting personal data to a third party. If personal data is transmitted to and processed by a third party, then in a contract with the third party, there must be provisions that clearly define the responsibility of each party to comply with the relevant regulations on data protection;
Preparing a privacy notice and making sure that it is easily accessible by the data subjects (e.g. on the website);
Personal data has to be deleted upon data subject’s request or usage period expiry;
Regulated data has to be stored securely and in compliance with technical standards that are compatible with international standards (i.e., ISO/IEC) and regulations on assurance of cyber-information security;
If needed, upon request from competent local authority inspection can be carried out in order to control and ensure information security.
Concerns and useful links
While considering adoption of data residency laws in Vietnam, it makes sense to consider the following factors:
- Currently there is no way to officially check statistics or recordings on regulatory and compliance issues;
- To get more information on the subject of data protection regulation Vietnam, you can visit Vietnam Information Security Association – VNISA
- Non-compliance in terms of data protection may be subject to sanctions (even criminal ones), depending on the severity. Although the data protection regulations provide for many obligations, the regulations on handling non-compliance have not been updated yet.
Saudi Arabia data residency laws
The primary source of law in the Kingdom of Saudi Arabia (KSA) if Shari’a principles. these are Islamic principles derived from the Holy Quran and the Sunnah. Besides Shari’a principles, the law in the KSA consists of secular regulations passed by the government.
Regulated Data Types
Profile, Health, Employee, Finance.
Cloud Computing Framework
The KSA Cloud Computing Regulatory Framework (CCF) is based on international best practices and governs the rights and obligations of cloud service providers (CSPs), individual customers, government entities and businesses. The CCF is one of only a few examples of cloud-specific regulatory frameworks around the world and includes principles of data protection. Some of the provisions, such as security breach notification, are in line with the approach taken in the EU, while others, such as the requirement to register with the Communications and Information Technology Commission (CITC) content classification, are specific to KSA.
Some of the most important features of the CCF from a data protection perspective, are the cloud security requirements cloud service providers must adhere. Cloud customer information can be subject to different levels of information security, depending on the required level of preservation of the information’s confidentiality, integrity, and availability. CSPs must also inform any cloud customer, upon request, of the information security features offered by the CSP or applied to the cloud customer’s information.
There are certain secular regulations passed by the government, which, although not dedicated as a whole to data privacy/protection, contain specific provisions governing the right to privacy and data protection in certain contexts.
Among them are:
There may also be specific regulations applicable to certain industries, for example, in banking, which is regulated by the Saudi Arabian Monetary Authority (SAMA).
More specific examples of privacy-related legal provisions are found in the Anti-Cyber Crime Law of 2007 (Royal Decree No. M/17) and the new E-commerce Law of 2019. In addition, sectoral regulations contain data protection obligations regarding organisations working in telecommunication, IT/cloud services, healthcare and financial services industries.
How InCountry data residency-as-a-service works
As our world gets a bit bigger every day, regional differences arise: what may be seen as an acceptable use of personal information in Egypt could be controversial in China. A service like InCountry, supporting data residency allows processing to be tailored to regional expectations through internal processing decisions.
InCountry can become your ultimate solution in the global compliance scheme. Our service is currently available in 80+ countries and rapidly growing. Our service securely manages your regulated data – let’s see how this happens.
Types of data that can be collected and processed with InCountry:
Profile, finance, health, employee, payment.
As you want to scale globally with minimum effort and maximum speed, our solutions are specifically made so they can be implemented quickly and cost-effectively, adapting to the amount of customization and control you need.
Currently InCountry offers 3 types of products: InCountry REST API and SDK, InCountry Border, InCountry Single-Tenant.
While the definition of privacy varies across regions, there’s one thing everyone agrees on — that privacy is important. It’s always challenging to see into the future, but if the last five years are any guide, regional differences in privacy laws are likely to increase.
Supporting data residency sends customers two signals. First, a business supporting data residency respects privacy. And second, a business supporting data residency can meet regional data protection and privacy requirements.
At InCountry, we believe data residency-as-a-service is the ultimate solution to those companies that seek global expansion and need to comply with data residency laws in different countries. Working with service providers like InCountry helps ensure that information can be collected, processed, and stored in a way that meets different expectations.
Ready to take the next step with data residency?