Excellent question. Again, we deal with a lot of those questions from our clients. And now, I’m sure you’ve heard that the privacy shield and validation — it’s becoming even more difficult. Let me first explain two points. Data residency is a practice when a company can decide where their data is. Data residency, they decide, “We’re going to keep our data here, and we’re going to use contractual means and obligations to make sure that data doesn’t leave the country.” Now, what you mentioned about China and Russia, those are data localisation laws. The data that originates in this country or a region — sometimes, for China, it’s a region — must stay in the same territory. The reason why I’m distinguishing between those two is because with data residency, again, it’s a strategy: Where do you go?
Let me talk about that one first. When we talk about data residency, when you decide where the data is, you want to prevent cross-border data transfers. Just picture this example: Let’s say that — you mentioned Germany. Germany and France, they do have special localisation requirements that are not as strict as China’s. Let’s just play out the scenario that you decided that your data is going to be in Germany, for example. If company engineers are in India and they are accessing that data from India, they’re not physically transferring the data. They’re only accessing that data in Germany. In that scenario, it’s still considered a move, and the residency is broken.
When you think about data residency, you really have to ask yourself, “Am I doing it for compliance reasons? Am I doing it for protection of the data, making sure you know where it goes, or something else?” I always tell my clients that if you can keep your data in Europe, it’s much easier for you to comply. Realistically, with this global footprint and how we’re all accessing data, that virtual transfer happens very easily unless you put a perimeter around your European data center, where nobody can get in and out. That’s one point.
The second point: For data localisation laws — and I’ll start with China because it features the most comprehensive list of strict requirements, and I know they are changing slightly — but that law defines two operator types: the network operator and the critical infrastructure operator. Those definitions are so broad. Most of the time, they apply to all foreign organisations. With this requirement, all personal information that’s collected in China must be stored on servers located in China. If you want to transfer that data outside of the country, you have to receive government permission, and you have to undergo a security review. It’s a pretty strict requirement. There are some other ones in China where providers of telecommunications and internet firms must also provide encryption keys to the Chinese government, and there are some limitations on financial services data.
Now, with Russia, it’s a little bit less strict. Again, with Russia, it’s a pretty new requirement, but, based on their data, the personal data law, all data operators that collect data in Russia must first store that first copy of the data in Russia. Then, once you store the initial data in Russia, you can take that and move it to other countries. Russians just want to be able to have access to that information and have it on-premise because it is data collected about their Russian citizens. Telecommunications companies and internet service providers, they have some additional requirements where they have to also work with the government to make sure that the government approves the operations. Other than that, it’s a little bit easier in Russia.