Data Sovereignty Laws by Country

Simply put, data sovereignty defines the rules and regulations to which data must be subject. For example, the European Union stipulates that data collected from its citizens is subject to the GDPR, regardless of where it is stored. In addition to regulations such as the right to be forgotten, the GDPR also includes measures for data sovereignty. Companies working with regulated data in Vietnam must comply with the following obligations: Based on the French Data Protection Act 2, when interacting with the personal data of its citizens – even if it processes the data outside the country's borders – an organization must comply with French regulations in addition to the requirements of the GDPR. Design a formal compliance strategy. A formalized compliance strategy is important, especially in jurisdictions where companies must demonstrate compliance to local regulators in order to be allowed to export data and defend against a data breach. A comprehensive and in-depth strategy for respecting data sovereignty should be developed in accordance with applicable laws and available data maps. For jurisdictions with strict data localization requirements, organizations should consider local data storage options (such as setting up on-premises data centers or limiting covered data to on-premises servers offered by cloud providers). For jurisdictions where data may be transferred for offshore processing, a multinational company should confirm whether its current data transmission mechanisms are up to date. 2021 has been a very active year, during which we have seen many changes in the attitude of nations towards international data transfers, and 2022 is already becoming an equally active year. It is important for multinationals to evaluate or re-evaluate their privacy compliance programs when evaluating their business strategies in 2022 and beyond. Cloudian ensures the longevity and availability of your data.

HyperStore can back up and archive your data and provide you with highly available versions that you can restore when needed. Regulatory constraints can have a particular impact on organizations that use hybrid cloud strategies: they employ public cloud providers as well as on-premises data centers, and each cloud deployment must meet separate on-premises regulatory requirements. If California authorities determine a violation of CCPA guidelines, companies have 30 days to comply with privacy laws, according to the regulator's official notice. One category of these laws focuses on data localization. In general, these laws require that data be stored and processed at the national level, with the ultimate goal of improving sovereign control over citizens' data. These laws are primarily motivated by concerns about interference by foreign governments, so their main purpose is to restrict foreign governments' access rights to data stored outside their jurisdiction. With the advent of these new data-dependent technologies and the increasing reliance on them in everyday life, the fear that foreign governments will access personal data (on demand or by force) has worsened. The fear of falling behind in technological development also motivates this policy, with a secondary objective being to make it more difficult for foreign companies to operate in domestic markets. Let's show an example to understand why data sovereignty is crucial. Abu Dhabi Global Market (ADGM) is a free trade area and international financial center in the capital of the United Arab Emirates. There has been a data protection regulation since 2015.

In order to align its definitions with international standards and to clarify a number of points, certain amendments have been added to this law in the Data Protection (Amendment) Regulations 2018. The ADGM also set up a Data Protection Office (DPO) in December 2017 to enforce and monitor the rules. As the world continues to fight the Covid-19 pandemic, businesses are increasingly turning to digital service models that use the internet instead of in-person transactions. Many countries have reacted by clarifying or changing their regulations of the flow of data of individuals: Example: Brazil In accordance with the General Law on the Protection of Personal Data (LGPD), international data transfers are only allowed in certain situations, including when the recipient countries ensure an adequate level of data protection, when approved legal mechanisms (for example, Information is considered personal data if it identifies a specific person. The location rules only apply to companies if they deliberately carry out certain measures: collection, recording, systematization, accumulation, storage, clarification (update and modification) and extraction of personal data. However, such a transfer is still acceptable if you agree to the application of the privacy principles of the GDPR or if you use a special data residency provider as a service that helps protect the data during transmission. Cory, Nigel. “The false appeal of data nationalism: why the value of data depends on how it's used, not where it's stored.” Foundation for Information Technology and Innovation, April 1, 2019. itif.org/publications/2019/04/01/false-appeal-data-nationalism-.. Data protection refers to data privacy. Keeping data private means not putting it in the hands of people who are not authorized to read or modify the data.

For example, the Health Information Protection and Availability Act (HIPAA) requires healthcare organizations and their business partners to keep patient data confidential. The only persons authorized to view a patient's data are the patient, their healthcare providers and the respective insurance company. In this regard, HIPAA is a privacy law. For example, a company may move data to a specific country to benefit from favorable privacy regulations in that country, or try to conduct a number of business in a country to meet its tax benefit requirements. To do this, the organization could create a data residency policy that states that all data must be processed and stored within the borders of that country. Unlike the EU GDPR, the CCPA does not restrict the international transfer of data. Data in transit: organizations often overlook data in transit. It helps if you consider: Example: China According to Article 37 of the Cybersecurity Law of the People's Republic of China (“CSL”), operators of critical information infrastructures (“CIOs”) must store personal data and important data generated from critical information infrastructures in China. These requirements are subject to expansion by the Personal Data Protection Act, draft of which was published in October 2020. Under Canadian data sovereignty laws, an organization remains responsible for the protection of the data it transfers to a third party (even if the service provider is the one that processes the information). Data protection report. “Russian Data Localization Law: Now with Fines,” December 20, 2019.

www.dataprotectionreport.com/2019/12/russian-data-localization-.. Hannah Ji-Otto is a lawyer specializing in privacy and technology transactions with extensive experience in in-house and legal firms. She is adept at helping companies build their global privacy compliance programs from scratch. Hannah strives to understand each client's needs in terms of business model, practices, and goals to protect and benefit from their investments in data and technology. She uses her experience to advise various industries, including global manufacturers, healthcare conglomerates, software providers and insurance companies. 6. Develop norms and standards for the use of data in cooperation with allies, in particular with regard to data protection, security, the rule of law and human rights. Data sovereignty refers to who has power over the data. The Webster Dictionary defines sovereignty as extreme power, especially over a body politic, and freedom from external control.

When applied to data, sovereignty generally refers to the principle that data stored in a country is subject to the laws and regulations of that country. For example, data stored in the United States is subject to the laws of the United States, and data stored in Germany is subject to the laws of Germany. An additional layer of protection is that Germany and 27 other European states are members of the EU.