International: Understanding data residency – Part three: EMEA perspective
Many jurisdictions are increasingly enacting laws and regulations governing how and where data must be stored, whether within their respective borders or abroad. The result is a constantly evolving network of rules and restrictions on the location of data. In this three-part series, OneTrust DataGuidance provides an overview of key trends in data localisation and data residency, outlining the underlying approaches to each, as well as common trends associated with particular sectors and categories of data.
Residency and localisation trends across EMEA
The most remarkable trend is the noticeable increase in localisation requirements within newer data protection laws. This is accompanied by changes in the public and private sector practices in relation to data storage procedures.
Scattered data centres
Hand in hand with this has been the expansion of data centre hotspots to meet global residency and localisation requirements. The Middle East, with localisation requirements in the UAE and Saudi Arabia for instance, is a commonly cited example where requirements are particularly stringent. However, there has been discussion as to whether the Court of Justice of the European Union's ruling in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case') has created localisation requirements through the back door. As a result, some international organisations are choosing to set up data centres in Europe to avoid the complex restrictions on transferring personal data outside the territory of the Member States.
Residency requirements for the gambling sector
A less frequently discussed area for localisation requirements is the gambling sector. Notwithstanding important trends in the financial and healthcare sectors (as the preceding Insights in this global Understanding Data Residency series have spotlighted), the gambling sector has some crucial requirements of its own. In the EU, the Malta Gambling Authority requires real-time replication of regulatory data in its technical infrastructure guidelines. Furthermore, Romania's gambling ordinance requires gaming servers to have a registration system capable of identifying the gamers and a system which stores and transmits data to a backup server situated on Romanian territory.
International trade and PNR agreements
Various international trade agreements contain clauses which require the relevant states to ensure the free flow of data between the countries, sometimes for specified purposes such as Passenger Name Records ('PNR') or law enforcement, and sometimes just as a general statement. Free flow of data is a crucial aspect of trade agreements, removing barriers to trade and facilitating digital trade.
Article 14.10 of the UK-Australia Free Trade Agreement ('FTA') [1], as drafted post-Brexit and published in December 2021, explicitly provides that '[n]either Party shall prohibit or restrict the cross-border transfer of information by electronic means, including personal information, if this activity is for the conduct of the business of a covered person'. Article 14.11 of the FTA continues, '[n]either Party shall require a covered person to use or locate computing facilities in that Party's territory as a condition for conducting business in that territory'. The agreement is not yet in force. Both the UK and Australia are required to complete their respective domestic procedures for the agreement to come into effect. Once approved by both parliaments, businesses will be able to trade under its terms.
Similarly, in February 2021, the UK signed its first Digital Economy Agreement ('DEA') with Singapore. The UK-Singapore DEA promises the free flow of trusted data between the UK and Singapore for business purposes by preventing unjustified restrictions to cross-border data transfer [2].
The DEA further guarantees that UK businesses will be able to avoid the cost of setting up servers and storing data in Singapore as a result of unjustified data localisation requirements.
As a caveat, both the UK-Singapore DEA and the UK-Australia FTA provide that parties may be able to impose restrictions to data transfers or computing facility location requirements which are proportionate to their purpose and necessary for public policy reasons, for example, personal data protection.
PNR may need to be stored within a jurisdiction. Even where the European Commission has issued adequacy decisions to approve transfers of personal data, further restrictions may apply to PNR data without a dedicated PNR agreement in place for public authorities to transfer PNR data, notably for the purposes of law enforcement and terrorism prevention. Article 6(8) of Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of Passenger Name Record (PNR) Data for the Prevention, Detection, Investigation and Prosecution of Terrorist Offences and Serious Crime ('the PNR Directive') states that the storage, processing, and analysis of PNR data by the Passenger Information Unit ('PIU') shall be carried out exclusively within a secure location or locations within the territory of the Member States. So far, the EU has only signed PNR agreements with the USA and Australia, whilst negotiations with Canada and Japan are ongoing.
Further clarification is also needed on the impact of the Schrems II Case on the EU-US PNR agreement, and on the post-Brexit position following the adoption of a general adequacy agreement.
Variety of trends across Africa
Across Africa, requirements range from explicit localisation to de facto approaches. Part X of the Zambian Data Protection Act No. 3 of 2021 contains heavy residency obligations. Section 70 requires controllers to process and store personal data on a server or data centre within Zambia. Exceptions to this localisation requirement for certain categories of personal data can be issued by the Minister in charge or, in limited instances, by the Data Protection Commissioner (but sensitive data must always be stored within Zambia). In Burkina Faso, health data must be hosted within the territory, unless an exemption is granted by the data protection authority. In Kenya, the Data Protection (General) Regulations, 2021 require a data controller or data processor who processes personal data for the purpose of the strategic interest of the state to process such personal data through a server and data centre located in Kenya, or to store at least one serving copy of the personal data concerned in a data centre located in Kenya. The Egyptian Personal Data Protection Act requires licences for any cross-border data transfers.
General residency requirements – case of Saudi Arabia
Saudi Arabia's new Personal Data Protection Law ('PDPL'), implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No. 98 dated 14 September 2021, provides stringent requirements with regard to transfers of data outside the Kingdom in its Article 29. Article 28 of the Draft Executive Regulations supplementing the PDPL requires controllers to store and process personal data within the geographical boundaries of Saudi Arabia. Personal data may not be stored or processed outside of Saudi Arabia before conducting an impact assessment and obtaining the written approval of the regulatory authority, which is given after the regulatory authority has liaised with the competent authority on a case-by-case basis.
Pending the commencement of the PDPL and the final Executive Regulations, the National Data Management Office ('NDMO') has developed the National Data Governance Interim Regulations ('the Interim Regulations'), which encompass the Personal Data Protection Interim Regulations and the Data Sharing Interim Regulations. In relation to cybersecurity requirements, the Interim Regulations apply to all personal data processing activities and include requirements on localising all personal data within the country. Although the Interim Regulations remain applicable alongside national sectoral legislation, additional sectoral localisation requirements in Saudi Arabia are numerous, spanning cloud computing, cybersecurity, financial and payment services, and Internet of Things ('IoT') devices, among others.
With regard to the IT/cloud services sector, the Cloud Computing Regulatory Framework of 2019 [3] ('the Cloud Framework') regulates cloud service providers ('CSPs') who conclude agreements for cloud services with customers resident or having an address in Saudi Arabia, and restricts the international transfer of 'Level 3' and 'Level 4' content.
In relation to cloud computing, the National Cybersecurity Authority's ('NCA') Cloud Cybersecurity Controls 2020 ('the CCC 2020') contain various cybersecurity controls in respect of cloud services, including on localisation and on information security considerations. The NCA's Critical Systems Cybersecurity Controls 2019 [4] ('the CSCC 2019') likewise contain localisation requirements, together with a prohibition on remote access for identity and access management of critical systems. Under the CCC 2020 controls, cloud providers are required to provide cloud services from within Saudi Arabia, including from infrastructure hosted inside Saudi Arabia.
In relation to payment services, Section 2.6.2 of the Regulatory Rules for Prepaid Payment Services in the Kingdom of Saudi Arabia 2012 [5], issued by the Saudi Arabian Monetary Authority ('SAMA'), requires that personal data collected during client recruitment and client transaction activity is stored in facilities housed in Saudi Arabia.
Further to the above, and in relation to the IoT sector, the Communications & Information Technology Commission ('CITC') stated, in Section 7 of the Internet of Things ('IoT') Regulatory Framework [6], that licensed IoT service providers and indoor IoT network implementers must host all servers used in providing IoT services, and store all data, inside the Kingdom of Saudi Arabia ('KSA').
Underlying government approaches to data residency
Dissecting underlying government approaches to data residency is a controversial and challenging undertaking, not least due to the political dimensions at play. However, patterns emerge in the types of records and data being targeted by localisation and residency laws.
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') does not legislate on supranational data localisation requirements, and instead leaves this area to national sectoral laws. Chapter V, although it restricts cross-border data transfers under many conditions, works for the most part to facilitate them. It does, however, require businesses to secure their data within the EU first.
For non-personal data, Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union prohibits data localisation requirements for non-personal data, unless they are justified on grounds of public security in compliance with the principle of proportionality.
Lively debate exists around a potential protectionist digital policy in Europe. The French data protection authority ('CNIL'), in its annual report for 2020, noted that data sovereignty was one of the main recurring themes of 2020 and that it is the CNIL's responsibility to develop an ambitious policy of European digital data sovereignty [7].
The UK's approach to localisation is as yet uncertain, but there are some elements of a pro-economy approach, whilst continuing to address challenges related to privacy, data protection, intellectual property rights, and security. The UK's G7 Digital and Technology Ministers investigated the impact of localisation on micro, small, and medium-sized enterprises ('MSMEs') [8] as part of the G7 Roadmap for Cooperation on Data Free Flow with Trust [9]. The Ministers acknowledged that localisation was less of a barrier for larger companies but could lead to small businesses exiting the market. They also acknowledged that many MSMEs are female owned and led (in the UK and globally) and that the impacts of localisation on women need to be better understood.
Common sector-specific residency requirements
Localisation laws know no bounds: they cover a range of sectors, including telecoms, health, financial services, insurance, tax/VAT, credit, virtual assets, and government. Behind each there is some sort of interest, which could be economically motivated, surveillance motivated, or aimed at protecting certain citizens' rights, such as privacy.
No general, various sectoral – A case study of the UAE
Looking at the UAE's landscape, we can see a focus on regulating transfers related to Big Data and emerging tech. Although the new federal data law does not seem to include localisation requirements, Article D.6 of the Regulatory Framework For Stored Values and Electronic Payment Systems [10] requires electronic payment service providers to store and retain all user and transaction data exclusively within the borders of the UAE for a period of five years from the date of the original transaction. The data must also not be stored in the UAE Financial Free Zones.
Article 6 of the Central Bank of the UAE's ('CBUAE') Outsourcing Regulation for Banks outlines that banks must ensure that the master system of record, which includes all confidential data, is continuously maintained and stored within the UAE. As an exception to this, and subject to CBUAE approval, branches of foreign banks may comply with this requirement by retaining a copy of the record within the UAE. However, bank customers' confidential data must not be shared outside the UAE without the approval of the CBUAE and the prior written consent of the customer. In such circumstances, banks must also obtain written acknowledgement from the customer that their confidential data may be accessed under legal proceedings outside the UAE.
According to Federal Law No. 2 of 2019 on Information and Communication Technology in the Health Field, it is not permitted to store, process, generate, or transfer data and health information related to health services outside the UAE, except where it has been allowed by a decision taken by the Ministry of Health and Prevention.
There are also some overarching consent requirements for data transfers or for particular categories of information that should be considered, for instance in the Penal Code and the CBUAE Consumer Protection Regulations.
Article 379 of the UAE Penal Code requires consent for disclosure of a 'secret':
'Shall be subject to a jail sentence for a minimum period of one year and/or to a minimum fine of twenty thousand Dirhams, whoever by virtue of his profession, craft, position or art is entrusted with a secret and divulge it in cases other than those allowed by law or if used for his own personal interest or for the interest of another person, unless authorized by the confiding person to disclose or use it.
The penalty shall be imprisonment for a term not exceeding five years in case the perpetrator is a public servant or a person in charge of a public service who was confided the secret because or on the occasion of discharging his duties or performing his service'.
CBUAE Consumer Protection Regulations
Sections 6.1.1.2 to 6.1.1.5 of the Standards accompanying the Consumer Protection Regulations ('CPR') provide that:
'6.1.1.2. Licensed Financial Institutions must protect Consumer Data and maintain the confidentiality of the Data, including when it is held, accessed or used by Authorized Agents.
6.1.1.3. Licensed Financial Institutions are responsible for ensuring Data protection and individual Consumer confidentiality with respect to any profiling, Data mining, marketing and sale of financial services through use of new technologies and social media.
6.1.1.4. Licensed Financial Institutions must provide a safe, secure and confidential environment in all of its delivery channels to ensure a high level of confidentiality and privacy of Personal Data.
6.1.1.5. Licensed Financial Institutions have a legal obligation of confidentiality towards a Consumer except: a. When disclosure of Consumer Data is properly imposed by a legal authority; or b. When disclosure is made with the expressed consent of the Consumer, or through a representative nominated by the Consumer'.
Section 6.1.3 of the Standards outlines further conditions for expressed consent by consumers. For example, one of its provisions states that '[t]he Consumer must give his/her expressed consent freely and explicitly to a request for the use and/or sharing of Personal Data by the Licensed Financial Institution. The request for consent must be expressed in clear and plain language and inform the Consumer of his/her right to refuse to provide expressed consent'.
UAE - ADGM
Within the UAE's Financial Free Zones, specific regulations may also apply. This is the case for Abu Dhabi Global Market ('ADGM') accounting and employee records, among others. According to Article 377 of the Companies Regulations 2015 [11], if accounting records are kept at a place outside the ADGM, accounts and returns with respect to the business dealt with in the accounting records so kept must be sent to, and kept at, a place in the ADGM. According to Article 11 of the Employment Regulations 2015 [12], an employer must keep the following records for every employee at its principal place of business in the ADGM:
- a copy of the employee's contract of employment;
- the employee's name, date of birth, occupation, telephone number, and contact address (both residential and postal);
- the date on which the employment began;
- the employee's wages (gross and net, where applicable), and the applicable pay period;
- the contractual hours which the employee has agreed to work;
- the benefits paid to the employee by the employer;
- each deduction made from the employee's wages and the reason for it;
- the dates of the national holidays taken by the employee and the amounts paid by the employer;
- the dates of the vacation leave taken by the employee, the amounts paid by the employer, and the days and amounts owing;
- sick leave and other special leaves of absence; and
- the amount of any end-of-service gratuity payment and any other severance payment paid to the employee on termination of the employment.
Government-related data in the EU
Although there may not be a general residency requirement across all sectors in the EU, many governments require that data related to government or public sector activities remain in the relevant jurisdiction. This is the case in France: although the GDPR applies and personal data may leave the jurisdiction, there are exceptions to this rule for data or records considered national treasures or national defence secrets.
Data or records related to cloud computing are frequently subject to residency requirements due to the delocalised nature of the service. In South Africa, there are no data localisation requirements under the Protection of Personal Information Act ('POPIA'). However, on 1 April 2021, the draft National Data and Cloud Policy opened for public consultation. If passed, it would have widespread repercussions for data transfers in the region. It calls for data sovereignty, under which data classified or identified as critical information infrastructure may only be processed and stored within South Africa. Moreover, the draft policy requires localisation of copies of all data transferred outside of South Africa for law enforcement purposes. More widely, any related data generated in South Africa would become the property of South Africa, even if the technology company is not incorporated in the territory.
Since the GDPR does not provide any localisation requirements, there have not been any enforcement actions or fines for violations of such provisions. Nevertheless, there has been a new wave of authority decisions following the Schrems II Case. EU supervisory authorities have been entrusted with a new responsibility to enforce Chapter V under these terms. There has been increased regulatory interest in data transfers and, as a by-product, this has raised questions on global data localisation and storage requirements.
Both the CNIL and the Portuguese National Data Protection Commission ('CNPD') have prohibited or suspended transfers to US service providers in light of the Schrems II Case.
More recently, the European Data Protection Board announced that the first joint investigatory initiative under the coordinated enforcement framework would investigate the GDPR compliance of public bodies using cloud services.
Questions are arising around the future of data transfers and where localisation requirements sit within this story. It is a crucial time for businesses to examine closely the requirements of data protection laws (not just in the EU, but in the Middle East and Africa too) and what their data protection authorities are doing to enforce them.
Amelia Williams, Senior Privacy Analyst
1. See: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1040551/uk-australia-free-trade-agreement-fta-chapter-14-digital-trade.pdf
2. See: https://www.gov.uk/government/publications/uk-singapore-digital-economy-agreement-explainer/uk-singapore-digital-economy-agreement-final-agreement-explainer#data-flows
3. See: https://www.dataguidance.com/legal-research/cloud-computing-regulatory-framework-2019
4. See: https://www.dataguidance.com/legal-research/critical-systems-cybersecurity-controls
5. See: https://www.dataguidance.com/legal-research/regulatory-rules-prepaid-payment-services-kingdom-saudi-arabia-2012
6. See: https://www.dataguidance.com/legal-research/internet-things-regulatory-framework-2019
7. See: https://www.cnil.fr/fr/la-cnil-publie-son-rapport-dactivite-2020
8. See: https://www.gov.uk/government/publications/uk-g7-presidency-statement-digital-and-tech/g7-digital-technology-roundtable-investigating-data-localisation-impacts-on-msmes-and-alternative-policy-responses
9. See: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/986160/Annex_2__Roadmap_for_cooperation_on_Data_Free_Flow_with_Trust.pdf
10. See: https://www.dataguidance.com/legal-research/regulatory-framework-stored-values-and-electronic-payment-systems-2017
11. See: https://www.dataguidance.com/legal-research/adgm-companies-regulations-2015
12. See: https://www.dataguidance.com/legal-research/adgm-employment-regulations-2015-0