International: Understanding data residency - Part one: Americas perspective

Many jurisdictions are increasingly enacting laws and regulations governing how and where data must be stored, either within their respective borders or abroad. What has resulted is a constantly evolving network of rules and restrictions for the location of data. In this three-part series, OneTrust DataGuidance provides an overview of key trends in data localisation and data residency, outlining underlying approaches to the same, as well as common trends associated with sector and categories of data.


Background

Data localisation vs. data residency

An important first point of clarification is the concept of data residency vs. data localisation. Unfortunately, as a result of a lack of definitions in legislation within the Americas region, as well as many authorities using the terms interchangeably, there is no definitive definition. However, conceptually we can define data residency as rules governing where a jurisdiction specifies their data must be stored geographically. On the other hand, data localisation can be defined generally as the rules which mandate that data created within a certain jurisdiction must be kept within the jurisdiction.

US

Although, from a US perspective, there is no comprehensive federal data protection law, there are sectoral laws relating to data residency/localisation or government access to certain types of data. In addition, many of the obstacles organisations faced with regard to the use of American citizens' data abroad and data transfers to the US were addressed by mechanisms, including the EU-U.S. Privacy Shield. However, as a result of the Court of Justice of the European Union ('CJEU') decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), the EU-U.S. Privacy Shield was invalidated, leaving a significant regulatory gap for data transfers to and/or from the US.

Canada

Similar to the US, there is no explicit definition for either data residency or data localisation under Canadian law. Although the Personal Information Protection and Electronic Documents Act, SC 2000 c 5 ('PIPEDA') provides comprehensive data protection legislation, its data residency obligations focus on how data can be transferred abroad instead of where data should be stored. Notably, there are quite strict localisation rules in Canada at both the federal and provincial levels associated with certain categories of data, e.g. government-related data. This is a notable trend across many jurisdictions as governments look to protect data that could have an impact on national security or public safety.

Latin America

Equally, in Latin America, there are limited sectoral examples of restrictive localisation measures as most laws govern restrictions on cross-border data transfers.

Trends

On a general note, there has been an increase in data protection legislation. In the Americas, many states, provinces, and countries are enacting new and comprehensive laws that deal with residency either explicitly or through rules governing onward transfers, as mentioned above. In fact, the Office of the US Trade Representative ('USTR') released a report[1] which confirmed the rapid increase of legislation specific to data localisation, listing 21 jurisdictions that had localisation measures which the USTR identified as a barrier to digital trade.

As a result of the increase in restrictive localisation laws, many organisations have begun migrating to the cloud as a way to store data within a jurisdiction without having to be physically present and operating within the jurisdiction. From the Americas perspective, there is some hesitance to enacting restrictive laws regionally. This is highlighted even by the USTR report, which, when referencing a newly enacted electronic commerce law in Algeria, noted, "Such localization requirements impose unnecessary costs on service suppliers, particularly foreign firms, which are more likely to depend on globally distributed data centers". Across the region, many are concerned about the efficacy of data localisation measures, including the Business Council of Canada, which stated, "requiring [organisations] to obtain consent for every transfer would be impractical and, in many cases, impossible".[2]

In this same vein, there is growing debate within the Americas region as to whether data residency rules are effective tools with respect to national security concerns or increased control over nationally sensitive data. This has resulted in the inclusion of clauses in trade agreements which explicitly prohibit data localisation measures. The most recent is the United States-Mexico-Canada Agreement, which entered into effect on 1 July 2020 and stated that '[n]o party shall require a covered person to use or locate computing facilities in that Party's territory as a condition for conducting business in that territory'.[3] There is similar language in clauses of other bilateral agreements between the US and its counterparts, e.g. US-EU, US-Japan, and US-Kenya. In addition, similar sentiments are included in preferential trade agreements seen in Latin America.

Underlying approaches

Understanding the underlying approaches to data residency requirements can be a difficult exercise as many governments do not fully explain the reasoning behind such provisions. Additionally, because of the sensitivity of the categories of data, data localisation and residency requirements tend to be a highly political topic. From a US perspective, the laws are primarily driven to curb foreign governments' access rights to data stored outside the US. This is evidenced by US laws, such as the Clarifying Lawful Overseas Use of Data Act ('the CLOUD Act'), as well as restrictive national security laws, like the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001 ('the PATRIOT Act').

The political nature of data residency is also apparent when jurisdictions enact laws in response to the enactment of laws in other countries. A clear example of this is Canada's localisation laws, which were first introduced in response to the PATRIOT Act. In fact, in a Submission of the Office of the Privacy Commissioner of Canada ('OPC') to the Office of the Information and Privacy Commissioner for British Columbia, the then OPC, Jennifer Stoddart, outlined that, "the concerns raised about the impact of the USA PATRIOT Act on the privacy of personal information about Canadians are really part of a much broader issue […] the enactment of the PATRIOT Act may simply have served as the catalyst that brought these issues to the fore".[4]

In Latin America, one of the main focuses of data protection/privacy legislation is the increased free flow of data between countries in the region, subject to restrictions on transfers. This focus may potentially result from the trading agreements within the region; Latin America has some of the largest preferential trade agreements within the region, as well as with Latin American countries as parties to such instruments. In addition, for many countries within the region, data protection is still in its infancy.

Data residency requirements and associated categories of data

There are common restrictions on certain types of data. In particular, as previously mentioned, government-related data generally attracts residency requirements across all regions in the Americas. In addition, there are similar trends for accounting and tax data whereby either original copies must be kept within the region, or the transfer of such data must be authorised by relevant authorities, e.g. Argentina, Colombia, and Canada. Below are some examples of explicit and implicit residency and localisation requirements.

Explicit

US

CLOUD Act

All data in the possession, custody, or control, pursuant to lawful process, regardless of the location of the data, is subject to access for enforcement purposes through the use of bilateral agreements entered with the U.S. Department of Justice and regulatory counterparts.

PATRIOT Act

Most categories of personal information, including phone records, computer records, credit history, and banking history, are subject to access by U.S. government agencies for the prevention and mitigation of terrorism.

Canada

Directive on Security Management - Appendix J: Standard on Security Categorisation

Data (categorised as either 'classified' or 'protected') must be kept within Canada or stored in a Government of Canada facility abroad.

British Columbia and Nova Scotia

Data held by certain public sector institutions, such as hospitals, schools, and government agencies, must be stored and accessed only in Canada, unless certain conditions are met (Nova Scotia's Personal Information International Disclosure Protection Act and British Columbia's Freedom of Information and Protection of Privacy Act).

Implicit

Most jurisdictions outlined above have implicit data residency requirements as a result of the common restrictions for cross-border transfers of personal data. A number of jurisdictions adopt a similar approach to that of the European Union's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and set out restrictions, including authorisation from authorities, security measures, and adequacy requirements for countries to which data will be transferred.

Enforcement trends

Across the Americas, there are fairly limited enforcement trends with respect to data residency and localisation. However, in some jurisdictions, from a sectoral perspective, there are regulations being considered which may result in increased enforcement action.

Challenges and implications

One of the biggest challenges with data residency and localisation regimes is the cost of compliance. This has, among other reasons, led to the inclusion of clauses banning localisation rules in bilateral trade agreements, such as the United States-Mexico-Canada Agreement. Such clauses aim to lower the cost of moving data and provide increased certainty for organisations. In addition, there are varying definitions of data types that attract residency requirements, leading to increased confusion for organisations.

Conclusion

Data residency is an ever-evolving concept with varying national approaches. Although there is still debate on the necessity of such rules, jurisdictions are increasingly enacting laws and regulations, leading to more complex regulatory frameworks. Notably, as a result of the ubiquitous nature of residency, organisations must consider their obligations and keep a watchful eye on changing rules.

Edidiong Udoh Privacy Analyst

1. Available at: https://ustr.gov/sites/default/files/files/reports/2021/2021NTE.pdf
2. Available at: https://thebusinesscouncil.ca/report/data-driven/
3. Available at: https://ustr.gov/sites/default/files/files/agreements/FTA/USMCA/Text/19-Digital-Trade.pdf
4. Available at: https://www.priv.gc.ca/media/1296/sub_usapa_040818_e.pdf