Data residency laws pushing companies toward residency as a service

Data residency laws require that companies operating in a country keep data about its citizens on servers located in that country. For companies that have customers or employees in multiple countries, the regulatory requirements can be onerous and difficult to keep up with.

Previously, “safe harbor” laws or tokenization-based approaches helped companies address the issue, but recent regulatory changes have made both approaches less workable. Meanwhile, countries like China, Russia and Brazil have been making changes to their data residency requirements.

• In 2020, European courts upended the previous data transfer mechanisms — the EU-U.S. Privacy Shield and standard contractual clauses. In summer 2021, new guidance was released, and companies now have until the end of 2022 to switch to new standard contractual clauses that comply with the new requirements.

• In summer 2021, China passed a new data security law, which went into effect in September, with significant financial penalties for companies that violate its new cross-border data transfer rules. This was soon followed by a personal information protection law, China’s answer to the EU’s General Data Protection Regulation (GDPR), which took effect in November.

• Brazil passed its own version of the GDPR in fall 2020 and began enforcing it in August 2021.

• Russia adopted a data localization law in 2014, then upped the fines on violations significantly in 2019. Last summer, a new law required companies with significant numbers of Russian users to have not just servers but physical offices in Russia. That law went into effect at the start of 2022.

According to the United Nations Conference on Trade and Development, 133 countries have legislation in place to protect data and privacy and another 20 are working on draft legislation. As a result of these and other changes, companies now either set up local servers for the jurisdictions where they do business and residency laws apply, use cloud providers that offer residency support, or work with a newly emerging class of vendors called residency-as-a-service providers.

Meeting data-residency requirements a pain point for CISOs

Last fall, when Jason Rader started his new job as senior vice president and CISO at Insight, he had to face the problem head-on. The Fortune 500 company provides technology services in 19 countries around the world. “A CISO’s job is crazy from that perspective,” he says. “Everybody thinks we automatically understand every privacy law.” But the laws vary greatly from country to country — and in the United States, from state to state.

Rader says that he relies on relationships with legal and compliance experts who have deep expertise in specific jurisdictions. Take China, for example. “China is going to be the biggest market on the planet and they’re probably the most restrictive of anyone I’ve dealt with,” he says. “If you’re going to do business in a country, you have to observe the laws. You need to prove you’re doing everything possible to comply — especially if it’s a market that you’re making a big investment in.”

Setting up dedicated servers inside those countries is the old approach, he says. “It’s super expensive and you need on-prem resources, human resources,” he says. “I don’t think anybody starting off fresh is trying to approach it that way, unless there’s some giant restriction associated with it.” Defense industry-related operations, for example, may require a secure local presence, he says.

For many companies, the quick way to address the issue is with residency-as-a-service providers. “You transfer the data residency aspect to an organization that has its own data centers,” he says. “Or you work with cloud providers with in-country data processing. Most of the major cloud providers have a way of doing data residency in places like Brazil and China.”

The one major exception is Russia, he says. None of the major cloud providers do business in Russia.

Since the laws keep changing, companies must be flexible, Rader says. “A law can change, and it can change your entire way of doing business.” Using cloud providers or residency as a service can help offer that flexibility. “I just point to a particular location, API or IP address, and those guys handle the data residency requirements.”

Insight currently uses on-premises resources that came with companies it has acquired around the world, in combination with cloud providers. In China and Brazil, Insight operates through business partners, he says. “We do very limited business in those countries and don’t have data facilities there,” Rader says.

“Partnerships are a way for us, as a U.S.-based organization, to have a more global presence,” Rader says. “Especially in the EU, where there are lots of different country requirements, you have to make sure your partnerships are solid.”

Insight does not operate in Russia at all. “In Russia, they have a very paranoid regime,” says Ilia Kolochenko, member of the Europol Data Protection Experts Network and CEO at cybersecurity vendor ImmuniWeb. “Personal data must be physically stored in Russia, which is why LinkedIn has been banned in Russia.”

Google, Meta and Twitter have all been hit with fines in the past two years as well for violating Russia’s data residency rules. “But the Russian market is pretty small,” Kolochenko says.

Data is the new oil, and data sovereignty is the new protectionism

Countries look to data-residency laws for many reasons, says Michael Bahar, partner at Eversheds Sutherland, a global top ten law firm. He is the co-lead of the firm’s global cybersecurity and data privacy practice, with a team of 150 people in 35 different offices around the world.

“I’ve been calling it the rise of data sovereignty,” Bahar says. “It’s troubling. Data is a bit like the new gold bullion or even oil. Countries are trying to get their hands around their own data at the expense of other countries. On the surface, the reason is national security, to protect their citizens’ personal data.”

Data is also fuel for advanced technologies like artificial intelligence (AI), Bahar says. “The more personal data you have, the greater your AI capabilities.”

Finally, there are repressive regimes. Some countries want to have access to information about their citizens, and don’t want anyone else to have that information because they see the power of it.

What the world needs, Bahar says, are international agreements. Until then, companies need to operate on a country-by-country basis. “Some countries are okay with exporting data as long as they keep a copy and there’s consent,” he says. “Or they may trust data to flow to this country and that country but not that one. You have to take time and care to map all this stuff out.”

Countries will also have different rules about encrypting data, Bahar says. Some will want to sign off on the encryption used, or restrict how it is used, or ban non-local encryption outright.

The rules may also be different for customer data and for employee data. “It also depends on the type of company and the industry you’re in,” Bahar says.

Even worse, it’s not enough to just know the letter of the law. “You need to take local implementation into account,” Bahar says. “The law can say one thing and can be implemented differently on the ground. I can’t stress that enough.”

Navigating global data privacy and sovereignty laws is an enormous issue, Bahar says. “It’s probably one of the most important issues facing companies today.”

Perfection is not attainable, Bahar says. “There are degrees of compliance, and every company is going to have a different risk tolerance and risk profile. When you’re complying with one country’s laws it may force you to be out of compliance with another country’s laws.”

The biggest concern for companies right now has to do with the recent changes in European laws. It’s known as the “Schrems II” decision, named after a complaint filed by Max Schrems against Facebook. The first Schrems decision challenged the transfer of data of European citizens to the United States and invalidated the Safe Harbor arrangement in 2015. It was replaced by the Privacy Shield arrangement — which was, itself, invalidated by the Schrems II decision in July of 2020.

“We are anticipating that the fines for violating this are going to become more predominant and more expensive,” says Bahar. “It’s going to have a humongous impact. That’s what we’re spending the biggest time on — how to navigate the Schrems II decision.”

Tokenization? Regulators aren’t buying it

A few years ago, many companies saw tokenization or anonymization as the way out. By replacing personally identifiable information with tokens, companies could still collect the rest of the data in a centralized way for processing and analysis.

Today, this approach is largely insufficient to comply with data sovereignty laws, says Bahar. “If you can put it back together, it can be used to identify who you are,” he says. “It’s still personal data.” Regulators have caught on.

Tokenization, anonymization and encryption do have roles to play in cybersecurity, he says, in protecting data in transit and data at rest. “No matter what you call it, if you can put it back together to identify somebody, then it’s not a way to avoid data sovereignty laws.”

Data privacy, residency laws make data a strategic business issue

The evolving data protection landscape does have one benefit, says Mark Sangster, author of the book, “No Safe Harbor,” and vice president and industry security strategist at eSentire. Although it increases operational costs and efforts, and may lead to hefty fines, all these laws do take data and information security and make it a business issue instead of a technology issue. “They force cybersecurity leaders, privacy experts, compliance judges and business leaders to come together,” he says. “These laws do not fall, under the purview, of one group or the other.”

Moreover, the laws do have some elements in common. By creating a holistic, enterprise-wide approach to compliance, by focusing on the spirit of the law and the purpose of these regulations, companies can get ahead of the problem.

Companies need to start with identifying all the critical data they collect, based on the definitions of protected data available in GDPR, the new Chinese regulations, and other data privacy laws. Sangster suggests that companies use asset management to control and classify the data and create access and privilege rules, as well as to enable geographic controls on data use or transfer.

“Perhaps five years ago, these laws were more about local compliance and less about strategic infrastructure decisions,” Sangster says. Today, these privacy and residency laws are central to massive decisions about technology infrastructure. More and more often, they have fundamental impact on core business models as well.

Residency-as-a-service vendors

The major cloud providers all offer some degree of data localization for their enterprise customers. However, some new companies specialize in residency as a service, offering more comprehensive data location services, compliance, and expertise. They include:

InCountry covers more than 90 countries with its country compliance research center and works with all major global cloud providers as well as Alibaba Cloud in China and Yandex Cloud in Russia.

Odaseva helps companies address data residency requirements for Salesforce, including in China and Russia, with general availability planned for 2022. The company plans to support other SaaS platforms as well, such as Workday.

Skyflow offers data residency as a service with data vaults that can be located anywhere in the world, using zero trust security, polymorphic encryption, tokenization and redaction.