Data localisation as a risk area for global businesses is picking up steam. Recently, the United Nations Conference on Trade and Development (UNCTAD) recommended that developing nations should examine data localisation policies to “develop domestic digital capacities and digital infrastructure.” However, data localisation policies can damage not just the digital sector, but the entire economy, by benefiting a few companies at the cost of blocking innovation for others, particularly SMEs.
The financial services sector is on the front lines: heavily reliant on cross-border data transfers and often a first target for policy makers pursuing localisation. But who are the worst offenders?
Since March 2017, the Reserve Bank of India has maintained guidelines requiring mobile payment product providers to establish a local entity in order to access the market.
On April 6, 2018 the Reserve Bank of India ordered all system providers to store their data in a system located in India, including end-to-end transaction details, collected and processed information, and payment instructions; for the “foreign leg” of a cross-border transaction, the data can also be stored in that country. India’s IT sector has been a key and growing export, and the benefit for local companies is likely to be outweighed by the loss of business with foreign companies.
Financial service providers were required to report their compliance with the ban on sending financial data abroad to the Reserve Bank of India by 15 October 2018.
In 2012, Indonesia passed Government Regulation 82 (“GR82”) to implement aspects of the Electronic Information and Transactions Law, with a focus on ensuring that electronic system operators for public services use Indonesian data centres. The most serious data localisation requirements, however, stem from an upcoming draft amendment to GR82, which will specify which entities are forced to comply with these strict data localisation requirements by creating a new definition of “strategic electronic data.”
Firms defined as electronic system operators — potentially including financial service providers — that provide a public service and store strategic electronic data would be required to store the data in local data centres. They would not be allowed to send, exchange, or copy the data outside of Indonesia; and wouldn’t be allowed to manage, process, and store the data through cloud computing.
Fortunately, GR82’s risks to the digital sector were highlighted by stakeholder coalitions, with the data centre provision noted as a particular issue, and the draft is being revised in collaboration with the Ministry of Law and Human Rights and the State Secretary.
Additionally, Bank of Indonesia’s Circular Letter 9/30/DPNP states that financial institutions cannot place data centres in a jurisdiction where access to information by OJK (the Indonesian financial services regulator) can be obstructed by legal or administrative restrictions.
Under the Chinese Cybersecurity Law, there is no binding regulation specific to the financial sector relating to data localisation. However, a draft regulation on the treatment of personal information and important data from the Cyberspace Administration of China would create stringent data localisation requirements for the financial sector.
The 2014 Federal Law 242-FZ, an amendment to the 2006 Federal Law 152-FZ, requires the personal data of Russian citizens to be stored and primarily processed in Russian data centres. In its current interpretation, this creates significant data localisation requirements for financial companies.
Viet Nam’s Law on Cybersecurity requires that personal information — which explicitly includes credit card numbers — be stored in Viet Nam for the duration of the service supplied to a customer. It remains unclear whether the measures will be interpreted as strict localisation, thereby prohibiting cross-border transfers, or as data mirroring.
The Guidelines for Nigerian Content Development in ICT (2013) require foreign and local businesses to locally store the data of Nigerian citizens and establish local content requirements for hardware, software, and services. While technology providers (such as global cloud computing companies that serve the financial sector) can currently apply for a waiver, the Nigerian Information Technology Development Agency is considering a draft cloud policy containing data residency requirements and a separate data classification framework.
In 2012, Luxembourg’s financial regulator (the Financial Sector Surveillance Commission, or CSSF) issued a circular creating stringent requirements that encouraged an institutional preference for storing data in country.
While the circular does not openly require that processing centres be physically located in the country, it imposes requirements to ensure that the third-party provider offers an adequate level of security for confidential data. Combined with additional requirements for “quick and unfettered access” to stored information, several financial institutions have interpreted these requirements as de facto localisation.
Sweden’s Financial Supervisory Authority requires “immediate” access to data in its market supervision, which is interpreted as physical access to servers, amounting to de facto localisation. Additionally, Sweden requires companies to store data on current company records and accounts in Sweden for seven years.
The Personal Data Protection Act prohibits data users from transferring any personal data outside Malaysia without special approval. Similar to European rules, a foreign jurisdiction must be deemed adequate to receive Malaysian data. The first draft of a list of such countries was published for consultation in 2017. In the absence of a finalised list, firms have to get explicit consent from the data subjects, prove that the transfer is necessary for the performance of a contract or necessary to the interests of the subject, or prove that the data user has taken all precautions to ensure the data is adequately protected in the recipient country.
Staying on Top of Regulatory Barriers
Rules are evolving quickly and several countries, like Viet Nam, Nigeria, and India, are considering regulatory changes that will have a direct impact on financial sector data. While data localisation requirements hurt all sectors, data localisation requirements specific to the financial sector increase barriers to trade and investment and harm the efficiency of businesses operating across multiple jurisdictions. As a result, these businesses need to keep informed about regulatory developments not only around data localisation, but other data protection requirements as well.
Access Partnership has developed an International Data Policy Database (IDPD) to help companies do exactly that, then manage compliance and proactively reimagine their own data management strategies. The Data Governance and Advisory Team (DGAT) continuously manages and updates this database, tracking regulations in up to 200 jurisdictions across nine sectors and eight issue areas, including data localisation, privacy and cybersecurity laws.
Contact DGAT at +1 202 503 1570 to find out how you can leverage the IDPD and our data governance and risk assessment toolkit to create a tailored analysis of the risk you face and a strategy to manage it.
Want to find out more about what leading companies are doing to comply with new requirements? Register for our upcoming webinar: Ensuring Your Company’s Privacy Compliance in 2019 and Beyond on 17 January at 10am EST/3pm GMT.