Many organizations wonder, “Does server location really matter under GDPR?”. This question arises from the complex landscape of data protection regulations. There is often a strong emphasis on the importance of the location of user data. However, in the context of the GDPR, data localization is not as important as many people think. Based on the requirements of the GDPR, securing the data when transferring, is actually a more crucial aspect compared to the issue of data localization.
Data localization is the practice of storing and processing data within a set geographical space. This is different than data residency which is often used interchangeably with data localization; however, it is slightly different. Data residency refers to the actual location of the servers and other infrastructure used to store and process the data. While data localization includes the concept of data residency, it also incorporates the idea of data sovereignty. Data sovereignty refers to the rights of the legal authority or any entity to exercise control over data within its borders. Data localization is the combination of both data sovereignty and data residency.
The EU’s General Data Protection Regulation (GDPR) prioritizes strong data protection practices and indirectly favors the storage of personal data within the EU. However, data localization is not a strict legal requirement therein.
What is required to transfer data outside of the EEA?
The GDPR does specify the need for “appropriate safeguards” for transferring data outside the EU. Articles 44 to 50 of the GDPR detail the requirements for storing and transferring data outside of the EEA, including adequacy decisions, standard contractual clauses, certifications and binding corporate rules as well as when processing activities are exempt from these requirements.
Standard contractual clauses as described in GDPR Art.46 are legally binding data protection clauses approved by the European Commission. Binding corporate rules (BCRs) as described in GDPR Art.47 internal rules adopted by multinational companies or groups of enterprises for transfers within a group. BCRs serve to ensure all members maintain appropriate levels of GDPR compliance regardless of their locations. If a company decides to rely on BCRs as a transfer mechanism, all its EU-based entities must adhere to the binding corporate rules when transferring data outside the Union. There are also certification mechanisms for transfers; however, these alone are not sufficient for data transfers outside of the EEA.
An adequacy decision states that a country outside of the EEA provides adequate data protection measures. If an adequacy decision is in place, then no additional data protection safeguards are required. There are currently adequacy decisions with the following countries: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland , the United Kingdom under the GDPR and the LED, the United States (commercial organizations participating in the EU-US Data Privacy Framework) and Uruguay.
Addressing the US
Many tech companies and third party service providers are located in the U.S. The Schrems II case, in July 2020 invalidated the U.S. Privacy shield, which allowed for U.S.-EU data transfers. This was due to concerns related to data sovereignty. Essentially, the personal data of EU data subjects that was located in the U.S. could be processed and subject to U.S. surveillance, meaning that US laws did not actually provide adequate privacy protection in accordance with the GDPR for EU data subjects. This case made data localization within Europe more common to avoid transfers to the U.S. when possible.
The GDPR does not mandate data localization, but it outlines strict rules and requirements for processing data outside of the EEA. Storing and processing data of EU data subjects within the EU helps to make compliance with the GDPR easier; however, compliance is not just data localization, data security and minimization are also crucial to consider.
Understanding Data Practices
In recent years there has been a growing trend of organizations using third party services such as content distribution networks (CDNs) and cloud storage services. CDNs have become increasingly popular, serving a majority of web traffic, including traffic from major sites like Facebook, Netflix, and Amazon. Server location means where the servers physically are. Large service providers such as Amazon, Google or Cloudflare allow for companies to choose the location of the servers holding the information. While Amazon might be a US entity, information stored in an Amazon server located in Germany for example is subject to German legal requirements on data sovereignty.
In 2021, a report was published revealing that within the calendar year 44% of organizations experienced a data breach, and the majority of these data breaches were due to not properly assessing the risks of third party vendors. Many organizations see the use of third parties as a security risk, but not a high security risk leading to insecure and poor data management practices. It is important to utilize strong security practices such as always sending personal information using TLS and encryption as opposed to directly over HTTP. While location of the third parties utilized is important, arguably it is not as important as the data management practices or security practices implemented by said third parties.
The Global Landscape of Data Privacy and Data Localization
Some countries have stronger data localization laws. In 2017, there were 67 data localization laws; however, by 2021 that number had grown to 144. There is a growing trend towards regulating data localization. The most notable data localization laws effect: China, Brazil, Russia, and India.
- China has the personal information protection law (PIPL) which has various localization requirements in regards to personal information. It requires companies to store and process data within China’s borders.
- Russia enforces the Federal Law on Personal Data No.152-ФЗ, dated 27 July 2006 (PDL), and updated it in March 2023 to include strict data localization requirements, mandating the maintenance of data within Russia.
- India’s Digital Personal Data Protection (DPDP) Act, 2023, authorizes the Central Government to impose localization restrictions on certain data categories and potentially require storing specific types of personal data within the country.
There are other countries that require data localization, and when processing information about data subjects located in specific countries it is important to be aware of any data localization requirements. Specific industries such as healthcare have regulations that deal with data residency requirements, such as UAE Health Data Law.
Conclusion
While data localization can facilitate compliance and potentially simplify certain regulatory aspects, based on the GDPR: the ultimate focus must remain on implementing strong, consistent data protection practices. The GDPR prioritizes securing data through comprehensive safeguards, regardless of physical location, and emphasizes mechanisms such as standard contractual clauses, binding corporate rules, and adequacy decisions to ensure protection across borders. There is an increase in a trend towards data localization as more regulations are requiring data residency, and this article does not take into account other possible local regulations. Furthermore, the evolution of global data privacy laws suggests a continuous shift towards balancing data sovereignty with international data flows, underscoring the importance of robust security practices over mere geographic constraints.
Therefore, when asking, “Does server location really matter under GDPR?”; the answer lies in balancing data security and compliance measures, regardless of geographical constraints. TechGDPR can help to better understand how to navigate data privacy regulations and ensure a high level of compliance.