Data localization is about jurisdictions adopting policies with an aim to protect the jurisdictions' sovereignty over the data generated from within its geographic boundaries or from its residents. The policies are intended to help protect the jurisdiction and its residents from external entities (private or public).
Figure 1 shows the increase in Data Localization measures globally from 1960-2015. This increase indicates that this is a problem that will only get bigger as time goes by. The CBDC needs to understand and recognize it as a growing international trend.
The need for Data Localization is justified for different reasons, such as the protection of data from:
This usually takes the form of a mandate and/or a set of laws or regulations that require certain data to be physically stored on servers within the country of origin.
Data Localization policies tend to fall into three categories2):
|Localization Category||Description||Law or Regulation Examples|
|Local-only Storing, Transmission, and Processing|| |
This generally means an obligation to locally manage data or a prohibition of international data transfers. This is the strictest type of localization policy and is more likely to be descriptive of nations seeking broader control over citizen activities.
|Local Copy Required|| |
Companies are required to keep a copy of data in local servers or data centers. This allows for easier access to this data for regulation and law enforcement purposes, i.e., it is generally easier for local law enforcement agencies to access data stored locally than it is for them to access data stored in another jurisdiction.
|Narrower, conditional restrictions|| |
Transfers of data outside the country are only permitted if certain conditions are met by the transferee and/or by the recipient country.