The General Data Protection Regulation (GDPR) transformed the world of privacy—mostly for the better. However, while Europe’s landmark policy set the standard for the protection of consumer information online, it also triggered a cascade of regulatory actions based on the dubious idea that localizing data makes it more private and secure.
Data protection laws with localization provisions existed in some jurisdictions before GDPR, often for national security purposes. But since GDPR went into effect in 2018, at least 30 countries have adopted new data protection laws or amended existing ones, according to data from the United Nations Commission on Trade and Development, and many of them place restrictions on transferring personal data to certain other countries.
Data privacy is my passion, and it’s never gotten more attention. I think about it all the time, and I’m glad so many other people—regulators and businesses alike—are thinking about it, too. But localizing data does not make it more private. In fact, the increasing pressure to comply with sometimes inconsistent and incompatible data localization rules can make it harder for organizations to protect the privacy of the data they process. And failure to comply is costly, as Meta learned when Irish regulators fined it €1.2 billion for transferring locally created data to the United States.
GDPR is generally viewed as a gold standard for privacy protection. It enshrines the rights of data subjects and mandates data handling practices that have been copied by lawmakers in other countries. In addition, due to the GDPR’s comprehensive requirements, many companies took the approach of applying the GDPR’s standards to all personal data they process. As a result, the personal data of billions of people globally is protected at the level set by the GDPR, whether they live in Europe or not.
One of GDPR’s (perhaps unintended) effects, though, has been the emergence of geography as a proxy for privacy. Prior to GDPR, there were limited use cases for data localization. Governments wrote localization requirements into contracts to shield certain data from foreigners, or authoritarian states mandated it to allow for government access to private data. But GDPR intensified the focus on regulating cross-border data transfers. When the European Court of Justice’s Schrems II decision invalidated the EU-US Privacy Shield in 2020, it spurred a number of regulators to take the view that no transfer of EU data to the United States would be permissible under the standard set by that court. And since some of the biggest cloud providers are based in the U.S., that decision had major repercussions for businesses around the world.
The idea behind data localization — that data should be stored and processed in the same place it’s generated — is appealingly simple. If the data of a country’s citizens stays on servers inside the country – the thinking goes – then the country can keep that data safe and ensure the data will be handled in accordance with local laws. In practice, however, it creates a more fragmented Internet where actual privacy and safety are harder to achieve. By creating artificial geographic silos, data localization actually diminishes our ability to identify and proactively act on vulnerabilities. When data on bot trends in India can’t be shared with cyber security experts in Indiana, for example, the Internet gets more perilous for everyone. And keeping data local can have dangerous impacts on a country’s national security too, as Ukraine found out when Russia invaded in 2022.
That’s the big-picture effect. For individual organizations trying to operate as localization mandates proliferate, the existence of so many national, regional, and local regulations is a big problem. Cobbling together IT infrastructure that satisfies all of them without sacrificing performance is daunting.
It’s daunting but not impossible if you ask the right questions as you assess security and data protection solutions. You can meet regulatory obligations as well as customer and user demands with products and vendors that prioritize proactive compliance, resiliency, and visibility.
When evaluating whether a security tool can help you satisfy data localization requirements and deliver the results your users expect, consider these 3 key questions:
Does it have a truly global presence and mindset?
A tool won’t give you control over data location without underlying software and hardware that’s already operational and in compliance in many countries and regions. And you’ll want to choose a vendor that has given careful thought to the nuances of data protection compliance in each jurisdiction where it has users.
Does it give you a view into where (and how) your data is being handled?
You can’t be sure you’re complying with local data handling mandates without ready visibility into where your data is and clear explanations for what happens to it in transit and at rest.
Is the vendor committed to privacy and security?
The company backing the product should have a full suite of privacy-focused certifications from standards organizations and government agencies. It should also have a record of maintaining user data encryption, regardless of local policies wherever that data resides. And it should have experience standing up to government data requests that conflict with the data protection laws of the data subject’s home jurisdiction.
At Cloudflare, we believe that how you safeguard data is more important than where you do it. We’ve built a global cloud network that puts privacy first by putting security first, And we have the certifications to validate our approach—ISO 27701 and ISO 27018, plus validation under the EU-U.S. Data Privacy Framework and the EU Cloud Code of Conduct.
But because we recognize that some of our customers require localization tools, we’ve put the power of that global network into our customers’ hands with a suite of localized tools that offer centralized visibility into the state of their data and control over where it’s used and stored.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Emily Hancock — @emilyhancock
Chief Privacy Officer, Cloudflare
After reading this article you will be able to understand:
How geography became a proxy for data privacy
The shortcomings of data localization
3 key questions to ask when evaluating security tools