Global - Data Residency Laws - Compliance options for Multinationals As noted in this months' editorial and in country-specific updates throughout this LegalBytes issue, a new data residency requirement applies in Russia as of September 1, 2015. Multinationals have to take a position on how to react: Wait and see, adapt, or consider existing the Russian market. As a possible response to data residency requirements, multinationals could theoretically establish an additional full-scope data center in each jurisdiction that enacts data residency requirements, while simultaneously keeping data in their respective territories. While this would address data residency requirements, it would also raise costs, create tax issues (each new local server with a data base may create an additional taxable presence), provoke privacy concerns from customers and trigger data privacy law compliance issues arising from additional data transfers to the newly established server. Instead of storing data locally, service providers could also reconfigure the architecture in a manner that gives customers the option to only have certain data stored locally, e.g., Russian data in Russia. This will counteract some of the benefits cloud technologies offer and require additional investments, that providers will very likely try to pass on to their customers. Another option may be to record and store only personally identifying data in Russia (a portion of the database containing full names, contact details, etc.), while processing pseudonymised user transaction data in data centers located abroad. This would also require changes to companies' IT infrastructures and may employ tokens or similar features. But, any solution that caters only to the letter of the data residency law in question (by keeping personal data local), without addressing the spirit of the law (enabling local data access) bears the risk of ultimately being rejected by local governments. A technologically easier and cheaper way to ensure the availability of databases locally is to make and keep (partial) copies of databases locally, for example, by way of continuously creating local back-up copies of data, which are subject to residency requirements on a local, external data storage device. If the local company that is subject to data residency requirements uses a standard storage device and back-up software program, this approach would not create any significant additional costs and could prevent more significant disruption of cloud architectures. It should also largely satisfy a foreign government’s objectives to secure easy access to personal data of its citizens. But, it may not satisfy the letter of any law that requires that the primary data base (as opposed to a current copy) has to reside locally. The Russian data protection authority ("Roskomnadzor") for example has issued a non-binding opinion in October 2014 to the effect that only databases located within Russian territory may be used for processing of personal data of Russian citizens (recording, correction, alteration, extraction etc.). Companies that do not wish to change their IT infrastructures and processes can comply with data residency requirements also by ceasing to collect any data from affected jurisdictions. Cloud and Internet service providers with a global customer base could decide to stop targeting customers in countries with data residency requirements and affirmatively exclude them from contracts. Multinationals with local presences can liquidate the local presences or at least sever technology ties by setting up separate, local data bases for their affected subsidiaries. Users of cloud and Internet services in countries that impose data residency requirements can expect a reduction in available options and offerings if foreign companies are unwilling or unable to accommodate the data residency requirements. Smaller, charge-free services are likely to become unavailable, at least until local offerings develop. Foreign news and media companies could also be blocked based on failure to comply. Perhaps this will boost the development and establishment of local, home-grown information technology services providers. But, since economies of a global scale will not be available to local alternatives, an increase in prices and reduction of available offerings could also be a more permanent consequence. Consumers and companies in countries with strict data residency requirements will likely not be able to benefit from the full potential of cloud computing solutions. This will possibly slow down local technological progress and further increase the global digital divide. As long as Russia remains the only jurisdiction with a broad data residency requirement, most multinational companies can develop a one-off solution or workaround or simply suspend business with Russia. If more countries or any markets with more economic significance for global businesses follow suit, users and providers of information technology solutions have to reconsider architectures more seriously. For more information, please contact Lothar Determann, Edward Bekeschenko, Vadim Perevalov, Alexander Tarasenko, Mark Innis, or Anne-Marie Allgrove.