Data Residency- One Piece of the Puzzle

In our last post on “Cross-Border Data,” we discussed the various challenges organizations face due to laws around data localization and their possible mitigations. With more countries adopting policies to enforce data residency, organizations are realizing the urgency of the matter and are compelled to look for simpler solutions to achieve compliance.


Recently, the Portuguese DPA ordered Statistics Portugal to suspend processing of personal data in any third country that does not meet the adequate privacy protections, including the US.


Similarly, the Bavarian DPA directed a German company to stop the use of email marketing platform Mailchimp in sending out newsletters to its European subscribers. The ruling concluded that the US-based Mailchimp could be subject to data access by US intelligence services.


Such concepts of hard data localization are bound to affect major data flows in several industries. The major challenge lies in the awareness of the data flow as the destination and reason for data transfer may not be clearly understood in all scenarios.


Even a seemingly simple online transaction requires data to be sent back and forth several times across boundaries. Even if the data is located in one country, its transmission may cross national borders.




To alleviate some of the challenges around data localization, Microsoft announced the EU Data Boundary for the Microsoft Cloud plan to enable its commercial or public sector customers in the EU to process and store their data within the EU. The plan will include any personal data in diagnostic data and service-generated data, and personal data used to provide technical support.


It will cover the Microsoft’s core cloud services of Azure, Microsoft 365, and Dynamics 365 at no additional cost for the added services. The company will follow the European Commission's revised SCCs and allow its customers to freely transfer data from the EEA to the rest of the world through the Microsoft cloud. However, the plan only aims to minimize transfers and not eliminate them entirely.


While the move is a step in the right direction, it does not solve all issues around cross-border data. US companies may be forced to provide client data to the government when requested on the grounds of national security, which is contrary to GDPR guidelines.


Additionally, a company’s global operations make it an international data transfer even when the data is at rest in Europe and is being accessed from overseas. Contrary to popular belief, even if traffic is sent from one user to another within the same country, it is transmitted through one or more countries for flexibility or better performance.


As part of a series of posts written by participants of a Georgia Tech conference, research engineer Dillon Reisman wrote—data can live ephemerally, in many copies and in many places. Like in cloud computing, the data is mostly stored, processed, and accessed in a different country.


In case the company manages to have the data processed within Europe, it will still fall under the extraterritorial effect of the US legislation as any US company or its subsidiary can be subject to requests for data.


In such a scenario, companies should not blindly rely on their cloud provider. It is crucial to know where your data is stored and how it is handled. The flow of data should be properly documented as such information can be valuable in case of any legal disputes. This re-establishes the importance of tracking your data.


The below steps will help you manage cross-border data in your organization:


1. Document current state: Identify the different jurisdictions and understand which legal entities are transferring what data

2. Define cross-