Data Localization Snapshot

Active Measures Country Measure Details This regulation restricts the Personally Controlled Electronic exportation of any personally Health Record Provision identifiable health information. These two provincial laws Two provincial personal restrict the exportation of any information laws: Nova Scotia collected by or for and British Columbia public bodies. This law prohibits the off-shore Notice to Urge Banking Financial analyzing, processing, or storage Institutions to Protect Personal of Chinese personal financial Information information. This law requires that all servers Online Publishing Service China used for online publishing in Management Rules China be located within China. Guidelines for Personal This standard prohibits the Information Protection within overseas transfer of data China Public and Commercial without express user consent or Information Systems government permission. This law requires all credit information collected on Administrative Regulation on Chinese citizens to be processed China the Credit Information Industry and stored within China and and Credit Reference Agencies does not allow the transfer of that data outside of China’s borders. Population and Healthcare These measures prohibit the China Information Management overseas transfer of health and Measures medical information. This policy requires all data National Data Sharing and collected using public funds to Accessibility Policy be stored within the borders of India. This law mandates that any company which provides Regulation No. 82: Information internet enabled services and Electronic Transaction Law directly to the consumer must locate their data centers within Indonesia.

1

These amendments require that Amendments to Certain all personal data collected Legislative Acts on within Kazakhstan be stored Informatization within the country. This act, an update to a law Act on the Establishment and which originated in the Korean Korea Management of Spatial War era, greatly restricts the information cross-border transfer of mapping data. These guidelines require that all Guidelines for Nigerian Content consumer and subscriber data Development in ICT collected by companies in Nigeria be hosted within Nigeria. This law requires that all data Russia Federal Law 242-FZ collected on Russia citizens be stored within Russia. This law mandates that all bloggers (very loosely defined) with more than 3,000 followers Russia Blogger’s Law store all internet related data within Russia for up to six months while providing access to law enforcement. This law requires companies that provide e-payment services Turkey E-Payment Law to conduct all data processing within the borders of Turkey. These rules require that all cloud DoD Interim Rule on Network computing service providers United States Penetration Reporting and that work for the DOD to store Contracting for Cloud Services DOD data within U.S. Territory. This law mandates that all companies that provide a range Decree of Information of different internet enabled Technology Services services maintain at least one server within the borders of Vietnam.

2

Potential Measures Country Measure Details This law contains broad requirements for local processing and storage of “important data” related to China Draft Cyber-Security Law Chinese citizens and critical information infrastructure, with reference to unclear data export limitations or requirements. This law would require localization of data servers by any insurance institution Draft Supervision Rules on processing the personal data of China Insurance Institutions Adopting Chinese citizens. Additionally, Digitized Operations there are vague requirements for data residency that are yet to be defined. A proposed amendment to this law would require the storage of all French citizen’s personal data France Draft Bill for a Digital Republic within the EU and prohibit transfer of that data to non-EU countries. Draft Regulation Regarding the This law has a vague Provision of Application and/or requirement that OTT service Indonesia Content Services Through the providers place part of their Internet data centers within Indonesia. These pre-announced standards would require that all cloud computing providers separate Standards for Cloud Computing Korea public and private data centers, Services mandating public servers to be located within the borders of Korea. This draft law would require all Vietnam Draft OTT Circular OTT service providers to locate at least one server in Vietnam.

3