Data-Localization

Russia’s data localization law, effective September 2015, requires personal data of Russian citizens to be stored within Russia. The primary database must be on Russian territory; copies may exist abroad, but the original recording and storage must occur domestically. This has forced international companies to establish Russian infrastructure or exit the market. LinkedIn was blocked in 2016 for non-compliance. The law serves multiple purposes: enabling domestic surveillance (data is accessible to SORM), reducing dependence on foreign services, and building domestic cloud industry. Combined with SORM backdoor requirements and Yarovaya retention mandates, data localization ensures Russian authorities have access to personal data of Russian citizens regardless of what foreign service they use—if the service operates in Russia, the data must be stored there.

China’s Cybersecurity Law of 2017 establishes foundational requirements for network security. Critical Information Infrastructure Operators (CIIOs) in sectors like telecoms, energy, transport, and finance must localize personal information and ‘important data’ collected in China. Cross-border transfers require government security assessments. Network products and services used by CIIOs must undergo security reviews. The law requires network operators to maintain logs for at least six months and provide technical support to public security organs for investigations. Real-name registration is required for online accounts. The law’s broad definitions and vague language create compliance uncertainty. Combined with the National Intelligence Law, it means Chinese network operators must both assist intelligence work and implement technical capabilities for lawful access.