The GDPR and soft data localization

I used to say that the GDPR did not have a data residency or data localization requirement. So long as a data controller transferred data to a country with an adequacy decision or complied with the safeguards, such as the standard contractual clauses or binding corporate clauses, it could send data outside of the EU.

Then the Court of Justice of the European Union (CJEU) issued the Schrems II decision. By requiring that EU personal data maintain essentially equivalent protection outside of the EU, it drastically limited the ability of businesses to export personal data. Now, before a business can export data, it must assess the law of the foreign country and determine if adequate safeguards can be put into place to maintain essentially equivalent protection.

Making this assessment of a foreign country's laws will not be simple or inexpensive. It is basically a mini-adequacy decision. While large businesses have the resources to perform the assessment and update it, most other businesses do not. Thus, these businesses will probably opt to keep their EU personal data within the EU to avoid having to perform the assessment (ie, a soft data localization).

Photo by Andrea Piacquadio from Pexels