In 2017, 35 countries had laws requiring some form of local data storage. By 2026, that number has grown to 62, according to the Information Technology and Innovation Foundation. Not a single one of those laws has been repealed. The trajectory points in one direction, and compliance teams that operate across borders need a clear‑eyed understanding of where data‑localization requirements apply, how strict they are, and what the penalties look like when you get it wrong.
This guide focuses on the jurisdictions that matter most for data‑localization compliance. It’s not just a checklist of countries; it explains what the laws actually demand, what counts as compliant, and how enforcement has played out in real life.
How to Read This Guide: Hard vs. Soft Localization
Before you dive in, let’s sort out the two main flavors of data‑localization rules:
Hard localization (strict) – Certain data must stay inside the country’s borders at all times. Neither encryption nor contractual safeguards can move it abroad. Think Russia and, for specific categories, China.
Soft or conditional localization – Data can leave the country if you meet defined conditions such as adequacy decisions, Standard Contractual Clauses (SCCs), explicit consent, or a regulatory approval. The EU, India (for non‑critical data), Brazil, and most of Southeast Asia fall into this camp.
On top of these baseline rules, many sectors—finance, health, telecom, government—impose extra layers of restriction. Those sector‑specific requirements often trump the general framework.
The Jurisdiction‑by‑Jurisdiction Breakdown
European Union
The GDPR doesn’t force you to keep EU personal data inside the bloc, but it does police cross‑border transfers. You need an adequacy decision, SCCs, Binding Corporate Rules, or a specific derogation. As of early 2026, the EU trusts the UK, Canada (commercial), Japan, South Korea, and the US (under the EU‑U.S. Data Privacy Framework). Transfers to China or Russia lack adequacy and need SCCs plus a Transfer Impact Assessment—a tall order given China’s surveillance rules and Russia’s FSB oversight.
What this means for you: You can run EU workloads anywhere in the EEA, but you must document a transfer mechanism for any data leaving the region. Most firms rely on updated SCCs with a thorough Transfer Impact Assessment, especially after Schrems II.
United Kingdom
Post‑Brexit, the UK GDPR mirrors the EU’s approach. Transfers out of the UK need an adequacy decision or SCCs with UK‑specific annexes. The UK has granted adequacy to the EU, EEA, Andorra, Argentina, Canada (commercial), Faroe Islands, Israel, Japan, Jersey, New Zealand, Korea, Switzerland, Uruguay, and the US (via the UK‑US data bridge). For most commercial purposes, the UK‑US bridge handles the paperwork.
China
China’s data‑sovereignty regime is the toughest you’ll encounter. Three laws overlap:
- Cybersecurity Law (2017) – Critical Information Infrastructure Operators (CIIOs) must store “important data” domestically and undergo security assessments for any cross‑border move.
- Data Security Law (2021) – Classifies data into core, important, and general tiers; core and important data face strict outbound limits.
- Personal Information Protection Law (PIPL, 2021) – Requires localization for “sensitive personal information” and mandates security assessments or CAC‑approved SCCs for transfers.
The most common path for foreign firms is a CAC security assessment, which can take 45+ working days. The process is slow, but it’s the only reliable route for most multinational companies.
Bottom line: If you collect personal data from Chinese residents, you must store it in China and go through a CAC assessment before moving it elsewhere.
Russia
Russia’s Federal Law 242‑FZ (amending Law 152‑FZ) imposes a hard localization rule: all personal data of Russian citizens must be collected, stored, and processed on Russian soil. No exceptions, no SCCs. Roskomnadzor fined foreign firms over 300 million rubles (≈ $3.3 million) in 2023‑2024, and LinkedIn ultimately left the market rather than comply.
What you need: A Russian legal entity, Russian‑hosted servers, and registration with Roskomnadzor. There’s no workaround.
India
India’s Digital Personal Data Protection Act (DPDP Act), effective August 2023, does not impose blanket localization. However, it gives the central government power to block transfers to specific countries via executive notification. No country has been blacklisted yet, but the risk is real.
More concrete is the Reserve Bank of India’s 2018 directive: all payment‑system data generated in India must stay on Indian servers. This applies to any company—foreign or domestic—handling Indian payment data, including AI pipelines that train on transaction records.
Takeaway: Build your architecture with Indian‑local storage for payment data from day one; you’ll avoid a costly redesign later.
Indonesia
Indonesia’s Government Regulation GR 71/2019 (Electronic Systems and Transactions) requires public‑sector operators to keep at least one data copy in the country. The 2025 update (PP 17/2025) keeps the rule but adds clearer guidance for private firms.
Financial services face extra pressure from the OJK, which mandates local storage of customer financial data. Telecom operators must comply with KOMINFO rules for subscriber and traffic data.
Practical tip: If you serve Indonesian customers in finance or telecom, plan for a local data replica. For other sectors, a single copy in Indonesia usually satisfies the law.
Vietnam
Vietnam’s Decree 13/2023 on personal data protection requires local storage for companies operating in‑country and tightens cross‑border transfer rules. The 2018 Cybersecurity Law adds an “important data” classification that covers banking, telecom, and logistics.
Transfers need Ministry of Public Security approval or must meet a long list of conditions. Expect a drawn‑out approval process and extensive documentation.
Bottom line: Treat Vietnam as a hard‑localization environment for personal and “important” data. Build local storage first, then work on the approval pipeline.
Brazil
Brazil’s LGPD mirrors the GDPR: no blanket localization, but cross‑border transfers need adequacy, SCCs, or a derogation. The ANPD issued its first adequacy decisions in 2025 for the EU, UK, and Switzerland. Transfers to the US rely on SCCs because the EU‑U.S. Data Privacy Framework does not automatically apply.
Implication: No need for Brazilian data centers for most use cases. Just keep SCCs up to date.
Nigeria
Nigeria’s NDPR and the NITDA Act focus localization on government data and certain personal‑data categories. The Central Bank of Nigeria (CBN) requires local storage for financial data. Cross‑border transfers must be to countries with adequate protection and backed by contractual safeguards.
What to do: If you handle Nigerian financial or government‑related data, provision local storage. Otherwise, SCCs will usually suffice.
Saudi Arabia
Saudi Arabia’s Personal Data Protection Law (PDPL), effective 2021, generally requires personal data to stay within the Kingdom unless you obtain government approval or rely on an adequacy decision from the Saudi Data Protection Authority (SDPA). The National Cybersecurity Authority (NCA) adds extra rules for critical‑infrastructure sectors.
Action step: Treat Saudi Arabia as a soft‑localization jurisdiction, but default to local storage for personal data and be ready to request approvals for any cross‑border flow.
Australia
Australia’s Privacy Act does not impose data‑localization, but APP 8 (Cross‑border disclosure) obliges you to take reasonable steps to ensure the overseas recipient handles the data in line with Australian standards. While you can keep data overseas, you must have a solid contractual framework and be prepared for regulator scrutiny.
Key Takeaways
- Hard vs. soft rules: Russia and China enforce hard localization; the EU, Brazil, and many ASEAN nations use soft, condition‑based rules.
- Sector matters: Finance, health, and telecom often trigger stricter requirements than the baseline law.
- Transfer mechanisms: SCCs, adequacy decisions, and security assessments are your main tools—keep them current.
- Local entities: Russia, Saudi Arabia, and India’s payment‑data rule require a local legal presence or at least local infrastructure.
- Enforcement is real: Fines in Russia, China’s lengthy assessments, and Nigeria’s active regulator show that non‑compliance is costly.
What to Do Next (Actionable Steps for Compliance Teams)
- Map your data flows – Identify where personal or sensitive data originates, where it is processed, and where it is stored.
- Classify by jurisdiction – Tag each data set with the country‑specific localization rule (hard, soft, sector‑specific).
- Select the right transfer mechanism – Deploy SCCs, adequacy certifications, or obtain security assessments as required.
- Set up local infrastructure where needed – For hard‑localization markets (Russia, China, India‑payment data, Saudi Arabia), provision on‑prem or cloud regions within the country.
- Maintain documentation – Keep Transfer Impact Assessments, security‑assessment reports, and registration certificates up to date.
- Monitor regulatory updates – Laws evolve quickly; subscribe to alerts from the GRC Overview and the Data‑Privacy Bulletin.
- Run periodic audits – Test your architecture against the checklist above at least twice a year.
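The hard/soft distinction from the start of this guide and the seven steps above (map, classify, select a mechanism, audit) can be turned into a repeatable check. The following is an added example, not part of this guide or of any regulator's material: a small policy-as-code audit that encodes a simplified reading of the jurisdiction summaries above as a rules table and evaluates a constructed data-flow inventory against it. The rule table is this example's condensation of the text, not a legal source; the region codes ("EU" standing for any EEA region), the mechanism labels (such as scc_tia or cac_assessment), and every dataset in the inventory are constructed for illustration.

```python
"""Data-localization policy check over a data-flow inventory (added example).

The rules table is a simplified encoding of the guide's hard/soft/sector summary,
not a legal source. Region codes, mechanism labels and datasets are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional


class Mode(Enum):
    HARD = "hard"   # data must stay in-country; contractual safeguards do not substitute
    SOFT = "soft"   # data may leave if a recognised transfer mechanism is documented


@dataclass(frozen=True)
class Rule:
    mode: Mode
    categories: FrozenSet[str]               # data categories this rule covers
    local_copy: bool                         # must a copy remain in the origin country?
    adequate: FrozenSet[str] = frozenset()   # destinations needing no extra mechanism
    mechanisms: FrozenSet[str] = frozenset() # mechanisms accepted for other destinations
    note: str = ""


# Per-jurisdiction rules condensed from the guide (illustrative labels, assumption).
RULES: Dict[str, List[Rule]] = {
    "RU": [Rule(Mode.HARD, frozenset({"personal"}), True,
                note="242-FZ: Russian entity and servers, no transfer mechanism")],
    "CN": [Rule(Mode.HARD, frozenset({"personal", "important", "core"}), True,
                mechanisms=frozenset({"cac_assessment", "cac_scc"}),
                note="store in China; CAC assessment or CAC SCCs before any outbound move")],
    "IN": [Rule(Mode.HARD, frozenset({"payment"}), True,
                note="RBI 2018 directive: payment-system data stays on Indian servers"),
           Rule(Mode.SOFT, frozenset({"personal"}), False,
                mechanisms=frozenset({"contract", "consent"}),
                note="DPDP Act: no blanket localization; government may block destinations")],
    "EU": [Rule(Mode.SOFT, frozenset({"personal"}), False,
                adequate=frozenset({"GB", "CA", "JP", "KR", "US"}),
                mechanisms=frozenset({"scc_tia", "bcr", "derogation"}),
                note="GDPR: adequacy, SCCs plus a Transfer Impact Assessment, BCRs or derogation")],
    "BR": [Rule(Mode.SOFT, frozenset({"personal"}), False,
                adequate=frozenset({"EU", "GB", "CH"}),
                mechanisms=frozenset({"scc", "derogation"}),
                note="LGPD: ANPD adequacy or SCCs; the EU-US DPF does not carry over")],
    "AU": [Rule(Mode.SOFT, frozenset({"personal"}), False,
                mechanisms=frozenset({"app8_contract"}),
                note="APP 8: reasonable steps, normally a contractual framework")],
}


@dataclass(frozen=True)
class DataFlow:
    name: str
    origin: str                      # country the data subjects or transactions belong to
    category: str                    # "personal", "payment", "important", ...
    stored_in: FrozenSet[str]        # every region holding a copy: primary, replica, backup, ML corpus
    mechanism: Optional[str] = None  # documented transfer mechanism, if any


def evaluate(flow: DataFlow) -> List[str]:
    """Return one finding per violated or undocumented requirement; [] means compliant."""
    findings: List[str] = []
    for rule in RULES.get(flow.origin, []):
        if flow.category not in rule.categories:
            continue
        if rule.local_copy and flow.origin not in flow.stored_in:
            findings.append(f"{flow.name} [{rule.mode.value}]: no copy in {flow.origin} ({rule.note})")
        for dest in sorted(flow.stored_in - {flow.origin}):
            if dest in rule.adequate:
                continue  # adequacy decision: no extra paperwork for this destination
            if rule.mode is Mode.HARD and not rule.mechanisms:
                findings.append(f"{flow.name} [hard]: copy in {dest} prohibited ({rule.note})")
            elif flow.mechanism not in rule.mechanisms:
                findings.append(f"{flow.name} [{rule.mode.value}]: copy in {dest} needs one of "
                                f"{sorted(rule.mechanisms)}, documented: {flow.mechanism!r}")
    return findings


def audit(flows: List[DataFlow]) -> Dict[str, List[str]]:
    """Step 7 of the guide: only flows with findings appear in the report."""
    report: Dict[str, List[str]] = {}
    for flow in flows:
        found = evaluate(flow)
        if found:
            report[flow.name] = found
    return report


# Constructed inventory, the kind of table step 1 ("map your data flows") produces.
INVENTORY = [
    DataFlow("ru-crm", "RU", "personal", frozenset({"RU", "DE"})),
    DataFlow("in-payments", "IN", "payment", frozenset({"IN"})),
    DataFlow("in-fraud-model", "IN", "payment", frozenset({"US"})),   # training copy abroad
    DataFlow("eu-customers", "EU", "personal", frozenset({"EU", "US"})),
    DataFlow("eu-analytics", "EU", "personal", frozenset({"EU", "CN"}), "scc_tia"),
    DataFlow("cn-users", "CN", "personal", frozenset({"CN", "SG"})),
    DataFlow("br-orders", "BR", "personal", frozenset({"US"}), "scc"),
    DataFlow("au-support", "AU", "personal", frozenset({"SG"})),
]

if __name__ == "__main__":
    for name, lines in audit(INVENTORY).items():
        print("\n".join(lines))
```

Running the block reports the Russian CRM replica in Germany as prohibited, the Indian fraud-model corpus as both missing a local copy and prohibited abroad, the Chinese user data in Singapore as lacking a CAC assessment, and the Australian support data as lacking an APP 8 contract, while the EU-to-US flow (adequacy) and the EU-to-China flow (documented SCCs plus TIA) pass. The point of the design is that a flow's backup and ML-training copies count as storage locations, so the inventory has to list every copy, not just the primary database.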
Conclusion
Data‑localization laws are no longer a niche concern; they’re a core component of any global data strategy. From the hard‑stop rules in Russia to the conditional frameworks of the EU and Brazil, the landscape demands a mix of technical controls, legal safeguards, and ongoing vigilance. By mapping your data, choosing the right transfer mechanisms, and building local storage where the law insists, you can keep your organization compliant and avoid the hefty fines that have already hit firms in Russia, China, and beyond.
Staying ahead means treating data‑localization as a continuous program, not a one‑time checklist. Keep your documentation fresh, watch for regulatory shifts, and make sure your cross‑border data flows are always backed by a solid legal basis. With the right processes in place, you’ll turn a complex compliance maze into a manageable, predictable part of your global operations.