Data Localization Laws by Country (2026)
Data localization laws require organizations to store, process, or maintain copies of certain data on servers physically located within a specific country's territory. These laws have proliferated rapidly since 2015, driven by national security concerns, privacy protection goals, economic development strategies, and geopolitical considerations around digital sovereignty.
The scope and strictness of localization requirements vary dramatically. Some countries mandate that all personal data about their residents remain within national borders. Others apply localization only to specific sectors like banking, healthcare, or telecommunications. Several countries take a middle ground, requiring a local copy while permitting transfers abroad under certain conditions.
This guide provides a country-by-country overview of data localization requirements as of 2026, explains the distinction between hard and soft localization, covers sector-specific rules, and outlines practical compliance strategies.
Hard Localization vs. Soft Localization
Understanding the difference between hard and soft localization is critical for compliance planning.
Hard Localization
Hard localization prohibits certain data from leaving the country entirely. The data must be collected, stored, and processed exclusively on local servers. No copies may be transferred abroad, regardless of safeguards. Russia's personal data law and certain categories under China's data protection framework represent hard localization.
Soft Localization
Soft localization requires that a copy of the data be maintained on local servers, but permits transfers of copies to other countries, usually subject to conditions such as government approval, consent, or contractual safeguards. India's approach to certain categories of data and Indonesia's regulations represent soft localization.
Conditional Transfer Models
Some countries do not require local storage but impose conditions on cross-border transfers that function as practical localization. Examples include requiring government approval for each transfer, mandating security assessments before export, or limiting transfers to countries with "adequate" protection. These conditional models can be as burdensome as formal localization requirements.
Country-by-Country Data Localization Requirements
The following table summarizes data localization requirements across major jurisdictions. Detailed analysis of key countries follows below.
| Country | Type | Scope | Key Law |
|---|---|---|---|
| China | Hard/Conditional | Personal information, important data, CII data | PIPL, DSL, CSL |
| Russia | Hard | Personal data of Russian citizens | Federal Law 242-FZ |
| India | Soft/Sector | Payment data (hard); other data conditional | DPDP Act 2023, RBI directions |
| Indonesia | Soft | Public electronic system data | GR 71/2019, PP 17/2025 |
| Vietnam | Soft/Conditional | Personal data, state security data | Decree 13/2023, Cybersecurity Law |
| Nigeria | Soft/Sector | Government data, certain personal data | NDPR, NITDA Act |
| Turkey | Conditional | Personal data | Law 6698 (KVKK) |
| Saudi Arabia | Conditional/Sector | Certain personal data, government data | PDPL, NCA regulations |
| Brazil | None (conditional) | No localization; conditional transfer rules | LGPD |
| South Korea | Conditional | Personal information | PIPA |
| Australia | None (conditional) | No localization; APP 8 transfer rules | Privacy Act 1988 |
| Kazakhstan | Soft | Personal data of citizens | Law on Personal Data |
| UAE | Sector | Financial, health, government data | Various sector regulators |
| Thailand | Conditional | Personal data | PDPA |
China: The Most Complex Localization Regime
China operates one of the world's most comprehensive data localization frameworks, built on three interconnected laws: the Cybersecurity Law (CSL) of 2017, the Data Security Law (DSL) of 2021, and the Personal Information Protection Law (PIPL) of 2021.
Critical Information Infrastructure (CII) Operators
CII operators must store personal information and "important data" collected and generated in China within the country. Transfers abroad require a government security assessment conducted by the Cyberspace Administration of China (CAC). CII sectors include energy, transportation, finance, public services, e-government, defense, and technology.
Personal Information Handlers
Under the PIPL, any organization processing personal information of Chinese residents that needs to transfer data abroad must satisfy one of four conditions: pass a CAC security assessment (mandatory for CII operators and large-scale handlers), obtain certification from a recognized institution, enter into a standard contract filed with the CAC, or comply with other conditions set by laws or regulations.
The CAC published standard contract provisions in February 2023 (effective June 2023) for organizations processing personal information of fewer than one million individuals. Organizations handling data from over one million individuals or transferring large volumes must take the security assessment route.
Important Data
The DSL introduced a separate category of "important data" subject to localization and export restrictions. Sector-specific regulators are tasked with defining what constitutes important data in their domains. The automotive, financial services, and healthcare sectors have issued draft or final important data catalogs.
Practical Impact
China's regime represents the most burdensome localization framework for multinational companies. Organizations operating in China typically maintain entirely separate data infrastructure, with dedicated in-country data centers and Chinese cloud providers (Alibaba Cloud, Tencent Cloud, Huawei Cloud) handling local processing.
Russia: Strict Personal Data Localization
Russia's data localization law, Federal Law No. 242-FZ (amending the Personal Data Law No. 152-FZ), took effect on September 1, 2015. It requires that all databases used to collect, record, systematize, accumulate, store, update, modify, or retrieve the personal data of Russian citizens be located on servers within the Russian Federation.
Scope
The law applies broadly to any operator (Russian or foreign) that collects personal data from Russian citizens. This includes online services, e-commerce platforms, social media companies, and any business that collects employee or customer data from Russian residents.
Cross-Border Transfers
Russia uses a two-tier system for cross-border transfers. Transfers to countries that are parties to the Council of Europe Convention 108 or that appear on Roskomnadzor's list of adequate countries can proceed with standard safeguards. Transfers to other countries require the data subject's consent or another legal basis.
However, the primary data storage must remain in Russia. The law does not prohibit making copies available abroad; it requires that the primary database (the "master copy") be located in Russia.
Enforcement
Russia's data protection authority, Roskomnadzor, has enforced the localization requirement through blocking actions. LinkedIn was blocked in Russia in 2016 for failing to comply with the localization requirement, the first major enforcement action under the law. Fines for localization violations have increased significantly, reaching up to 18 million rubles for initial violations and up to 6 million rubles for repeated violations as of 2023 amendments.
India: Evolving Localization Landscape
India's data localization requirements have shifted significantly. The Digital Personal Data Protection Act (DPDP Act) of 2023 replaced the earlier Personal Data Protection Bill, which had included strict localization provisions.
Current Framework
The DPDP Act does not impose blanket data localization. Instead, it permits cross-border transfers of personal data to all countries except those specifically restricted by the central government through notification. As of early 2026, the government has not published its list of restricted countries.
Payment Data Localization
The Reserve Bank of India (RBI) issued a directive in April 2018 requiring all payment system data to be stored exclusively in India. This applies to domestic transaction data processed by payment system operators, including card networks, payment aggregators, and wallet providers. The requirement is one of the strictest sector-specific localization mandates globally and forced companies like Visa, Mastercard, and PayPal to establish Indian data centers.
Sector-Specific Requirements
The Insurance Regulatory and Development Authority of India (IRDAI) and the Securities and Exchange Board of India (SEBI) have their own data handling requirements that, while not always labeled as "localization," impose conditions on where data can be processed and stored.
Vietnam: Cybersecurity and Data Storage
Vietnam's Cybersecurity Law (Law 24/2018), effective January 1, 2019, and Decree 13/2023 on personal data protection impose layered localization requirements.
Under the Cybersecurity Law, domestic and foreign service providers that operate in Vietnam and collect user data must store certain data categories locally, including data related to national security and data about Vietnamese users of services such as telecommunications, e-commerce, social media, gaming, and messaging. These providers must also establish a local office or representative in Vietnam.
Decree 13/2023 requires organizations transferring personal data of Vietnamese citizens abroad to prepare a Transfer Impact Assessment dossier and file it with the Ministry of Public Security. The data must be stored locally, and the organization must obtain a registration certificate before transferring personal data across borders.
Indonesia: Government Regulation on Electronic Systems
Indonesia's Government Regulation No. 71 of 2019 (GR 71/2019) on Electronic Systems and Transactions requires public electronic system operators to place their data centers and disaster recovery centers in Indonesian territory. Private electronic system operators were initially given flexibility, though sector-specific rules apply.
In 2025, Government Regulation PP 17/2025 updated the framework, maintaining the public sector localization requirement while establishing conditions for private sector cross-border transfers, including impact assessments and coordination with relevant ministries.
The financial services sector faces additional requirements from Indonesia's Financial Services Authority (OJK), which requires banks and financial institutions to maintain primary data centers domestically.
Nigeria: NDPR and Government Data
Nigeria's data localization requirements come primarily from the Nigeria Data Protection Regulation (NDPR) of 2019 (now administered by the Nigeria Data Protection Commission) and sectoral guidelines.
The NDPR does not impose blanket localization but requires that personal data be stored in Nigeria where "it is reasonably practicable." Cross-border transfers require adequate protection in the destination country or appropriate safeguards.
Government data faces stricter requirements. The National Information Technology Development Agency (NITDA) has issued guidelines requiring government data and data processed on behalf of government agencies to be hosted within Nigeria.
The Central Bank of Nigeria (CBN) requires financial institutions to maintain local data storage and obtain approval for certain cross-border data transfers.
Turkey: Conditional Transfer Framework
Turkey's [Personal Data Protection Law No. 6698 (KVKK)](https://www.mevzuat.gov.tr/MevzuatMetin/1.5.6698.pdf) does not impose strict data localization but creates a conditional transfer framework that can function as practical localization.
Cross-border transfers require either explicit consent from the data subject or an adequacy decision by the Personal Data Protection Board (KVKK Board). For countries without adequacy status, transfers require a written commitment from the data importer providing adequate protection, approved by the KVKK Board. In March 2024, the KVKK Board updated its approach, allowing transfers based on binding corporate rules, standard contractual clauses, or other approved safeguards, bringing Turkey closer to the GDPR model.
Sector-Specific Localization Patterns
Several patterns emerge across jurisdictions where localization applies to specific sectors rather than all data.
Financial Data
Banking regulators worldwide frequently impose the strictest localization rules. India's RBI payment data mandate, Indonesia's OJK requirements, Nigeria's CBN directives, China's banking data rules, and the Saudi Arabian Monetary Authority (SAMA) regulations all require some degree of local storage for financial data.
Healthcare Data
Health data localization appears in Australia (My Health Records Act), Turkey (health data regulations), Saudi Arabia (National Health Information Center requirements), and several EU member states that impose additional restrictions on health data beyond the GDPR.
Telecommunications
Telecom metadata and subscriber data face localization requirements in Russia, China, Vietnam, India (through telecom license conditions), and several African countries. These rules often derive from national security and law enforcement access concerns.
Government and Public Sector Data
Almost universally, countries require government data to be stored domestically. This includes Indonesia's GR 71/2019 for public electronic systems, Nigeria's NITDA guidelines, India's government cloud policy, and Saudi Arabia's National Cybersecurity Authority (NCA) requirements.
Compliance Strategies for Multinational Organizations
Organizations operating across multiple jurisdictions with different localization requirements can adopt several strategies.
Regional Data Center Architecture
Deploying data centers (or contracting with cloud providers) in key jurisdictions ensures local storage compliance. Major cloud providers like AWS, Microsoft Azure, and Google Cloud offer region-specific data residency options. Organizations can configure data residency policies to ensure that data from specific countries remains within designated regions.
Data Segregation and Classification
Implementing data classification frameworks that tag data by jurisdiction and category allows organizations to apply localization rules selectively. Not all data from a given country requires localization; often only specific categories (financial, health, government) are subject to local storage requirements.
Hybrid Architectures
Some organizations maintain local "hot" storage for compliance purposes while processing or analyzing data centrally. This approach satisfies localization requirements while preserving the efficiency of centralized analytics. The key is ensuring the local copy meets the "primary storage" requirement where applicable.
Transfer Mechanism Layering
In soft localization jurisdictions, organizations can maintain local storage while using transfer mechanisms (SCCs, adequacy decisions, consent, or contractual clauses) to export copies of data for global operations.
Regulatory Monitoring
Localization laws change frequently. Organizations need a systematic process for tracking legislative and regulatory developments in every country where they operate. Several jurisdictions (India, Saudi Arabia, and Indonesia) have laws with implementing regulations still being finalized, meaning requirements could tighten.
This is general legal information, not legal advice. Organizations navigating data localization requirements across multiple jurisdictions should consult an attorney for advice specific to their situation.