Data Localization Laws by Country (2026)
Data localization laws require that certain personal data be stored on servers within a country's borders. Requirements range from hard localization, such as Russia's Federal Law 242-FZ, which prohibits primary citizen databases from leaving Russia, to soft models permitting conditional transfers. Over 60 countries enforce some form of data residency requirement as of 2026.
Data localization laws require organizations to store, process, or maintain copies of certain data on servers physically located within a specific country's territory. These laws have proliferated rapidly since 2015, driven by national security concerns, privacy protection goals, economic development strategies, and geopolitical considerations around digital sovereignty.
The scope and strictness of localization requirements vary dramatically. Some countries mandate that all personal data about their residents remain within national borders. Others apply localization only to specific sectors like banking, healthcare, or telecommunications. Several countries take a middle ground, requiring a local copy while permitting transfers abroad under certain conditions.
This guide provides a country-by-country overview of data localization requirements as of 2026, explains the distinction between hard and soft localization, covers sector-specific rules, examines the EU position, surveys the economic debate, and outlines practical compliance strategies.
Hard Localization vs. Soft Localization
Understanding the difference between hard and soft localization is critical for compliance planning.
Hard Localization
Hard localization prohibits certain data from leaving the country entirely. The data must be collected, stored, and processed exclusively on local servers. No copies may be transferred abroad, regardless of safeguards. Russia's personal data law and certain categories under China's data protection framework represent hard localization.
Soft Localization
Soft localization requires that a copy of the data be maintained on local servers, but permits transfers of copies to other countries, usually subject to conditions such as government approval, consent, or contractual safeguards. India's approach to certain categories of data and Indonesia's regulations represent soft localization.
Conditional Transfer Models
Some countries do not require local storage but impose conditions on cross-border transfers that function as practical localization. Examples include requiring government approval for each transfer, mandating security assessments before export, or limiting transfers to countries with "adequate" protection. These conditional models can be as burdensome as formal localization requirements.
Country-by-Country Data Localization Requirements
The following table summarizes data localization requirements across major jurisdictions. Detailed analysis of key countries follows below.
| Country | Type | Scope | Key Law |
|---|---|---|---|
| China | Hard/Conditional | Personal information, important data, CII data | PIPL, DSL, CSL (amended Jan 2026) |
| Russia | Hard | Personal data of Russian citizens | Federal Law 242-FZ, 266-FZ |
| India | Soft/Sector | Payment data (hard); other data conditional | DPDP Rules 2025, RBI directions |
| Indonesia | Soft | Public electronic system data | GR 71/2019, PDP Law (Oct 2024) |
| Vietnam | Soft/Conditional | Personal data, state security data | Decree 13/2023, Decree 53/2022 |
| Nigeria | Soft/Sector | Government data, critical infrastructure data | NDPA 2023, NITDA Act |
| Turkey | Conditional | Personal data | Law 6698 (KVKK) |
| Saudi Arabia | Conditional/Sector | Personal data, financial, government data | PDPL (enforced Sept 2024) |
| Brazil | None (conditional) | No localization; conditional transfer rules | LGPD |
| South Korea | Conditional | Personal information | PIPA |
| Australia | None (conditional) | No localization; APP 8 transfer rules | Privacy Act 1988 |
| Kazakhstan | Soft | Personal data of citizens | Law on Personal Data (amended Feb 2024) |
| UAE | Sector | Financial, health, government data | Various sector regulators |
| Thailand | Conditional | Personal data | PDPA |
| South Africa | Conditional | Personal information | POPIA |
| Japan | Conditional | Personal information | APPI (amended 2022) |
China: The Most Complex Localization Regime
China operates one of the world's most comprehensive data localization frameworks, built on three interconnected laws: the Cybersecurity Law (CSL) of 2017, the Data Security Law (DSL) of 2021, and the Personal Information Protection Law (PIPL) of 2021.
Critical Information Infrastructure (CII) Operators
CII operators must store personal information and "important data" collected and generated in China within the country. Transfers abroad require a government security assessment conducted by the Cyberspace Administration of China (CAC). CII sectors include energy, transportation, finance, public services, e-government, defense, and technology.
CSL Amendment Effective January 1, 2026
The Standing Committee of the National People's Congress passed amendments to the CSL on October 28, 2025, effective January 1, 2026. The January 2026 amendments do not alter the core data localization requirement for CII operators under Article 39 but significantly change the enforcement landscape:
- Maximum penalties for CII operators whose violations cause especially grave consequences now reach RMB 10 million (approximately USD 1.4 million).
- The CSL's extraterritorial reach expanded beyond activities harming domestic critical infrastructure to cover any overseas organization or individual engaging in activities that harm China's cybersecurity broadly.
- AI governance obligations are now explicitly integrated into the CSL framework, including state support for AI innovation, training data resource development, and AI risk assessment and security governance.
- Penalties for selling uncertified network security equipment include fines of up to ten times the purchase amount.
Personal Information Handlers and the March 2024 Threshold Changes
Under the PIPL, organizations processing personal information of Chinese residents that need to transfer data abroad must satisfy one of four conditions: pass a CAC security assessment, obtain certification from a recognized institution, enter into a standard contract filed with the CAC, or comply with other applicable conditions.
On March 22, 2024, the CAC issued the Provisions on Regulating and Promoting Cross-Border Data Flows, effective immediately. These provisions significantly relaxed the prior rules:
- Security assessment by the CAC is now required only for transfers of personal data of more than 1 million individuals in a calendar year, or sensitive personal data of more than 10,000 individuals in a calendar year.
- Transfers of personal data of fewer than 100,000 individuals per calendar year are exempt from the standard contract filing requirement.
- CAC-approved security assessments are now valid for three years, extended from the prior two-year term.
- Organizations in designated free trade zones may follow a negative list: the FTZ formulates a catalog of restricted data, and all data outside the catalog may be transferred freely. The Shanghai FTZ published its first general data catalog in May 2024, covering automotive, biopharmaceuticals, and mutual fund sectors.
Important Data
The DSL introduced a separate category of "important data" subject to localization and export restrictions. Sector-specific regulators are tasked with defining what constitutes important data in their domains. The automotive, financial services, and healthcare sectors have issued draft or final important data catalogs.
Practical Impact
China's regime represents the most burdensome localization framework for multinational companies. Organizations operating in China typically maintain entirely separate data infrastructure, with dedicated in-country data centers and Chinese cloud providers (Alibaba Cloud, Tencent Cloud, Huawei Cloud) handling local processing.
Russia: Strict Personal Data Localization
Russia's data localization law, Federal Law No. 242-FZ (amending the Personal Data Law No. 152-FZ), took effect on September 1, 2015. It requires that all databases used to collect, record, systematize, accumulate, store, update, modify, or retrieve the personal data of Russian citizens be located on servers within the Russian Federation.
Scope
The law applies broadly to any operator (Russian or foreign) that collects personal data from Russian citizens. This includes online services, e-commerce platforms, social media companies, and any business that collects employee or customer data from Russian residents.
Cross-Border Transfers and FZ-266 Changes (2023)
Federal Law No. 266-FZ (signed July 14, 2022; principal provisions effective September 1, 2022; cross-border transfer provisions effective March 1, 2023) substantially updated the cross-border transfer framework. Since March 2023, operators must notify Roskomnadzor of their intention to transfer personal data abroad before doing so. Transfers to countries not recognized as providing adequate protection now require explicit permission from Roskomnadzor.
The prior two-tier system (Council of Europe Convention 108 countries vs. others) remains relevant for determining which countries are presumed adequate. However, the pre-transfer notification requirement now applies regardless of destination.
The primary data storage requirement is unchanged: the master database of Russian citizens' personal data must remain on Russian-territory servers. Copies may be provided abroad, but the originating database must stay in Russia.
Enforcement
Russia's data protection authority, Roskomnadzor, has enforced the localization requirement through blocking actions. LinkedIn was blocked in Russia in 2016 for failing to comply with the localization requirement. Penalties for localization violations now range from RUB 60,000 to RUB 18,000,000, with repeated violations potentially resulting in website blocking.
India: Evolving Localization Landscape
India's data localization framework has shifted considerably. The Digital Personal Data Protection Act (DPDP Act) of 2023 replaced the earlier Personal Data Protection Bill, which had included strict localization provisions.
Current Framework: DPDP Rules (November 2025)
The DPDP Rules were finalized and published in November 2025. Rule 15 provides: "A Data Fiduciary may transfer personal data outside India except where the Central Government restricts such transfer." This is a negative-list model: transfers are permitted to all destinations unless the government specifically restricts a country through notification. Full cross-border transfer compliance is required by May 2027 (18 months after November 13, 2025). As of May 2026, the government has not published its negative list of restricted countries.
This approach is notably more permissive than earlier drafts of the Bill, which had proposed strict whitelisting. India chose the negative-list model over the adequacy-based approach used under the GDPR.
Payment Data Localization
The Reserve Bank of India (RBI) issued a directive in April 2018 requiring all payment system data to be stored exclusively in India. This applies to domestic transaction data processed by payment system operators, including card networks, payment aggregators, and wallet providers. The requirement is one of the strictest sector-specific localization mandates globally and forced companies like Visa, Mastercard, and PayPal to establish Indian data centers. This mandate remains fully in force and is not affected by the DPDP framework.
Sector-Specific Requirements
The Securities and Exchange Board of India (SEBI) issued a circular in 2024 imposing data residency requirements on regulated entities using cloud service providers, requiring that regulatory and compliance data remain in India. The Insurance Regulatory and Development Authority of India (IRDAI) imposes conditions on where insurance data may be processed and stored. These sector rules operate independently from the DPDP framework.
Vietnam: Cybersecurity and Data Storage
Vietnam's Cybersecurity Law (Law 24/2018), effective January 1, 2019, and two implementing decrees impose layered localization requirements. It is important to distinguish the two decrees:
- Decree 53/2022/ND-CP (effective October 1, 2022) implements the Cybersecurity Law and governs data localization.
- Decree 13/2023/ND-CP (effective July 1, 2023) is Vietnam's personal data protection regulation and governs cross-border transfer procedures.
Under Decree 53/2022, domestic enterprises providing telecommunications, internet, data storage, e-commerce, online payment, transportation app, social network, messaging, gaming, and related services must store three categories of data in Vietnam: personal information of service users, user-generated data (account names, session timestamps, credit card information, email addresses, IP addresses, registered phone numbers), and relationship data (friends and groups the user has connected with).
For foreign enterprises, the localization requirement is trigger-based rather than automatic. A written request from the Ministry of Public Security activates the requirement if the foreign enterprise's services were used to violate Vietnamese cybersecurity law or if the enterprise failed to comply with prior requests. Once triggered, the enterprise must comply within 12 months and retain the specified data for at least 24 months from the receipt of the request.
Decree 13/2023 requires organizations transferring personal data of Vietnamese citizens abroad to prepare a Transfer Impact Assessment and file it with the Ministry of Public Security. A registration certificate is required before transfers may proceed.
Indonesia: Government Regulation on Electronic Systems
Indonesia's Government Regulation No. 71 of 2019 (GR 71/2019) on Electronic Systems and Transactions requires public electronic system operators to place their data centers and disaster recovery centers in Indonesian territory. Private electronic system operators may locate data outside Indonesia subject to conditions: the offshore location must not diminish government supervision effectiveness, and access must be provided for supervision and law enforcement.
Indonesia's Personal Data Protection Law (Law No. 27 of 2022) was enacted in October 2022. The two-year transition period for compliance ended on October 17, 2024, and organizations are now required to fully comply. The PDP Law allows data controllers to store personal data either in Indonesia or offshore, maintaining consistency with GR 71/2019's approach for private operators.
The financial services sector faces additional requirements from Indonesia's Financial Services Authority (OJK), which requires banks and financial institutions to maintain primary data centers domestically.
Nigeria: NDPR Upgraded to Statutory Law
Nigeria's data localization requirements are now grounded in the Nigeria Data Protection Act (NDPA) of 2023, signed into law in June 2023. The NDPA superseded the 2019 Nigeria Data Protection Regulation (NDPR) and elevated the data protection framework to statutory law. It established the Nigeria Data Protection Commission (NDPC) as a statutory body replacing the earlier regulatory arrangement under NITDA.
The NDPA does not impose blanket localization but requires that personal data transferred outside Nigeria receive adequate protection in the destination country or that appropriate safeguards be implemented. The United States is not recognized by the NDPC as providing adequate protection, meaning US-bound transfers require standard contractual clauses or other safeguards.
A 2024 government order designated several critical systems as Critical National Information Infrastructure (CNII): the Bank Verification Number (BVN) database, the National Identification Number (NIN) database, and the Nigerian Interbank Settlement System (NIBSS). CNII-designated systems are subject to stricter data handling and localization rules.
Government data faces additional requirements. NITDA guidelines require government data and data processed on behalf of government agencies to be hosted within Nigeria. The Central Bank of Nigeria (CBN) requires financial institutions to maintain local data storage and obtain approval for certain cross-border transfers.
Saudi Arabia: PDPL Now Fully Enforced
Saudi Arabia's Personal Data Protection Law (PDPL) came into force on September 14, 2023, with a one-year grace period for compliance. Full enforcement began September 14, 2024. The PDPL applies extraterritorially: it covers processing of personal data of Saudi residents by entities outside Saudi Arabia.
In August 2024, the Saudi Data and AI Authority (SDAIA) issued the Regulation on Personal Data Transfer Outside the Kingdom of Saudi Arabia. The Transfer Regulations permit cross-border transfers if: the destination country provides adequate protection, or the controller implements appropriate safeguards, or one of the specified legal bases applies (consent, contractual necessity, vital interests, or public interest).
SAMA (Saudi Arabian Monetary Authority) regulations require financial institutions to maintain primary data storage in Saudi Arabia. The National Health Information Center imposes additional requirements for health data. The National Cybersecurity Authority (NCA) requires government data to remain on Saudi soil.
Turkey: Conditional Transfer Framework
Turkey's Personal Data Protection Law No. 6698 (KVKK) does not impose strict data localization but creates a conditional transfer framework that can function as practical localization.
Cross-border transfers require either explicit consent from the data subject or an adequacy decision by the Personal Data Protection Board (KVKK Board). In March 2024, the KVKK Board updated its approach, allowing transfers based on binding corporate rules, standard contractual clauses, or other approved safeguards, bringing Turkey's framework closer to the GDPR model. This update aligns with Turkey's long-standing ambition toward GDPR adequacy recognition. See our [Turkey data privacy laws](/world-laws/world-data-privacy-laws/turkey-data-privacy-laws) guide for full details.
Kazakhstan: Localization with 2024 Amendments
Kazakhstan's Law on Personal Data and Its Protection (Law No. 94-V) requires operators handling personal data of Kazakhstani citizens to store that data on servers located within Kazakhstan. Amendments effective February 11, 2024 (passed December 11, 2023) introduced new obligations: organizations must notify the Ministry of Digital Development of any personal data security breaches, with the notification requirement effective July 1, 2024. Collecting and processing physical copies of identity documents is now prohibited. The Ministry gained authority to conduct unscheduled compliance inspections.
Sector-Specific Localization Patterns
Several patterns emerge across jurisdictions where localization applies to specific sectors rather than all data.
Financial Data
Banking regulators worldwide frequently impose the strictest localization rules. India's RBI payment data mandate, Indonesia's OJK requirements, Nigeria's CBN directives, China's banking data rules, and Saudi Arabia's SAMA regulations all require some degree of local storage for financial data. Financial data localization is the most globally consistent sector pattern.
Healthcare Data
Health data localization appears in Australia (My Health Records Act), Turkey (health data regulations), Saudi Arabia (National Health Information Center requirements), and several EU member states that impose additional restrictions on health data beyond the GDPR baseline.
Telecommunications
Telecom metadata and subscriber data face localization requirements in Russia, China, Vietnam, India (through telecom license conditions), and several African countries. These rules often derive from national security and law enforcement access concerns.
Government and Public Sector Data
Almost universally, countries require government data to be stored domestically. This includes Indonesia's GR 71/2019 for public electronic systems, Nigeria's NITDA guidelines, India's government cloud policy, and Saudi Arabia's NCA requirements.
Artificial Intelligence Training Data
China's AI governance regulations, which are now integrated into the CSL framework as of the January 2026 amendments, include localization components for AI training data processed by CII operators. Organizations training AI models on data collected from Chinese users within CII sectors must ensure that training data remains subject to the standard localization and security assessment requirements.
The EU and Data Sovereignty
The GDPR does not require data localization within the EU or EEA. Instead, it permits cross-border transfers to countries with adequate protection or through approved transfer mechanisms such as Standard Contractual Clauses, Binding Corporate Rules, or adequacy decisions. The GDPR framework is built around transfer conditions, not storage mandates.
However, the EU is not entirely free of data sovereignty pressures.
The European Cybersecurity Certification Scheme for Cloud Services (EUCS), developed by ENISA under the EU Cybersecurity Act, has been the subject of prolonged debate over sovereignty requirements. Earlier EUCS drafts included explicit sovereignty requirements for the highest certification tier (High+): EU headquarters location, EU jurisdictional control, and no legal obligation to disclose data to third-country governments. These requirements would have effectively excluded major US cloud providers from achieving the top certification tier. In September 2024, the EU Council urged ENISA and the European Commission to accelerate the EUCS process and clarify how sovereignty criteria would be incorporated. Adoption by the European Cybersecurity Certification Group (ECCG) was targeted for 2025, though the sovereignty question remained contested.
Several EU member states impose sector-specific localization requirements that go beyond the GDPR baseline. Germany, France, and the Netherlands impose additional requirements for health data. Multiple member states require government-related data to remain on national soil. These member-state rules coexist with the GDPR's general transfer framework.
The Economic and Trade-Policy Debate
Data localization requirements carry measurable economic costs. The Information Technology and Innovation Foundation (ITIF) has identified 154 cases of explicit or de facto data-localization regulations in 66 countries. Using an OECD-derived data-restrictiveness index, ITIF estimates that a 1-point increase in a country's data restrictiveness reduces its gross trade output by 7 percent, slows productivity by 2.9 percent, and increases downstream prices for data-reliant industries by 1.5 percent over five years.
The most data-restrictive countries in the ITIF analysis are China (29 localization measures), India (12), Russia (9), and Turkey (7).
At the World Trade Organization, digital trade discussions within the Joint Statement Initiative on Electronic Commerce have addressed cross-border data flows. Several WTO members have proposed binding commitments on data flow liberalization, but no binding multilateral agreement on data localization has been concluded.
Proponents of localization argue that it serves legitimate interests: national security (preventing foreign intelligence access to citizen data), law enforcement access (ensuring data is available for investigations within the jurisdiction), economic development (building domestic cloud industries and keeping data-processing jobs local), and privacy protection (keeping citizen data under national law). Critics argue that localization fragments the global internet, raises compliance costs for businesses operating across borders, disadvantages developing countries that lack domestic cloud infrastructure, and duplicates infrastructure at significant economic cost without commensurate security benefits.
The balance between these interests is not resolved. The global trend is toward more localization, not less, even as some countries (notably India with the DPDP Act) have moved toward more permissive baseline frameworks than their earlier drafts proposed.
Recent Developments (2024-2026)
Several significant developments have occurred since the previous review of this page (March 2026):
China. The CSL amendments took effect January 1, 2026, increasing maximum penalties to RMB 10 million, expanding extraterritorial reach, and integrating AI governance. The March 2024 CAC cross-border provisions relaxed transfer thresholds and introduced FTZ negative lists, representing the most significant easing of China's cross-border rules to date.
India. The DPDP Rules were finalized and published in November 2025. Rule 15 establishes the negative-list cross-border transfer model. Full compliance is required by May 2027. The negative list of restricted countries has not yet been published.
Saudi Arabia. The PDPL grace period ended September 14, 2024. SDAIA issued the cross-border transfer regulation in August 2024. Saudi Arabia's data protection regime is now fully operative and enforceable.
Nigeria. The NDPA, signed June 2023, replaced the NDPR as the statutory basis for data protection. The 2024 CNII designation of BVN, NIN, and NIBSS added new critical infrastructure localization obligations.
Indonesia. The PDP Law's two-year transition period ended October 17, 2024. All organizations were required to achieve full compliance as of that date.
Russia. The FZ-266 cross-border transfer notification requirement (effective March 2023) added a mandatory pre-transfer notification step to Roskomnadzor for any cross-border personal data transfer.
Kazakhstan. February 2024 amendments introduced breach notification obligations (effective July 2024) and prohibited physical identity document collection.
Compliance Strategies for Multinational Organizations
Organizations operating across multiple jurisdictions with different localization requirements can adopt several strategies.
Regional Data Center Architecture
Deploying data centers (or contracting with cloud providers) in key jurisdictions ensures local storage compliance. Major cloud providers like AWS, Microsoft Azure, and Google Cloud offer region-specific data residency options. Organizations can configure data residency policies to ensure that data from specific countries remains within designated regions. Major providers have also introduced sovereign cloud offerings: Google's Sovereign Cloud, Microsoft's EU Data Boundary, and comparable products allow organizations to contractually commit that certain data never leaves a defined geographic zone, which can satisfy soft localization requirements without the capital expense of dedicated infrastructure.
Data Segregation and Classification
Implementing data classification frameworks that tag data by jurisdiction and category allows organizations to apply localization rules selectively. Not all data from a given country requires localization; often only specific categories (financial, health, government) are subject to local storage requirements.
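The tagging approach described above can be enforced as an automated placement audit. The sketch below is an added example, not part of the original guide: it applies this page's hard/soft definitions to a storage inventory and fails closed on untagged data. The region identifiers, dataset names, finding codes and the three policy entries (drawn from the summary table) are illustrative assumptions, not a legal determination.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    HARD = "hard"  # no copy may sit outside the country
    SOFT = "soft"  # a local copy is mandatory; foreign copies are conditional
    NONE = "none"  # no storage mandate in this policy subset


# Illustrative subset based on the summary table, keyed by
# (jurisdiction tag, category tag). Assumed for the example only.
POLICY = {
    ("IN", "payment"): Mode.HARD,
    ("ID", "public_system"): Mode.SOFT,
    ("KZ", "personal"): Mode.SOFT,
}

# Hypothetical region identifiers mapped to the country that hosts them.
REGION_COUNTRY = {
    "in-central": "IN",
    "id-west": "ID",
    "kz-north": "KZ",
    "eu-central": "DE",
    "us-east": "US",
}


@dataclass
class Dataset:
    name: str
    jurisdiction: Optional[str]  # country whose residents the data describes
    category: Optional[str]      # e.g. "payment", "personal"
    primary_region: str
    replica_regions: list = field(default_factory=list)
    transfer_mechanism: Optional[str] = None  # e.g. "SCC", "consent"


def check(ds: Dataset) -> list:
    """Return finding codes for one dataset; an empty list means no finding."""
    if not ds.jurisdiction or not ds.category:
        return ["UNCLASSIFIED"]  # fail closed: untagged data cannot be placed

    regions = [ds.primary_region, *ds.replica_regions]
    if any(r not in REGION_COUNTRY for r in regions):
        return ["UNKNOWN_REGION"]  # cannot prove where the bytes live

    countries = [REGION_COUNTRY[r] for r in regions]
    abroad = [c for c in countries if c != ds.jurisdiction]
    mode = POLICY.get((ds.jurisdiction, ds.category), Mode.NONE)

    findings = []
    if mode is Mode.HARD and abroad:
        findings.append("HARD_COPY_ABROAD")
    if mode is Mode.SOFT:
        if ds.jurisdiction not in countries:
            findings.append("MISSING_LOCAL_COPY")
        if abroad and not ds.transfer_mechanism:
            findings.append("UNDOCUMENTED_TRANSFER")
    return findings


def audit(datasets) -> dict:
    """Map dataset name -> findings, keeping only datasets with findings."""
    report = {ds.name: check(ds) for ds in datasets}
    return {name: f for name, f in report.items() if f}


# Constructed inventory for demonstration.
SAMPLE = [
    Dataset("payments-ledger", "IN", "payment", "in-central", ["us-east"]),
    Dataset("payments-ledger-ok", "IN", "payment", "in-central"),
    Dataset("kz-crm", "KZ", "personal", "eu-central"),
    Dataset("kz-crm-ok", "KZ", "personal", "kz-north", ["eu-central"], "SCC"),
    Dataset("in-marketing", "IN", "marketing", "us-east"),
    Dataset("legacy-dump", None, None, "us-east"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {', '.join(findings)}")
```

Run against a real inventory export, a check like this belongs in the deployment pipeline so a replica added in a foreign region is caught before data lands there.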
Hybrid Architectures
Some organizations maintain local "hot" storage for compliance purposes while processing or analyzing data centrally. This approach satisfies localization requirements while preserving the efficiency of centralized analytics. The key is ensuring the local copy meets the "primary storage" requirement where applicable.
Transfer Mechanism Layering
In soft localization jurisdictions, organizations can maintain local storage while using transfer mechanisms (SCCs, adequacy decisions, consent, or contractual clauses) to export copies of data for global operations.
Regulatory Monitoring
Localization laws change frequently. Organizations need a systematic process for tracking legislative and regulatory developments in every country where they operate. The 2024-2026 period saw significant changes in India, Saudi Arabia, Indonesia, Nigeria, Kazakhstan, and China. Quarterly compliance reviews are a minimum for organizations with significant presences in these markets.
This is general legal information, not legal advice. Organizations navigating data localization requirements across multiple jurisdictions should consult an attorney licensed in the relevant jurisdiction for advice specific to their situation. This page reflects information available as of May 2026.
Sources and References
- China PIPL (npc.gov.cn)
- China Data Security Law (npc.gov.cn)
- China Cybersecurity Law (as amended January 2026) (npc.gov.cn)
- China CSL Amendment (October 2025, effective January 2026) (gov.cn)
- CAC Cross-Border Data Flow Provisions (March 2024) (chinalawtranslate.com)
- CAC Standard Contract for Data Export (2023) (cac.gov.cn)
- Russia Federal Law 242-FZ (pravo.gov.ru)
- Council of Europe Convention 108 (coe.int)
- India DPDP Act 2023 (meity.gov.in)
- RBI Payment Data Storage Directive (rbi.org.in)
- Vietnam Cybersecurity Data Localization (US ITA) (trade.gov)
- Nigeria Data Protection Act 2023 (cert.gov.ng)
- Nigeria Data Protection Commission (ndpc.gov.ng)
- Turkey KVKK Law 6698 (mevzuat.gov.tr)
- Indonesia GR 71/2019 (jdih.kominfo.go.id)
- Saudi Arabia PDPL Implementing Regulations (istitlaa.ncc.gov.sa)
- Saudi Arabia ICT Cross-Border Transfer Enforcement (US ITA) (trade.gov)
- Kazakhstan Data Localization Overview (Morgan Lewis 2024) (morganlewis.com)
- ITIF: Barriers to Cross-Border Data Flows (itif.org)
- ITIF: EU Cloud Service Restrictions (2025) (itif.org)
- Hogan Lovells: EUCS Sovereignty Debate (hoganlovells.com)