VIDEO: Proskauer’s Mathews Gives In-Country Data Storage Tips

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Companies concerned about laws in Russia and elsewhere that require local storage of data should first verify the types of data they collect and identify whether they store information in such countries, Kristen Mathews of Proskauer Rose LLP told Bloomberg BNA in a video interview.

Data localization laws, which require companies to store personal data of a country’s citizens in databases located inside the country, come in “all shapes and sizes,” and vary in scope and application, Mathews, who heads Proskauer’s privacy and cybersecurity practice in New York, said. Some of the laws apply only to internet service providers, while others apply s to all companies, Mathews said. Some laws apply to all data, while some apply only to specific types of data, she said.

Carrying out a compliance risk analysis is crucial, Mathews said. Companies must look at whether countries that require local storage of data are actively enforcing the law, she said.

Kristen Mathews

Russia’s data localization law, which took effect in September 2015, is of particular interest to companies. Russia’s law is very broad in scope and the kinds of data to which it applies, she said. Russia’s privacy regulator is actively enforcing the law and has performed more than 1,000 audits, Mathews said. In November 2016, the Russian government blocked LinkedIn Inc.'s website and now the application isn’t available in Russian app stores, she said.

“This is very scary for companies that are in business globally,” Mathews said.

Companies need to understand the types of data they collect and inventory the data that they already have on hand to comply with data localization laws, Mathews said. But companies can’t stop there, because some laws have extra elements, including explicit prohibitions on storing data in certain foreign countries.

Companies need to establish an automatic procedure to distinguish between data that needs to be stored in a certain geographic location and other information that creates no data localization compliance issues. “You don’t want to do this manually,” Mathews said.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald Aplin at

For More Information

The full interview video is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security