{"id":24,"date":"2026-04-11T17:01:29","date_gmt":"2026-04-11T16:01:29","guid":{"rendered":"https:\/\/michiel.vanotegem.nl\/?p=24"},"modified":"2026-04-11T17:02:47","modified_gmt":"2026-04-11T16:02:47","slug":"data-residency-is-dumb-for-most-data","status":"publish","type":"post","link":"https:\/\/michiel.vanotegem.nl\/index.php\/2026\/04\/11\/data-residency-is-dumb-for-most-data\/","title":{"rendered":"Data Residency is Dumb (for most data)"},"content":{"rendered":"\n

Data residency is the idea that data should be stored within a country, and only within that country. The idea behind data residency is that only a country\u2019s jurisdiction applies and that therefore no other country can legally<\/em> access that data. The reality is that legal access risks tell a different story.<\/p>\n\n\n\n

Note: this post has been updated several times to include latest events, but has not been updated to reflect risks associated with sanctions by a government. If I post an article on that, I will link to it here.<\/em><\/p>\n\n\n\n

First, legal access doesn’t necessarily stop at the border. Under certain conditions, requesting data that is stored in another country is possible. The United Stated CLOUD Act is referenced most in this context, but considering most laws in many countries predate the global digitization, it is safe to assume there are countries with laws that can be interpreted to giving government the authority to gain legal access to data outside the country. Even in my own country this doesn’t seem to be clear cut<\/a>.<\/p>\n\n\n\n

Second, the risk of legal access by a foreign jurisdiction is extremely small, regardless of where data is stored. To get an idea of the risk, you can look at the Government Requests for Customer Data Report<\/a> that Microsoft publishes. It provides the numbers around government access, grouped by country. While the by country numbers say nothing about whether it was a cross-border request, it is striking that absolute number of requests done by countries in Europe is far higher than the United States. I have no idea why that is, but I hope it is because European law enforcement is better at its job. The cross-border requests by the United States are called out specifically in the report and for as far as these reports go back (which is almost a decade now), the number of cross-border requests is pretty low (around 50 per 6 months) and about 10% lead to disclosure of data (which means 90% are successfully redirected or fought in a court of law). In the grand scheme of things, these are very low numbers and you can bet these have to do with international terrorism, drug trafficking, child pornography or other heavy crimes.<\/p>\n\n\n\n

Another risk commonly cited is data access requests from intelligence agencies and these are a bit murkier. Microsoft also reports<\/a> on this kind of access, specifically for the US Foreign Intelligence Surveillance Act (FISA) and National Security Letters, and these numbers are given in ranges, which is already quite something considering this is considered sensitive information.<\/p>\n\n\n\n

However, even if you include access for intelligence purposes, there are several areas that pose significantly higher risk than the jurisdictional risk of data not being resident:<\/p>\n\n\n\n