FEATURE
Yet, while international convergence is growing, the reality on the ground remains fragmented. GDPR continues to set the baseline across Europe; however, member states often add stricter national provisions, creating complexity for organizations hosting data across borders.
Outside Europe, China’ s Personal Information Protection Law governs outbound transfers through security assessments, standard contracts or certification. The 2024 Cyberspace Administration of China rules exempted some data exports yet maintained strict control for‘ important data’, extending data export security assessment validity to three years.
Japan’ s Act on the Protection of Personal Information allows transfers of data to designated countries or with consent and adequate safeguards. Vietnam’ s Cybersecurity Law and Decree 53 add data-localization and approval requirements for certain transfers.
In Canada, federal reform stalled in 2025, so obligations lean on provinces such as Québec’ s Law 25, which requires transfer privacy impact assessments.
Regional perspectives
Data sovereignty is interpreted differently across markets, so compliance paths vary by region. France requires Health Data Hosting certification for hosting personal health data and the updated scheme requires physical hosting within the EEA with specified controls.
SecNumCloud further limits eligible cloud services through EU or EEA data residency, EU control of operations and safeguards against extra-territorial access.
In the UK, data centres have been designated Critical National Infrastructure, and the Cyber Security and Resilience Bill is expected to tighten incident reporting and supply-chain requirements. The Data Use and Access Act 2025 reforms UK data law, with changes phasing in through 2026.
In Japan, amendments to the Act on the Protection of Personal Information strengthened rules for third-country transfers, including disclosure and ongoing monitoring obligations. This sits alongside the EU – Japan agreement for an economic partnership, reinforced by a protocol in 2024 that supports the free and trusted flow of personal data between the two jurisdictions while maintaining high privacy standards.
The protocol highlights how state-level cooperation is becoming a prerequisite for frictionless cross-border data exchange. Customers often seek practical guidance against this backdrop, particularly where workloads span domestic and international infrastructure.
Design strategies
As frameworks evolve at different speeds and across regions, adaptability becomes a design requirement. Data centres can no longer be built as static assets; instead, they must evolve in step with regulation and demand. Modular construction has become a key pillar of data centre strategies, reducing risk by allowing flexibility to adapt with demand or regulatory requirements mid-programme and enabling adjustments without complete redesigns.
Operators can introduce new security zones and monitoring controls that improve resilience in later phases while keeping earlier phases
38
INTELLIGENT CIO APAC www. intelligentcio. com