FEATURE
Law and Decree 53 add data-localization and approval requirements for certain transfers.
In Canada, federal reform stalled in 2025, so obligations lean on provinces such as Québec’ s Law 25, which requires transfer privacy impact assessments.
Regional perspectives
Data sovereignty is interpreted differently across markets, so compliance paths vary by region. France requires Health Data Hosting certification for hosting personal health data and the updated scheme requires physical hosting within the EEA with specified controls.
SecNumCloud further limits eligible cloud services through EU or EEA data residency, EU control of operations and safeguards against extra-territorial access.
In the UK, data centres have been designated Critical National Infrastructure, and the Cyber Security and Resilience Bill is expected to tighten incident reporting and supply-chain requirements. The Data Use and Access Act 2025 reforms UK data law, with changes phasing in through 2026.
In Japan, amendments to the Act on the Protection of Personal Information strengthened rules for third-country transfers, including disclosure and ongoing monitoring obligations. This sits alongside the EU – Japan agreement for an economic partnership, reinforced by a protocol in 2024 that supports the free and trusted flow of personal data between the two jurisdictions while maintaining high privacy standards.
The protocol highlights how state-level cooperation is becoming a prerequisite for frictionless cross-border data exchange. Customers often seek practical guidance against this backdrop, particularly where workloads span domestic and international infrastructure.
Design strategies
As frameworks evolve at different speeds and across regions, adaptability becomes a design requirement. Data centres can no longer be built as static assets; instead, they must evolve in step with regulation and demand.
Modular construction has become a key pillar of data centre strategies, reducing risk by allowing flexibility to adapt with demand or regulatory requirements mid-programme and enabling adjustments without complete redesigns. Operators can introduce new security zones and monitoring controls that improve resilience in later phases while keeping earlier phases operational. This gives customers the option to migrate sensitive workloads into new halls designed with stricter compliance standards while leaving other environments unchanged.
Instead of a single monolithic facility, capacity arrives in repeatable blocks that can be finetuned in phases. When retrofits are required, the
38
INTELLIGENT CIO NORTH AMERICA www. intelligentcio. com