Following the UK’s vote to leave the EU, Richard Alexander asks how Brexit might affect data sovereignty for CIOs based in the UK.
Over the last few years we have frequently discussed the issue of data sovereignty, in particular in relation to Cloud Computing. Some of the key issues we have covered have included: vague data locations, possible unauthorised access by firms complying with the USA Patriot Act, and varying security standards, laws and regulations.
The history of data protection and privacy in the UK goes back to Margaret Thatcher and the 1988 Data Protection Act. This allowed UK companies to process personal data on Europeans – for instance allowing a bank in London to use its UK data centres to store and use account information related to customers in Germany or France.
More recently, there has been much debate about the USA Patriot Act, which essentially means data housed in, or passed electronically through, the United States is vulnerable to interception by the authorities. Debate has particularly focused on how the Patriot Act sits with EU data protection principles. In short, the EU position, which is focused on protecting the individual rather than the state, is at odds with the US law.
What’s more, one solution designed to overcome that conflict, known as Safe Harbor, was ruled invalid last year. Since then, a provisional deal called Privacy Shield has been signed – but, crucially, it is an EU deal. Brexit, then, means that UK organisations won’t enjoy its benefits – their data will not be protected when dealing with US companies. The UK will have to develop and negotiate its own arrangements to protect citizens and their data.
No problem on the face of it, but if it is European data a UK organisation is holding, then, as the Information Commissioner puts it:
“…if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
It is quite possible, then, that companies will be required to locate data centres in mainland Europe (or Ireland), with European data residing on EU soil.
Meanwhile, if Britain becomes part of the European Economic Area (EEA) she will be bound by existing EU frameworks – and similarly, if she joins the European Free Trade Association (EFTA), a US-style arrangement might be required.
</gre_replace>
<gr_replace lines="11-11" cat="clarify" orig="One solution">
One solution for multinational corporations would be to have their EU-based divisions provide data storage. However, those without that existing capacity should recognise that now is the time to look for a partner who can help locate European data on European soil.
The point is CIOs need to address these issues now, if they have not already.
One solution for multi national corporations would be to have their EU-based divisions provide data storage. However those without that existing capacity should recognise that now is the time to look for a partner who can help locate European data on European soil.
Either way, if UK companies want to do business with Europeans, they may well have little choice but to cede a degree of their data sovereignty.