At the end of this year, the Brexit transition period will end and with it, the UK’s membership in the ‘safe data’ club*. When the transition period ends, the UK will become a ‘third country’ outside the EEA, meaning its data protection laws have to be assessed by the European Commission and determined to be either adequate or non-adequate. There are two potential problems here, which will affect you if you're using cloud storage:
1. The adequacy assessment may not be complete by the end of the transition period
2. There is a possibility the UK might not be deemed adequate
*The first rule of the safe data club is you don’t talk about the safe data club.
In the event of no decision or an assessment of non-adequacy, data transfers from the EEA to the UK would be illegal. There are ways of getting around this with SCCs (Standard Contractual Clauses), BCRs (Binding Corporate Rules), and other agreements, but these will all need to be put in place individually and can’t be assumed.
In other words: it’s a headache.
You might be thinking ‘This doesn’t affect me, I don’t do business with the EEA’. But for businesses using cloud-based data storage and tools, it might not be so clear-cut.
Where is my data stored?
Let’s say, for example, your business is using AWS, Amazon’s cloud service. Your data could be in a data centre nearby. Or it could be in another country entirely. AWS has 216 ‘points of presence’ and is available in 245 countries and territories – and since one of the great things about the cloud is that you don’t have to think about the servers, most users probably don’t know where in the world their data is stored.
Google customers are in the same situation. Google has 144 network edge locations and is available in 200+ countries/territories. Unless your cloud provider specifically advertises itself as being UK-based or UK-only, your data could be anywhere.
That hasn’t been a problem – up until now. But the future is uncertain. If your data is stored in the EEA after the transition period has ended and if the UK hasn’t received an adequacy decision, will you be able to access it?
The rules are changing all the time
This might seem like a silly question. If the UK has been allowed to receive EEA data up until now, why would that stop overnight? We are GDPR compliant, aren’t we?
The reality is that UK GDPR compliance is different to EU GDPR compliance.
In the UK, for example, the government has ruled that it is okay for security services to access data held by organisations without informing those organisations or the data subjects. In the EU, that is not allowed. That puts the UK in closer alignment with the US, which also gives security services access to private data without informing the data subjects or the data owners.
Up until recently, the US had a data protection agreement with the EU called the EU-US Privacy Shield, a kind of ‘freedom of movement’ agreement that allowed for easy data transfer between the EU and the US. In July 2020 the Court of Justice of the European Union struck down the agreement and ruled the US a non-adequate country to be transferred EEA citizens’ data because of privacy concerns around government snooping. This makes it considerably harder for personal data to be transferred between the EU and the US. It also raises the question of whether the UK will suffer the same fate, given the data access granted to security services by the 2016 Investigatory Powers Act.
Bring your data home
With so much uncertainty, the safest thing you can do is bring your data back to the UK. Talk to your cloud provider to see whether they can make that happen and if they can’t give you those assurances, look at other options. There are UK-based cloud providers and their capacity has been increasing since discussions of this uncertainty began to arise. You could also explore private cloud alternatives or consider repatriating your data and returning to privately-run systems that are totally within your control.
Don’t put it off
Tempting as it may be to leave this job on the ‘to do’ pile, it’s really important that you look into your existing data storage set-up now so that you are not left in the lurch on January 1st. Find out where your data is and make sure you will still be able to access it after the Brexit transition period.
If you’re in any doubt, move it back to the UK – and do it quickly. There is bound to be a rush as the year draws to a close, so act fast to beat the queue! And if you need a reliable UK-based private cloud and colocation provider, or just someone to talk through your options, 4D is here for you.