Difference between revisions of "Data Mobility Post-Brexit"
Line 1: | Line 1: | ||
I am currently engaged in helping companies in the EU and in the UK make decisions about where their data is stored, how it is accessed, and how to keep things as stable as possible over the next few years. |
I am currently engaged in helping companies in the EU and in the UK make decisions about where their data is stored, how it is accessed, and how to keep things as stable as possible over the next few years. |
||
− | This is a rapidly-evolving area, and in |
+ | This is a rapidly-evolving area, and in 2022 there is no one correct answer for all situations. Stability and certainty appear to be decreasing in the UK and increasing in the EU. |
== Background == |
== Background == |
Revision as of 16:50, 1 February 2022
I am currently engaged in helping companies in the EU and in the UK make decisions about where their data is stored, how it is accessed, and how to keep things as stable as possible over the next few years.
This is a rapidly-evolving area, and in 2022 there is no one correct answer for all situations. Stability and certainty appear to be decreasing in the UK and increasing in the EU.
Background
The UK has historically been a trusted destination for international data storage, and certainly for UK companies. There have been numerous political and legal decisions to chip away at that, including interpretations of the two Investigatory Powers Acts, and Brexit. A common view expressed since 2014 or so is that master encryption keys should not be kept in the UK, and Brexit has brought up many additional questions about privacy and security.
In 2020, the US CLOUD Act was quickly signed by the UK. The EU and other jurisdictions are increasingly uncomfortable about the CLOUD Act and seem unlikely to sign.
Also in 2020, the Five Eyes countries signed a statement Promoting Mathematically Flawed End-to-End Security, joined by India and Japan. The EU does not agree with this position (EU security services are also unhappy about effective end-to-end security, but there is no move to ban it.)
Facts In 2021
On 28 June 2021, the European Commission adopted two UK adequacy decisions, stating that in 2021 the UK has not diverged from Europe on privacy standards, and therefore EU personal data may be processed and held in the UK.
There are two key points made many times in these adequacy decisions and associated official comments:
- We have significant safeguards [in the decisions] and if anything changes on the UK side, we will intervene. EU representatives have stated they do not trust the UK to keep its promises on data standards, and they are very alert.
- For the first time, regardless of anything else, these are adequacy decisions with a sunset clause, valid for four years maximum. At most it will be June 2025 before the adequacy assessment process starts again for the UK.
The EU has good reason to be suspicious of UK intentions regarding data protection:
- The UK is one of the Five Eyes countries, whose behaviour lead to US Cloud companies being banned in some circumstances in Europe as I analysed here. The UK has repeatedly been identified as conducting spying on US citizens that is illegal in the US, and since Brexit the UK has the same "third country" relationship to the EU as it does to the US.
- The UK shows little interest in replacing US cloud companies or punishing them for bad behaviour. The opposite is true in many EU countries and in the EU institutions.
- The UK seems strongly inclined to derogate from or withdraw from the European Convention of Human Rights, even though its membership and history is not related to the EU, and even though it had substantial UK input in its design and operation. A 2021 UK case on surveillance relied on Common Law rather than human rights law, which is a step away from internationally-recognised rights standards.
The problem that US cloud has is based on law and espionage facts as revealed by Edward Snowden and others since. However the issues go beyond this to technical and mathematical facts including:
- Fibre optic connectivity to the EU from the UK is excellent, meaning that a datacentre in France or Germany is practically as close as London or Glasgow for most companies in the UK.
- It is mathematically possible to store data from the UK so that only someone with keys based in the EU can read it. This is conceptually a kind of drop box.
- It is mathematically possible to detect whether (a) any individual or (b) a specific authorised individual has (c) accessed or (d) changed data. This means that EU and UK-specific audit trails can be implemented with a level of assurance that the EU is likely to accept.
- It is not mathematically possible to be sure that nobody has accessed information if the master keys for that information are held by someone in an untrusted jurisdiction (i.e. one that is judged inadequate by the EU)
- It is inconvenient and technically difficult to store master encryption keys in the UK such that the UK government cannot force their disclosure. This is related to the UK Regulation of Investigatory Powers Act, and the UK Terrorism Act, and UK interpretations of self-incrimination (ie the circumstances of handing over passwords and the like.) Unfortunately perfectly ordinary businesses are caught up in these matters of personal liberty and state powers of compulsion. There can be similar situations in the EU, however the Human Rights-based approach reduces the risk.
- Connectivity across the Atlantic often goes via Europe in any case, with no or little difference in transit time
What Are the Options?
Before discussing the options, companies need to accept that the question of "should I keep personal data in the UK" is not theoretical. Data storage decisions can involve a lot of money and need to be stable for as long as possible.
Even though the differences may be just milliseconds and users will never notice a change in the application, hosting in the EU means that ultimate passwords must be held on EU soil, not UK soil. It also means that ultimate decision making must be in the EU, not in the UK. There is no doubt about these statements, but the implications can be confronting for UK companies.
This is not a theoretical consideration | |
---|---|
Hosting in the EU means that ultimate passwords must be held on EU soil, not UK soil, including the ultimate authority to use or change these passwords. | |
Splitting Database Hosting Between EU and UK customers
The questions are:
- whether UK customers gain or lose by this arrangement;
- whether UK customers should be given the choice of jurisdiction;
- it is possible for any UK company to know accurately whether one of their customers is an EU citizen or not (almost certainly no, it is not possible.)
Hosting all data in the EU
This might sound simple, but it has implications for UK company structure and decisionmaking. If you're hosting in the EU, then ultimate password authority must be managed by an independent EU contractor, which could be a law firm. There are many data storage companies in the EU with equivalent technical capabilities to UK and US companies, so this is about the corporate constraints, not technical constraints. UK CEOs and boards of management often feel uncomfortable when they realise that they will not be able to decide definitively what will happen to data that they are storing regarding their own customers.
Splitting the IT data management functions of the company
This means establishing a new data storage company that is 100% based in Europe, in the eyes of EU law. This will meet the independence requirements and tests, so long as the company is not a subsidiary of the UK company. It may also open up business opportunities. This is an uncomfortable change for any traditional monolithic IT department.
It helps to remember that US Cloud Companies are becoming illegal to use in Europe, and that the UK has chosen to become a third country towards the EU in the same way that the US, Peru and any other country is.
Other Options
- Viewing the data storage requirements as a form of outsourcing, and then just engaging a third-party EU storage company.
- Taking advantage of the special situation of Northern Ireland, however this is looking less and less useful as the situation progresses. Even in the humorous theoretical case of a datacentre with movable data racks sited precisely on the Irish border between the EU and the UK - even then there will remain business uncertainty.