Data Mobility Post-Brexit
From time to time I am engaged to help organisations in the UK and in the EU make decisions about where their data is stored, how it is accessed, and how to keep things as stable as possible over the next few years.
This is a rapidly-evolving area, and in 2024 there is no one correct answer for all situations. Organisations need as much certainty as they can get for making decisions which are expensive to change in the future.
There are also some non-controversial requirements, in the sense that there is no debate about them. For example, any UK company offering services to EU residents must have a representative based in the EU to process personal data of EU persons. That is stated in GDPR Article 27 and the UK ICO explains this well. Companies have received fines for failing to do this, and it applies to some non-commercial organisations too.
Background
The UK has historically been a trusted destination for international data storage, and UK companies have regarded themselves as having a natural advantage from this point of view. Various political and legal decisions have chipped away at that, including interpretations of the two UK Investigatory Powers Acts, and Brexit. A view expressed in technical circles since 2014 or so is that master encryption keys should not be kept in the UK, and since Brexit took effect in 2020 many additional questions arise about privacy and security. This has progressed from being a technical curiosity to an urgent matter affecting core business operations.
In 2020, the US CLOUD Act was quickly signed by the UK, which was at liberty to do so due to Brexit. This put the UK out of step with the EU, who continues to develop data sovereignty initiatives, the first of which comes into effect in 2025. 2025 is also when the UK's adequacy for handling EU data expires (see below.)
Also in 2020, the Five Eyes countries signed a statement Promoting Mathematically Flawed End-to-End Security, joined by India and Japan. The EU does not agree with this position. EU security services are also unhappy about mathematically correct end-to-end security, but there is no move to ban it, so this also increases distance between default EU and UK positions.
Adequacy decisions 2021-2025
On 28 June 2021, the European Commission adopted two UK adequacy decisions expiring in June 2025. These state that as of 2021 the UK has not diverged from Europe on privacy standards, and therefore EU personal data may be processed and held in the UK. These do not absolve companies from needing an EU representative, as per GDPR Article 27.
There are two key points made many times in these adequacy decisions and associated official comments:
- We have significant safeguards [in the decisions] and if anything changes on the UK side, we will intervene. EU representatives have stated elsewhere that they do not trust the UK to keep its promises on data standards, and that they are very alert.
- For the first time, regardless of anything else, the EU issued these adequacy decisions with a sunset clause, valid for four years maximum. At most it will be June 2025 before the adequacy assessment process starts again for the UK. This is evidence of mistrust.
The 2025 expiry of adequacy is significant uncertainty for UK organisations. There are no guarantees, but there are some strategies to reduce risk.
Data protection facts as of 2024
The EU has good reason to be suspicious of UK intentions regarding data protection:
- The UK parliament Retained EU Law (Revocation and Reform) Act 2023 was enacted in June 2023, and proposed to repeal the UK GDPR (also called the Data Protection Act) on 31st December 2023. The proposed replacement was the Data Protection and Digital Information Bill (DPDI) 3322 but UK political turmoil caused delays and it was withdrawn in March 2023. Now we have the Data Protection and Digital Information Bill (DPDI) 3430 which as of October 2024 is progressing through UK parliament. There seem to be legitimate ongoing doubts about compatibility with the EU regime, and substantial pressures to diverge.
- The UK shows little sustained interest in restraining or replacing US cloud companies or insisting that non-compliant behaviour stop ("non-compliance" as defined by the GDPR and/or court decisions, in all of the EU, UK and US.) The opposite is true in many EU countries and in the EU institutions.
- Successive UK governments seem strongly inclined to derogate from or withdraw from the European Convention of Human Rights, even though its membership and history is not related to the EU, and even though it had substantial UK input in its design and operation. This is not a new idea - withdrawal from the ECHR was in the 2012 UK Conservative Manifesto. In 2024 the UK government felt a need to state that proposed DPDI was consistent with the EUCHR, which indicates the level of concern (and stating this does not make it true; everything is still unclear.) This is not something any organisation can be sure about.
- A 2021 UK case on surveillance relied on Common Law rather than human rights law, which is a step away from internationally-recognised rights standards.
- The UK is one of the Five Eyes countries, whose behaviour lead to US Cloud companies being banned in some circumstances in Europe as I analysed here. The UK has repeatedly been identified as conducting spying on US citizens that is illegal in the US, and since Brexit the UK has the same "third country" relationship to the EU as it does to the US.
The National Security Act 2023 was passed in part to respond to aspects of UK mass surveillance being ruled as illegal by the EU Court of Human Rights (ECtHR) in 2021. This general issue is not settled.
The reasons US cloud service are inappropriate relate to legal facts (where US Acts and Presidents claim global access to all data), and espionage facts as revealed by many including Edward Snowden.
Even these facts can be somewhat arguable, and of course many US companies operating in the EU/UK do so, awaiting further decisions by the highest EU courts. However there is little uncertainty about technical and mathematical facts such as:
- Fibre optic connectivity to the EU from the UK is excellent, meaning that a datacentre in France or Germany is practically as close as London or Glasgow for most companies in the UK.
- It is mathematically possible to store data from the UK such that only someone with keys based in the EU can read it. This is conceptually a kind of drop box.
- It is mathematically possible to detect whether (a) any individual or (b) a specific authorised individual has (c) accessed or (d) changed data. This means that EU and UK-specific audit trails can be implemented with a level of assurance that the EU is likely to accept.
- It is not mathematically possible to be sure that nobody has accessed information if master keys for that information are held by someone in an untrusted jurisdiction (i.e. one that is judged inadequate by the EU)
- It is inconvenient and technically difficult to store master encryption keys in the UK in a way that is legally secure from the UK government. This is related to the UK Regulation of Investigatory Powers Act, and the UK Terrorism Act, and UK interpretations of self-incrimination (ie the circumstances of handing over passwords and the like.) Unfortunately, many ordinary businesses are caught up in these matters of personal liberty and state powers of compulsion. While there can be similar situations in the EU, the EU Human Rights-based approach reduces that risk.
- Connectivity across the Atlantic often goes via Europe in any case, with no or little difference in transit time
These technical and mathematical facts show that is it possible, and sometimes preferable, for UK companies to handle personal data in the EU rather than in the UK. That does not mean it is easy, just easier than the alternatives.
What Are the Options?
The question "should I keep personal data in the UK?" is not theoretical. Data storage decisions can involve a lot of money and need to be stable for as long as possible, and UK companies often have global or European customers with specific requirements.
It is not a simple fix to host data in the EU. Even though the differences may be just milliseconds and users will never notice a change in the application, hosting in the EU means that ultimate passwords must be held on EU soil, not UK soil. It also means that ultimate decision making must be in the EU, not in the UK. There are financial and organisation implications. These are factual statements rather than opinions about what might be possible. The implications can be confronting for UK companies, and as of 2024 most companies have not considered them.
This is not a theoretical consideration | |
---|---|
Hosting in the EU means that ultimate passwords must be held on EU soil, not UK soil, including the ultimate authority to use or change these passwords. | |
Splitting Database Hosting Between EU and UK customers
It can be possible to split the UK and EU customers of a company.
Analysis will show case-by-case whether, for a particular organisation:
- whether UK customers gain or lose by this arrangement;
- whether UK customers should be given the choice of jurisdiction;
- whether it is possible for any UK company to know accurately whether one of their customers is an EU citizen or not (almost certainly no, it is typically not technically possible at all. That may sound odd, but there are so many exceptions that this is a generally true statement);
- whether there is a definitive answer for customers who are both EU and UK
In other words, in many cases, accurately dividing customers by perceived jurisdiction is not possible. It would often be very difficult to defend the decision in court, or to a privacy enforcement body, or to a customer who has made a subject access request.
Hosting all data in the EU
This might sound simple, but it has implications for UK company structure and decisionmaking. If you're hosting in the EU, then ultimate password authority must be managed by an independent EU contractor (perhaps a law firm.) There are many data storage companies in the EU with equivalent technical capabilities to UK and US companies, so question is the corporate constraints, not technical constraints. UK CEOs and boards of management often feel uncomfortable when they realise that they will not be able to decide definitively what will happen to data that they are storing regarding their own customers. It may contradict certain duties in law unless the corporate structure is changed.
Splitting the IT data management functions of the company
This means establishing a new data storage company that is 100% based in Europe, in the eyes of EU law. This will meet the independence requirements and tests, so long as the company is not a subsidiary of the UK company. It may also open up business opportunities. This is not compatible with traditional monolithic IT department organisation.
It helps to remember that under increasingly broad circumstances US Cloud Companies are becoming illegal to use in Europe, and that the UK has chosen to become a third country towards the EU in the same way that the US, Peru and any other country is. The status of the UK on this issue is murky, as of 2024.
Other Options
- View the data storage requirements as a form of outsourcing, and then engage a third-party EU storage company.
- Take advantage of the special situation of Northern Ireland. This is looking less useful as the Brexit process progresses in 2024. There would still be business uncertainty even in the humorous hypothetical case of a datacentre with movable data racks sited precisely on the Irish border between the EU and the UK.