Data Mobility Post-Brexit

From Dan Shearer CV

I am currently engaged in helping companies in the EU and in the UK make decisions about where their data is stored, how it is accessed, and how to keep things as stable as possible over the next few years.

This is a rapidly-evolving area, and in 2024 there is no one correct answer for all situations. Stability and certainty appear to be decreasing in the UK and increasing in the EU.

There are also some non-controversial requirements, in the sense that there is no debate about them. For example, any UK company offering services to EU residents must have a representative based in the EU to process personal data of EU persons. That is in GDPR Article 27 and the UK ICO explains this well. Companies have received big fines for failing to do this.

Background

The UK has historically been a trusted destination for international data storage, and certainly for UK companies. There have been numerous political and legal decisions to chip away at that, including interpretations of the two Investigatory Powers Acts, and Brexit. A common view expressed in technical circles since 2014 or so is that master encryption keys should not be kept in the UK, and Brexit has brought up many additional questions about privacy and security. This is usually more difficult to accept from a businesses point of view.

In 2020, the US CLOUD Act was quickly signed by the UK. This is out of step with the EU and other jurisdictions who are increasingly uncomfortable about the CLOUD Act and seem unlikely to sign.

Also in 2020, the Five Eyes countries signed a statement Promoting Mathematically Flawed End-to-End Security, joined by India and Japan. The EU does not agree with this position (EU security services are also unhappy about effective end-to-end security, but there is no move to ban it.)

Adequacy decision 2021

On 28 June 2021, the European Commission adopted two UK adequacy decisions, stating that in 2021 the UK has not diverged from Europe on privacy standards, and therefore EU personal data may be processed and held in the UK. These do not absolve companies from needing an EU representative, as per GDPR Article 27.

There are two key points made many times in these adequacy decisions and associated official comments:

  1. We have significant safeguards [in the decisions] and if anything changes on the UK side, we will intervene. EU representatives have stated they do not trust the UK to keep its promises on data standards, and that they are very alert.
  2. For the first time, regardless of anything else, the EU issued these adequacy decisions with a sunset clause, valid for four years maximum. At most it will be June 2025 before the adequacy assessment process starts again for the UK.

Data protection facts as of 2024

The EU has good reason to be suspicious of UK intentions regarding data protection:

  • The UK parliament Retained EU Law (Revocation and Reform) Act 2023 was enacted in June 2023, and proposes to repeal the UK GDPR (also called the Data Protection Act) on 31st December 2023. The proposed replacement is the Data Protection and Digital Information Bill (DPDI) but UK political turmoil has caused delays and this did not pass in 2023. The DPDI aimed to improve and simplify the UK GDPR, but there is uncertainty about what it will contain as it passes through various revisions.
  • The UK shows little interest in replacing US cloud companies or punishing them for bad behaviour. The opposite is true in many EU countries and in the EU institutions.
  • Successive UK governments seem strongly inclined to derogate from or withdraw from the European Convention of Human Rights, even though its membership and history is not related to the EU, and even though it had substantial UK input in its design and operation. This is not a new idea - withdrawal from the ECHR was in the 2012 UK Conservative Manifesto.
  • A 2021 UK case on surveillance relied on Common Law rather than human rights law, which is a step away from internationally-recognised rights standards.
  • The UK is one of the Five Eyes countries, whose behaviour lead to US Cloud companies being banned in some circumstances in Europe as I analysed here. The UK has repeatedly been identified as conducting spying on US citizens that is illegal in the US, and since Brexit the UK has the same "third country" relationship to the EU as it does to the US.

The problems that US cloud has relate to legal and espionage facts as revealed by many including Edward Snowden.

However the relevant issues go far beyond and include technical and mathematical facts such as:

  • Fibre optic connectivity to the EU from the UK is excellent, meaning that a datacentre in France or Germany is practically as close as London or Glasgow for most companies in the UK.
  • It is mathematically possible to store data from the UK so that only someone with keys based in the EU can read it. This is conceptually a kind of drop box.
  • It is mathematically possible to detect whether (a) any individual or (b) a specific authorised individual has (c) accessed or (d) changed data. This means that EU and UK-specific audit trails can be implemented with a level of assurance that the EU is likely to accept.
  • It is not mathematically possible to be sure that nobody has accessed information if master keys for that information are held by someone in an untrusted jurisdiction (i.e. one that is judged inadequate by the EU)
  • It is inconvenient and technically difficult to store master encryption keys in the UK secure from the UK government. This is related to the UK Regulation of Investigatory Powers Act, and the UK Terrorism Act, and UK interpretations of self-incrimination (ie the circumstances of handing over passwords and the like.) Unfortunately, many ordinary businesses are caught up in these matters of personal liberty and state powers of compulsion. While there can be similar situations in the EU, the EU Human Rights-based approach reduces that risk.
  • Connectivity across the Atlantic often goes via Europe in any case, with no or little difference in transit time

What Are the Options?

The question "should I keep personal data in the UK" is not theoretical. Data storage decisions can involve a lot of money and need to be stable for as long as possible, and UK companies often have global or European customers with specific requirements.

It is not a simple fix to host data in the EU. Even though the differences may be just milliseconds and users will never notice a change in the application, hosting in the EU means that ultimate passwords must be held on EU soil, not UK soil. It also means that ultimate decision making must be in the EU, not in the UK. There are financial and organisation implications. These are factual statements rather than opinions about what might be possible. The implications can be confronting for UK companies, and as of 2024 most companies have not considered them.

This is not a theoretical consideration
Evolution-tasks.png

Splitting Database Hosting Between EU and UK customers

It can be possible to split the UK and EU customers of a company.

Analysis will show case-by-case:

  • whether UK customers gain or lose by this arrangement;
  • whether UK customers should be given the choice of jurisdiction;
  • whether it is possible for any UK company to know accurately whether one of their customers is an EU citizen or not (almost certainly no, it is not possible);
  • whether there is a definitive answer for customers who are both EU and UK

In other words, in many cases, accurately dividing customers by perceived jurisdiction is not possible. It would often be very difficult to defend the decision in court, or to a privacy enforcement body, or to a customer who has made a subject access request.

Hosting all data in the EU

This might sound simple, but it has implications for UK company structure and decisionmaking. If you're hosting in the EU, then ultimate password authority must be managed by an independent EU contractor (perhaps a law firm.) There are many data storage companies in the EU with equivalent technical capabilities to UK and US companies, so question is the corporate constraints, not technical constraints. UK CEOs and boards of management often feel uncomfortable when they realise that they will not be able to decide definitively what will happen to data that they are storing regarding their own customers. It may contradict certain duties in law unless the corporate structure is changed.

Splitting the IT data management functions of the company

This means establishing a new data storage company that is 100% based in Europe, in the eyes of EU law. This will meet the independence requirements and tests, so long as the company is not a subsidiary of the UK company. It may also open up business opportunities. This is not compatible with traditional monolithic IT department organisation.

It helps to remember that under increasingly broad circumstances US Cloud Companies are becoming illegal to use in Europe, and that the UK has chosen to become a third country towards the EU in the same way that the US, Peru and any other country is. The status of the UK on this issue is murky, as of 2024.

Other Options

  • View the data storage requirements as a form of outsourcing, and then engage a third-party EU storage company.
  • Take advantage of the special situation of Northern Ireland. This is looking less useful as the Brexit process progresses in 2024. There would still be business uncertainty even in the humorous hypothetical case of a datacentre with movable data racks sited precisely on the Irish border between the EU and the UK.