Data Mobility Post-Brexit
I am currently engaged in helping companies in the EU and in the UK make decisions about where their data is stored, how it is accessed, and how to keep things as stable as possible over the next few years.
This is a rapidly-evolving area, and in 2021 there is no one correct answer for all situations. Stability and certainty appear to be decreasing in the UK and increasing in the EU.
Background
The UK has historically been a trusted destination for international data storage, and certainly for UK companies. There have been numerous political and legal decisions to chip away at that, including interpretations of the two Investigatory Powers Acts, and Brexit. A common view expressed since 2014 or so is that master encryption keys should not be kept in the UK, and Brexit has brought up many additional questions about privacy and security.
In 2020, the US CLOUD Act was quickly signed by the UK. The EU and other jurisdictions are increasingly uncomfortable about the CLOUD Act and are unlikely to sign.
Also in 2020, the Five Eyes countries signed a statement Promoting Mathematically Flawed End-to-End Security, joined by India and Japan. The EU does not agree with this position (EU security services are also unhappy about effective end-to-end security, but there is no move to ban it).
Facts In 2021
On 28 June 2021, the European Commission adopted two UK adequacy decisions, stating that in 2021 the UK has not diverged from Europe on privacy standards, and therefore EU personal data may be processed and held in the UK.
There are three key points in these decisions:
- The period of no change is not expected to last long, which is highly relevant to companies making data storage and jurisdiction decisions that will last for many years.
- The EU said "we have significant safeguards [in the decisions] and if anything changes on the UK side, we will intervene." EU representatives have stated that they do not trust the UK to keep its promises on data standards.
- These adequacy decisions are valid for four years at most, i.e. until June 2025 at the latest.
There is reason to expect the UK to diverge quickly from Europe on data standards:
- The UK is one of the Five Eyes countries, whose behaviour led to US cloud companies being banned in some circumstances in Europe, as I analysed here. The UK has repeatedly been identified as conducting spying on US citizens that is illegal in the US, and since Brexit the UK has the same "third country" relationship to the EU as the US does.
- The UK shows little interest in replacing US cloud companies or punishing them for bad behaviour. The opposite is true in many EU countries and in the EU institutions.
- The UK seems strongly inclined to derogate from or withdraw from the European Convention on Human Rights, even though its membership and history are not related to the EU, and even though the Convention had substantial UK input in its design and operation. A 2021 UK case on surveillance relied on Common Law rather than human rights law, which is a step away from internationally-recognised rights standards.
There are some technical facts too:
- Fibre optic connectivity to the EU from the UK is excellent, meaning that a datacentre in France or Germany is practically as close as London or Glasgow for most companies in the UK.
- Connectivity across the Atlantic typically goes via Europe, mostly through the Netherlands.
- It is inconvenient and technically difficult to store master encryption keys in the UK such that the UK government cannot force their disclosure. This is related to the UK Regulation of Investigatory Powers Act, the UK Terrorism Act, and interpretations of self-incrimination (i.e. being compelled to hand over passwords and the like). Unfortunately, perfectly ordinary businesses are caught up in these matters of personal liberty and state powers of compulsion.
What Are the Options?
Before discussing the options, companies need to accept that this is not theoretical. Even though the latency differences may be just milliseconds and users will never notice a change in the application, hosting in the EU means that the ultimate passwords must be held on EU soil, not UK soil. It also means that ultimate decision making must be in the EU, not in the UK. There is no doubt about these statements, but their implications can be confronting for UK companies.
The options available depend on the company:
- Splitting hosting for databases for EU and UK customers. The questions are: whether UK customers gain or lose by this arrangement; whether UK customers should be given the choice of jurisdiction; and how it is possible for any UK company to know whether one of its customers is an EU citizen or not (no, it is not possible).
- Hosting all data in the EU, with ultimate password authority managed by an independent EU contractor such as a law firm. There are many data storage companies in the EU with equivalent capabilities to UK and US companies, for most technical purposes.
- Splitting the IT data management functions of the company and moving them to Europe. This will meet the independence requirements and tests, so long as the company is not a subsidiary of the UK company. It may also open up business opportunities. On the other hand, this is an uncomfortable change for any traditional monolithic IT department.
- Viewing the data storage requirements as a form of outsourcing.
- Taking advantage of the special situation of Northern Ireland, although this is looking less and less useful as the situation progresses. Even in the case of a datacentre sited precisely on the border in Ireland between the EU and the UK, with movable data racks, business uncertainty would remain.