Guest post: by Dr Kuan Hon
It’s a time of change and uncertainty for many, as we gear up for the anticipated EU referendum and reinforced EU data protection rules expected to become law this year in the form of the General Data Protection Regulation (GDPR). Organisations need to know the physical locations of their personal data, whether it’s the data of employees, customers, suppliers or others, at all times. This is because EU data protection laws do not allow any “transfers” (mainly interpreted as moving the physical location of personal data outside the EEA) without so-called “adequate protection”, “adequate safeguards” or a recognised exception.
Language can often be a barrier
Under EU data protection laws, “processing” includes mere storage of personal data, not just conducting active computational operations on the data – and “personal data” is a very broad concept, extending to much data that non-lawyers may think were not “personal”. It’s also important to note that, even with personal data physically located in the EEA (e.g. in a UK datacentre), any remote access to that data made from a third country, for example for support purposes, would normally also be considered to involve a “transfer” to that third country.
So, does this mean that UK controllers’ personal data must be physically processed in the UK only? Not necessarily. EU data protection laws require personal data to be kept in the EEA, not just the UK, so using datacentres say in Dublin, Amsterdam or Germany would be allowed. However, other laws or governmental policies (beyond data protection laws) might require storage of data, personal or not, locally. For example, many countries insist that data which might be relevant to national security must be processed only on local soil. Ironically however, under EU data protection laws, EU Member States may allow the transfers of personal data to third countries for certain purposes including national security or law enforcement.
So what’s considered “adequate protection”? The EU-US Safe Harbour scheme used to be recognised as providing adequate protection for transfers to certain US organisations, but that scheme was invalidated by the highest EU court, in October 2015. Political agreement was announced in February 2016 on a proposed “EU-US Privacy Shield”, meant to replace Safe Harbour. In mid-April 2016, EU privacy regulators, the Article 29 Working Party, issued their advisory opinion on the proposed Shield which, while tactfully-worded, showed that they did not consider the proposals wholly satisfactory to provide “adequate” protection for transfers of personal data to the US.
However, the Working Party’s views, while influential, are not decisive; if the so-called Article 31 Committee, comprising representatives from EU Member States, votes in May in favour of the proposed Shield, the European Commission may proceed to issue an official decision approving the Shield in any event. If so, transfers may be permitted to US organisations that sign up to the Shield, but it is still possible, indeed perhaps likely, that the Shield would be challenged, e.g. by regulators, all the way up to the EU’s highest court, as occurred with Safe Harbour.
In the UK, controllers may self-assess the adequacy of protection for transfers. For instance, a controller might decide that there’s adequate protection when only encrypted personal data is stored in a cloud service using a non-EEA datacentre, at least where the decryption keys stay in the EEA. However, the GDPR will do away with self-assessment of adequacy; only the European Commission will be able to decide the “adequacy” of countries/regions (or sectors within a country).
Generally, the GDPR’s transfer restriction requirements will be much tighter than currently. Breaching the GDPR’s transfer restriction would expose transferring organisations to a fine of up to €20 million or, if higher, 4% of the last financial year’s total worldwide turnover, so the issue is worthy of boardroom attention.
The survey says…
Understanding the intricacies of these changing regulations is certainly a serious issue which many have yet to focus on, even though the clock is definitely ticking. VMware research revealed that more than a third (34%) of UK businesses’ data is currently located outside of the country, while three-quarters (76%) have at least some business-critical data residing overseas. With so much data stored offshore, almost seven in 10 businesses are concerned they may need to move their data for compliance reasons. Almost all – 96% – also admitted it would cost them a significant amount to move their data to a different location if need be, with the average cost being estimated at over £1.6 million, and an average timeline of three months to complete the migration.
Reading the small print
The highly-publicised GDPR is an attempt to modernise 20-year old EU data protection laws. Passed by both the EU Council of Ministers and European Parliament in April 2016, it will become law 20 days after its official publication, expected to be in July 2016 or earlier, and its rules will become effective directly in EU Member States (including the UK) two years later.
One critical change under GDPR is that organisations who are merely data processors will also be caught by the transfer restriction, and exposed to other legal liabilities if anything (or anyone else) in the supply chain goes wrong. “Processors” are those used by controllers to process personal data on behalf of the controller, such as when outsourcing payroll processing. Processors would include any service providers, like cloud providers, whose engagement involves the processing of personal data. So, from about mid-2018, both controllers and processors will need to know the locations of the personal data which they process.
Through the keyhole
What might be the impact of Brexit? Even if the UK leaves the EEA, many UK organisations will still be doing business in the EU/EEA anyway. Life would be tougher for them if they have to comply with two separate sets of data protection laws: one for the UK, and one for customers or employees etc. in the EU/EEA. Therefore, it’s not impossible that the UK government might want to retain or pass laws similar to the GDPR anyway. If so, again UK organisations might still be allowed to process their personal data in EEA locations. However, it is difficult to predict the possible Brexit implications at this stage as we head towards the referendum.
All these different elements and the changing EU landscape means that controllers, and even processors, will need more than ever to be able to track and control the physical locations of the personal data which they process, and also to track accesses and their geographical sources, including blocking accesses from certain countries.
Personally, I feel that law and regulation’s continued focus on physical access and insistence on physical datacentre inspections is misguided. Physical security is important, but I believe that the primary focus ought to be not on physical location, but on access to intelligible personal data, including remote access, and in particular, logical as well as physical security.
I think current and proposed data protection laws are not technologically-neutral, and may even discriminate against cloud. Where we need to get to is encouraging and recognising the analysis, under appropriate non-disclosure agreements, of cloud providers’ software/systems by third party experts, in order to verify logical access restrictions and other logical security (including code security), with the experts then issuing cloud-appropriate certifications that laws will recognise as providing adequate protection, regardless of physical location or legal contract. Maybe in another 20 years…
About the author
Dr Kuan Hon recently obtained a joint law/computer science PhD on international transfers in cloud computing. Kuan is a Consultant Lawyer for Pinsent Masons and a Senior Researcher working on cloud law projects at CCLS, Queen Mary, Universityof London, but this blog is written in a purely personal capacity and should not be taken to represent any views but Kuan’s own.
 Actual average cost is £1,671,923.