Many of you will remember the time before the GDPR when there was a lot of activity to ensure that personal data was stored in the EU. A lot more storage was then built in the EU so that cloud service providers could meet demand.
While the GDPR did not mandate that, compliance was easier if the personal data being processed by organisations in the EU remained in the EU.
I want to explain why that was and what impact Brexit has had on this issue for UK organisations.
Third Country Transfers
The GDPR created enhanced data protection rights for individuals and more obligations for the organisations processing their data. In essence a higher standard of protection.
These standards should not be capable of being bypassed by an organisation in the EU simply choosing to store the personal data they are processing outside the EU.
This is what is called a ‘third country transfer’ under Article 44 of the GDPR, and in order for such a transfer to take place the organisation must ensure that essentially equivalent protections are in place in that country.
So using a cloud service provider with a database in Mexico (or the US) does not get you off the hook.
The EU has decided that some countries offer this essential equivalence of protection. These are Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay.
Adequacy talks are ongoing with South Korea and of course with the UK. It is hoped that this will be granted in the next few weeks. But then the question is: how long will it last?
The US partial adequacy decision, Privacy Shield, was successfully challenged for the second time in the EU Court of Justice last year.
Other Transfer Mechanisms
There are other ways to ensure essential equivalence through contracts, either Standard Contractual Clauses or Binding Corporate Rules, but these were made more complex by the Schrems II decision in July 2020.
This held that due to the possibility of the US state authorities intercepting the digital communications of EU citizens and the lack of redress for privacy breaches for EU citizens in the US, Privacy Shield, which had allowed transfers to certain organisations in the US, was invalid as a transfer mechanism.
The court also looked at the use of contractual mechanisms and decided that these alone were no longer adequate. The solution for any organisation transferring personal data to the US, or to any third country, was to carry out a Transfer Impact Assessment – a risk assessment identifying any issues with state surveillance and rights of redress.
Then if any issues were identified they would have to be addressed through organisational, technical or contractual means which would be in addition to the contractual arrangements that were already being used.
The Current Position for the UK
If the EU does grant the UK an adequacy decision by the end of June 2021, then storing your data in a cloud server hosted in the EU will be straightforward – for now. No additional risk assessment or additional measures will be required.
However, various EU institutions have been concerned about issues in the UK such as mass surveillance and bulk collection of communications data; the possibility that the UK will change the rules now that it is outside the EU; onward transfers of data (particularly to the US); and the immigration exemption that disapplies data protection laws in the UK.
So even if the UK is granted adequacy, this may not last long. It will be reviewed by the EU at regular intervals, the usual interval being every four years. But it could be open to a challenge like the one brought in the Schrems case.
Currently, UK data protection law on international transfers is contained in the UK GDPR, which is substantively the same as the EU version. So the rules about transfers to third countries are the same, but the scope is narrower: a third country is now any country other than the UK.
The simplest solution is to ensure your cloud service provider is hosting your data in the UK. Easy to say, perhaps not so easy to execute.
Join the Debate: Cloud First Summit
The legal and data protection ramifications of using cloud-based services will be a key area of discussion at the Cloud First Summit 2021, held virtually on the 23rd of June.
For more information and details on how to register for your free place at the Summit, please visit: www.cloudfirstsummit.com