The impact of the United Kingdom vote to withdraw from the European Union could have far-reaching consequences for international companies which will need to rethink their data management policies.
Whilst the UK is part of the EU it has the same data sovereignty laws as other countries in the EU. When the UK breaks away, those laws will change. US Companies operating in Europe may have to manage one set of data privacy laws for the UK and another for EU-member countries. The issue will impact both cloud and managed service providers who may need to offer additional options for customers to host data across Europe, and enterprise end users who may need to reconsider where their data is stored in Europe.
With an increasing number of companies at risk from data breaches, compliance with data protection legislation is a growing issue. Companies with operations in the UK should ensure they are aware of the potential consequences for compliance, particularly with regard to the new EU General Data Protection Regulation (GDPR).
The UK is unlikely to implement legislation in line with the GDPR. Companies operating solely in the UK with UK customers, and storing data only in the UK, would therefore be unlikely to have to implement significant changes in their data protection processes. However, US companies also operating within the EU would still have to ensure compliance with the GDPR for the data of their EU customers, and should therefore consider taking the steps outlined below.
On leaving the EU, the UK would have a number of options to ensure compliance with EU regulations:
- The UK could seek ‘adequate jurisdiction’ status – currently held by a number of countries, including Canada, Israel, Switzerland and Uruguay – implying that the UK’s laws provide ‘essential equivalence’ regarding data protection.
- The UK could alternatively seek European Free Trade Association (EFTA) or European Economic Area (EEA) membership, implying that the UK has legislation in line with the GDPR, will implement the GDPR, or will provide additional guarantees of essential equivalence.
- It is most likely that the UK would seek an agreement to govern data transfers using the model of the EU-US Privacy Shield. Under this model, companies would be required to ensure EU customers’ and clients’ data is treated in line with GDPR regulations.
It is likely that there will be a period of time in which international companies will have to rely on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) - the EU’s legal mechanisms for data transfers. In entering into these agreements, companies will be required to treat EU citizens’ data in line with the GDPR, following the conditions outlined above, as well as complying with any legal obligations within the boundaries of the SCCs and BCRs.
In such cases, companies should be aware of the following:
- Companies will be required to treat EU citizens’ data in line with the GDPR. This will mean taking the same measures that will be required if the UK remains in the EU. Companies should refer to the guidance above on GDPR compliance, which will not apply to UK citizens’ data.
- Companies will be required to hold premises within the EU that are responsible and accountable for the treatment of EU data. This will entail designating an office within the EU as the company’s primary office. This office will report to the supervisory authority of the country in which it is based on behalf of the entire company, as that company’s primary authority.
- Companies will have to have legal alternatives to the GDPR in place to prevent disruption of services. The EU has already issued two sets of model SCCs, which may be used verbatim if needed; however, any necessary changes must be approved by the relevant EU member state’s data protection authority. Companies should work with their legal department to ensure both SCCs and BCRs comply with EU law.
Unless the UK harmonizes with the new EU rules, US companies may lose the ability to process European consumer data in the UK, unless they adopt policies suggested by the EU or approved by an EU data protection authority. This could impact companies that want to use data centers in the UK—even as backups if their data centers in other EU countries go down.
Regional cloud-computing businesses are particularly vulnerable to the complications of a split regulatory region. Cloud companies function more efficiently when they can easily shift loads from one data center to another. Restricting the types of data that can be stored in specific locations hampers that flexibility.
Content Sources: Financial Times, Bloomberg, Control Risks, Network World, TechWeek Europe