A transition period was granted until 30 June 2021, meaning that any transfer of personal data to the UK is made under the existing framework and is not treated as a transfer to a third country. Once that six-month grace period ends, the UK becomes a “third country” under EU law.
All signs point to Brussels agreeing that the UK offers an adequate level of data protection and so transfers of personal data should continue without any further transfer mechanisms being required.
“This would be a welcome outcome for business, but it comes with the price of tying the UK’s data protection regime to that of the EU,” said Bridget Treacy, partner at Hunton Andrews Kurth. “In other words, adequacy is not a ‘one time’ assessment, but is an ongoing process.”
McKinsey, the consulting firm, estimated that the free flow of data contributed $2.8trn to the global economy in 2014, and predicted it would reach $11trn by 2025.
Standing in the way of increased data mobility are regulators and privacy advocates who have strengthened, but also fragmented, the standards required to send information around the world.
The big headaches for many corporates wanting to revamp their data strategies through 2021 are the UK’s ongoing compliance with the General Data Protection Regulation (GDPR), the legality of data transfers involving the US, and ongoing uncertainties around data sovereignty and residency.
GDPR and double compliance
The UK transposed the GDPR into national law as the Data Protection Act 2018, but upon leaving the European Union is now responsible for shaping its own rules in future. Any divergence from either Britain or Brussels will have an impact on companies that send or receive data from both jurisdictions.
“It is easy to think that data transfers between the EU and UK are the only concern for ongoing data protection compliance, but there are a number of other aspects to consider,” said Simon Bollans, lawyer at Osborne Clarke. “Both the EU GDPR and the UK GDPR have extra-territorial effect, and businesses need to think about the impact which the two regimes will have on their data flows, records of processing, contracts, policies and procedures, along with requirements to appoint EU data protection representatives.”
Many businesses will have to comply with both, but the pain won’t end there.
“In essence, organizations with pan-European operations are likely to have to comply with two separate, but similar legislative regimes, with the consequential risk of dual enforcement action in the event of any breach,” Bollans added. “This means that organizations need to consider carefully whether they are within just one or both regimes.”
Privacy shield replacement
Transfers from the UK to the US and to other non-adequate countries will also need a data transfer mechanism, just as they did when the UK was inside the EU. The courts have previously ruled that the Privacy Shield, the framework for regulating transatlantic exchanges of personal data for commercial purposes between the EU and the US, is invalid. Irish regulators then told Facebook to stop transferring its citizens’ data out of Europe in the wake of the ruling.
Finding a replacement for the Privacy Shield is a priority for President Biden’s new administration, and it is likely that the UK would adopt any new arrangement that is negotiated between the EU and the US.
Days after taking office, President Biden opened negotiations with Brussels on how personal information is moved between Europe and the US, underlining how important the matter is to business.
Residency complications
Existing frameworks like the GDPR and its equivalent in the Golden State, the California Consumer Privacy Act, along with whatever replaces the Privacy Shield, are comparatively new considerations that arrived during the boom in cloud computing and Software-as-a-Service (SaaS) solutions.
This increasingly complex web of laws has put issues of data sovereignty and data residency firmly in the spotlight.
The two phrases are often confused but are very different. Data sovereignty is a country-specific requirement that data is subject to the laws of the country in which it is collected or processed, and must remain within its borders. Russia, China, Germany, France and Indonesia are just a handful of countries that have this rule in place, requiring that their citizens’.
Data residency involves a business specifying that their data is held in a specific geographic location of their choice, perhaps to take advantage of a beneficial tax regime as an example.
For companies utilizing SaaS or the cloud, or perhaps building a data lake to generate enterprise insights, these overlapping but hugely important factors are complicating compliance and operational strategies.
A typical data lake architecture demands a single enterprise-wide lake hosted in one cloud region, but experts believe data localization laws are limiting what data can move from local storage to the larger enterprises’ central data lakes.
Executives hoping to glean sales insights or customer sentiment from teams in multiple continents will not have all the required information if there are restrictions on what they can interrogate.
“We expect cloud-based service providers that historically transferred EEA personal data to the US, or even accessed such data remotely from the US to provide services, to increasingly offer regionalized data hosting and support services within the EEA,” said Eve-Christie Vermynck of US law firm, Skadden Arps. “For vendors, this may prove a preferable solution to negotiating bespoke supplementary measures with a large number of customers.”
Harmonized standards remain a long-term goal
The World Economic Forum has also identified these information sharing barriers as a hindrance to better cybersecurity, healthcare and financial services provisions, and has called on governments to smooth out the wrinkles and standardize the rules.
Businesses will have to forge their own path in the meantime; data localization laws are here to stay.
“Enterprises should work closely with their data lake technology providers and build their architecture adhering to these laws,” said Nallan Sriraman, global technology strategist at consumer goods multinational, Unilever. “They should follow the same technology architecture for their central data lake and the mini data lakes worldwide — and they should be connected only by the necessary data that doesn’t violate local laws.”
“Equally, cloud data lake providers must build easy-to-use tools that provide guard rails to enterprises and offer seamless integration between the central and local mini data lakes,” he added. “Only time will tell if it can influence these regimes to loosen their regulations.”
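As an added illustration of the “guard rails” Sriraman describes (example code written for this page, not Unilever’s or any vendor’s tooling), the following Python models a replication gate between regional mini data lakes and a central lake: each record is tagged with its collection country and whether it is personal or aggregate data, and a constructed localization policy decides what may be copied to the central region. The country-to-region mappings, region names and sample records are placeholders, not a statement of what any country’s law actually requires.

```python
from dataclasses import dataclass, field

# Constructed policy (placeholder values): which hosting regions may receive
# *personal* data collected in each country. Real mappings come from counsel.
LOCALIZATION_POLICY = {
    "DE": {"eu-west"},
    "FR": {"eu-west"},
    "RU": {"ru-central"},
    "CN": {"cn-north"},
    "ID": {"id-jakarta"},
}

@dataclass
class Record:
    country: str                 # country where the data was collected
    category: str                # "personal" or "aggregate"
    payload: dict = field(default_factory=dict)

def replication_decision(rec, central_region, policy=LOCALIZATION_POLICY):
    """Return (allowed, reason) for copying rec from a mini lake to the central lake."""
    if rec.category == "aggregate":
        return True, "aggregate data is not subject to the localization rule"
    if rec.category != "personal":
        # Unclassified data is held back rather than replicated by default.
        return False, f"unknown category {rec.category!r}; fail closed"
    allowed_regions = policy.get(rec.country)
    if allowed_regions is None:
        return True, f"no localization rule on file for {rec.country}"
    if central_region in allowed_regions:
        return True, f"{central_region} is an approved region for {rec.country}"
    return False, f"personal data from {rec.country} must stay in {sorted(allowed_regions)}"

def gate_for_central_lake(records, central_region, policy=LOCALIZATION_POLICY):
    """Split a batch into (replicated, held_back); each entry keeps its audit reason."""
    replicated, held_back = [], []
    for rec in records:
        ok, reason = replication_decision(rec, central_region, policy)
        (replicated if ok else held_back).append((rec, reason))
    return replicated, held_back

# Constructed sample batch arriving from several regional mini lakes
SAMPLE = [
    Record("DE", "personal", {"customer_id": 1}),
    Record("RU", "personal", {"customer_id": 2}),
    Record("RU", "aggregate", {"sales_total": 1200}),
    Record("ID", "personal", {"customer_id": 3}),
    Record("US", "personal", {"customer_id": 4}),
    Record("CN", "unknown", {"customer_id": 5}),
]
```

Running `gate_for_central_lake(SAMPLE, "eu-west")` replicates the German record, the Russian aggregate and the US record, and holds back the Russian and Indonesian personal records plus the unclassified Chinese one, with a reason string for each that can feed an audit log.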