At the dawn of the information age, optimists and techno-utopians believed that the Internet would tear down all restrictions on international information sharing. The swathe of privacy concerns that has arisen over the past two decades has put such optimism to the test, culminating in the introduction of laws such as the EU’s General Data Protection Regulation (GDPR). Regulations such as GDPR, alongside preventing governmental and business overreach into privacy, indirectly create an obstacle to the free passage of data across borders.
While privacy regulations don’t hamper the lawful transfer of data within a jurisdiction, they do present new issues when transferring data across jurisdictions with different regulatory regimes. The most recent - and one of the most notable - flare-ups of these concerns came between the US government and TikTok. The app now faces a ban in the US, as lawmakers fear China’s weaker privacy regime could allow the Chinese government to access TikTok users' data. Even between liberal nations with relatively robust privacy regulations there are new “protectionist” concerns regarding the sovereignty of data, as seen most recently in the European Court of Justice decision in July to strike down the EU-US Privacy Shield mechanism for data sharing due to fears of US government overreach.
For multinational organizations, this necessarily throws up a range of concerns, especially as Brexit approaches. What developments should organizations be monitoring on data sovereignty debates? And how should organizations change their cloud strategy as a result?
Developments in data sovereignty
When it comes to data flows within the UK and the EU, the overarching concern regarding data sovereignty has been Brexit for some time. British data protection law is currently enforced by the Data Protection Act 2018, which applies and supplements the GDPR in the UK. A common concern is that, at the end of the Brexit transition period on December 31st 2020, data storage between Europe and Britain will break down.
However, this is highly unlikely. For data transfers from the UK to the EU, Britain has laid out no plans to restrict the flow of personal data. For data transfers from the EU to the UK, while Britain will become a third country at the end of the Brexit transition period, all this means is that the European Commission must perform an adequacy assessment of Britain’s data protection law before personal data can be transferred to Britain. It is almost certain that Britain will pass such an adequacy test, because at the end of the transition period GDPR will be transposed directly into British law and become referred to as “UK GDPR”.
Instead, the major current concern is data transfers from the EU to the US. Until recently, data transfers between the US and the EU (and Switzerland) were protected by the Privacy Shield. However, in July the European Court of Justice ruled that the EU-US Privacy Shield Framework is an invalid means of complying with EU data protection requirements when transferring personal data from the European Union to the United States, and Switzerland’s courts ruled the same in September. Now, organizations transferring data from the EU to the US must rely on Standard Contractual Clauses (SCCs).
Building data sovereignty into your cloud strategy
SCCs mean that the data protection afforded to a company is only as good as what a particular cloud vendor is willing to offer. EU companies that want to guarantee that their cloud strategy consistently reflects EU standards should therefore ensure that their data is stored in cloud buckets located in a European data center, which is bound to comply with GDPR.
Of course, many European data centers are owned by or partnered with US data centers, so organizations will need to ensure that their contract with their cloud vendor guarantees that their data won’t be copied or moved to a US data center. Keeping EU data in Europe is established practice as is, but with the lapse of the Privacy Shield it’s important to remain vigilant.
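The two checks implied above, that each bucket lives in a European region and that nothing replicates it to a US region, can be turned into a routine audit. The following is an added example written for this article, not code from the article or from any cloud vendor. It runs over a constructed inventory in the shape an S3-style bucket-location API returns (the bucket names and regions are made up), and the EU region allowlist is an assumption to adapt to your own vendor; the handling of an empty location as us-east-1 and of the legacy "EU" alias for eu-west-1 mirrors how S3's GetBucketLocation reports those cases.

```python
"""Audit a bucket inventory for EU data residency (added example, not the article's code)."""

# Assumed allowlist: AWS EU regions. Extend or replace for the vendor you actually use.
EU_REGIONS = frozenset({
    "eu-west-1", "eu-west-2", "eu-west-3",
    "eu-central-1", "eu-north-1", "eu-south-1",
})


def normalize_region(location):
    """Map a raw LocationConstraint value to a canonical region name.

    S3 reports buckets in us-east-1 with a null/empty location, and very old
    buckets may report the legacy alias "EU", which means eu-west-1. Treating
    the empty value as "in the EU" would silently pass a US bucket.
    """
    if location in (None, ""):
        return "us-east-1"
    if location == "EU":
        return "eu-west-1"
    return location


def audit_residency(inventory, allowed=EU_REGIONS):
    """Return (bucket, reason) findings for buckets stored or replicated outside `allowed`."""
    findings = []
    for entry in inventory:
        region = normalize_region(entry.get("location"))
        if region not in allowed:
            findings.append((entry["bucket"], f"stored in {region}, outside allowed regions"))
        # A bucket in Europe is still a problem if a replication rule copies it elsewhere.
        for dest in entry.get("replication", []):
            dest_region = normalize_region(dest)
            if dest_region not in allowed:
                findings.append((entry["bucket"], f"replicates to {dest_region}"))
    return findings


# Constructed inventory for the demonstration; not real buckets.
INVENTORY = [
    {"bucket": "customer-records-eu", "location": "eu-west-1", "replication": []},
    {"bucket": "legacy-eu-alias", "location": "EU", "replication": []},
    {"bucket": "analytics-export", "location": None, "replication": []},  # null => us-east-1
    {"bucket": "backups-eu", "location": "eu-central-1", "replication": ["us-west-2"]},
]


if __name__ == "__main__":
    for bucket, reason in audit_residency(INVENTORY):
        print(f"FINDING {bucket}: {reason}")
```

Run against a live inventory, the same function takes whatever your vendor's location and replication APIs return; the point of keeping the audit a pure function over a list is that it can be run in CI against an exported inventory without cloud credentials, and any new bucket or replication rule that lands outside the allowlist shows up as a finding before it becomes a contract breach.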
Although the Privacy Shield has lapsed as a legal framework between the US and the EU, it remains a standard that vendors can follow in their architecture and whose ethos they can embrace. While this may not have legal force, it does show a vendor’s commitment to the standard of data privacy that their customers expect. Recent developments in the data sovereignty debate suggest that, if privacy and data sovereignty are a concern for a company, its best next step is to choose a cloud vendor that is committed to the values reflected in that jurisdiction’s privacy laws.