Chris Middleton explains why the free flow of data we currently enjoy has little to do with ‘the cloud’, and everything to do with EU trade deals.

While arguments rage about the risks of a No Deal Brexit and protests grow on both sides of the Leave/Remain divide about the role of Parliament in this matter, one important aspect of Brexit has remained largely ignored by politicians and the press: data location and transfer. A huge number of organisations, including banks, insurers, charities, healthcare providers, manufacturers, energy companies, utilities, retailers, and even the government itself may come to regret not recognising its importance sooner.

The context could best be described as a modern malaise. Many organisations have become used to saying that their data is ‘in the cloud’, as though it is part of some free-moving fog of code, accessible from anywhere and floating above and beyond national borders. But the problem with this hyper-successful piece of Silicon Valley marketing is simple: ‘the cloud’ doesn’t exist.

When people say their data or apps are in the cloud, what they are really saying is that they are held in a physical data storage and processing facility, built on land under national or regional laws – in most cases in continental Europe or the US.

Put another way, the free flow of data we have all become used to thanks to ‘the cloud’ is actually a direct benefit of membership of the EU, and of the many global trading deals that are in place as a result, not a technological given.

If the UK crashes out of Europe with no trade deal in place, it is also likely to crash out with no adequacy arrangement covering data transfers between the UK and the EU. Such a Brexit would not only adversely affect those who send or receive data to or from customers, partners, or subsidiaries in the EU, but also anyone using EU-based data hosting, processing, or platforms – knowingly or unknowingly.

So the day that C-level executives stop saying that their data is ‘in the cloud’ and start acknowledging it is held in a data centre in Poland, Belgium, or Czechia is the day they start making sensible decisions about the future – including business continuity.

But the next challenge, of course, is that many organisations have become so used to making data hosting and transfer into someone else’s problem (as an on-demand service) that they have no idea where their data is, and probably expect their cloud provider to tell them and to sort out the mess. That isn’t going to happen.

According to the UK’s Information Commissioner’s Office (ICO), the EU accounts for three-quarters of all of the UK’s cross-border data flows, so it’s likely that the vast majority of UK organisations host at least some of their data in continental Europe, or transfer it to or from there.

From October, if the UK crashes out of Europe with no deal in place – including one that explicitly covers data adequacy – then they may still be able to send data to Europe, but they may not be able to get it back.

In short, not only will existing trade relationships be severed, but so will organisations’ connections with their own remotely hosted data. At best, they will be impeded, complicated, and/or subject to burdensome investigation and regulation: vast amounts of extra red tape, not freedom from it.

The uncomfortable fact is that the current free flow of personal data between the EU and UK will simply no longer exist if the UK leaves Europe without an agreement that specifically provides for it. A new report from University College London exposes the problem in more detail.

EU-UK data flows underpin the services economy and are vital for virtually any business with customers, suppliers or operations in the EU. Disruption to EU-UK data flows would be unprecedented and extremely damaging for business and the UK economy, it warns.

“For data to continue to flow freely between the EU and the UK, the EU needs to issue an ‘adequacy decision’.

“This would exclude the UK from the EU’s data protection governance framework, but would avoid costly disruption. The adequacy assessment would happen during the transitional period that follows the ratification of the Withdrawal Agreement and would be separate from the wider Brexit negotiations. There is no guarantee of a positive adequacy decision.”

Potential EU concerns could include: the possible incompatibility of the UK’s Investigatory Powers Act 2016 with EU law; membership of the Five Eyes intelligence sharing alliance; no fundamental right to data protection in the UK, post Brexit, as the UK is not retaining the EU Charter of Fundamental Rights; the potential for unprotected onward data transfers, especially to the US; and incompatibility of the ‘immigration exemption’ in the UK’s Data Protection Act 2018 with EU law.

“Unless the UK changes its national security and surveillance practices, it may not meet the threshold for adequacy,” warns the report, which explains that there are three possible ‘no-deal on data flows’ scenarios that would leave the UK without an adequacy decision. These are:

  • No withdrawal agreement, leading to a cliff-edge Brexit – a real possibility in the current climate.
  • A last-minute withdrawal agreement agreed by Parliament, but with no adequacy decision covering data – also a possibility.
  • A data adequacy decision coming after the Brexit transition period ends, leaving everything until then in a state of flux. Even a positive adequacy decision could be revoked by the European Commission or invalidated by the Court of Justice of the European Union (CJEU) at any time.

In the absence of an adequacy decision, UK to EU data flows should not be affected, as the UK has pledged to honour them. EU to UK data flows might not stop completely, but they would be significantly disrupted, confirms the report, “due to the costs, resources, and bureaucracy which individual organisations would have to direct towards enabling data transfers to continue”.

Many large companies might be willing and able to absorb such costs (once they are made aware of them and have factored them into their contingency plans), but it will be harder for SMEs and startups – many of whom may already be affected by Brexit uncertainty.

The best that could be hoped for in data terms in a No Deal Brexit would be long-term legal uncertainty and bureaucracy during an already disruptive time for British businesses. Many organisations will not have set up the necessary alternative legal arrangements by then and could therefore face enforcement action and fines from EU regulators for unlawful EU-UK data transfers.

So how big is the problem? “It is not easy to measure data flows, due to their ubiquity and virtual nature,” acknowledges the report. “Also, unlike trade, there are no legal obligations to monitor the volume of data flows. In consequence, it is not easy to measure the importance of data flows to the economy, nor the economic impact of disruption to data flows.

“However, its importance can be inferred from proxy measures. For example, half of all trade in services is enabled by seamless cross-border data flows. Also, global data flows are estimated to have raised global GDP by three percent ($2.8 trillion) in 2014, and the UK is ranked as the third most connected country in the world for cross-border data flows.”

So where does this leave us? Brexit has always entailed an intractable trade-off between sovereignty and economic integration with the EU, concludes the report.

“If the UK seeks to break free from the EU’s economic model and pursue divergent regulatory standards it can, but there will be economic costs in the form of reduced market access, trade, and investment.

“If the UK aligns itself to the EU’s regulatory standards, trade and economic cooperation could continue unhindered and grow, but the UK would be a rule taker, with diminished sovereignty. This trade-off is starkly highlighted in the domain of data protection.

“Not many people argue that the UK should diverge from EU data protection laws and pursue its own model. Indeed, the consensus among politicians and business is that the UK should continue to follow GDPR, in part to enable the continuation of unhindered EU-UK data flows. Many businesses would comply with the GDPR regardless, in order to process EU citizens’ data.

“Furthermore, if the UK wants to retain a future adequacy decision, it will have to dynamically align with EU data protection laws as they change over time. The scope for UK data protection sovereignty is therefore minimal.”

Welcome to ‘taking back control’.
