24th September 2019

Brexit effects on data transfer between the EU and UK

The inability to transfer data across borders presents an existential threat to UK businesses post-Brexit.


UPDATES:

Since first publishing this article in September 2019 matters have moved on.

(1) Specifically, the UK missed the deadline set by the EU to submit evidence that UK law qualified for the concept of “data equivalence” – ie; provided the same or better protection to personal data as law inside the EU – and, though granted more time to provide that evidence, a final decision was issued on 20 June 2020 that the UK fails to meet EU data privacy laws. So, that’s it – as soon as the transition period comes to an end the UK is (in my view, rightly) a data pariah, no more trusted by the EU with personal data than the U.S., and adding multiple additional layers of paperwork to every business relationship beyond the weight of VAT, customs and freight declarations that will be required.

(2) Except … a “transitionary arrangement” was included in the Christmas Eve 2020 trade agreement allowing six months’ continuation of data transfers between the EU<=>UK. Yet again, before the end of June 2021 the EU will decide whether the UK has sufficient protection of private data to allow “adequacy” with legislation in place inside the EU. UK businesses and organisations are well advised to make use of this short time to ensure that ALL their data and data processing takes place inside the UK, as I believe it unlikely that the UK will demonstrate “data equivalence” with EU law and at the end of this extended period the shutters will come down on bulk transfers of personal data from the EU to the UK. It is essential that UK based organisations verify that all their data processing and storage takes place inside the UK. This includes a check on external service providers that process or store data. I have come across several organisations that use (for example) third-party email gateways (to perform border protection – eg; anti-spam, antivirus and phishing protection etc) where the service providers split incoming email between servers physically located inside the UK and inside the EU. One substantial local authority published two DNS MX entries (that specify the servers that accept incoming email messages) with EQUAL ranking (ie; it is as likely that a message will be delivered to server A as to server B) where one server was located in London and the other in Paris – the effect of this arrangement is that if the EU->UK data transfer shutters come down this organisation will suddenly lose a full half of its incoming email messages.
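As an added example (not code from the original article), here is a small Python check for the MX situation just described: it parses dig-style MX answer lines, groups mail exchangers by preference, and flags a top tier that is split between jurisdictions (equal ranking, London and Paris) as well as any lower tier that leaves the home country. The domain, hostnames and the host-to-country map are constructed placeholders standing in for real records and for whatever geolocation or provider documentation an auditor would actually consult.

```python
"""Data-residency check for inbound e-mail (DNS MX) records.

Added example, not from the original article. Parses dig-style MX answer
lines and reports MX tiers whose hosts sit outside the home jurisdiction.
"""
import re
from collections import defaultdict

# Constructed sample of what `dig +noall +answer MX <domain>` prints.
# The domain and hostnames are placeholders, not a real organisation's records.
SAMPLE_MX_ANSWER = """\
example.co.uk.  3600  IN  MX  10 mx1-london.mailgateway.example.
example.co.uk.  3600  IN  MX  10 mx2-paris.mailgateway.example.
example.co.uk.  3600  IN  MX  20 backup.mailgateway.example.
"""

# Constructed jurisdiction lookup keyed by MX hostname (stands in for
# geolocation data or the provider's published data-centre locations).
HOST_COUNTRY = {
    "mx1-london.mailgateway.example.": "GB",
    "mx2-paris.mailgateway.example.": "FR",
    "backup.mailgateway.example.": "GB",
}

# owner  ttl  IN  MX  preference  exchange
MX_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$")


def parse_mx(answer):
    """Return a list of (preference, hostname) pairs, ignoring non-MX lines."""
    records = []
    for line in answer.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2)))
    return records


def residency_findings(records, host_country, home="GB"):
    """Group MX hosts by preference and report tiers that leave `home`.

    The lowest preference value is tried first and equal values are
    load-balanced, so a mixed-jurisdiction top tier means a share of ALL
    inbound mail lands abroad every day, not only on failover.
    Returns (kind, preference, foreign_hosts) tuples, lowest tier first.
    """
    tiers = defaultdict(list)
    for pref, host in records:
        tiers[pref].append((host, host_country.get(host, "UNKNOWN")))
    findings = []
    for pref in sorted(tiers):
        countries = {country for _, country in tiers[pref]}
        foreign = [host for host, country in tiers[pref] if country != home]
        if len(countries) > 1 and pref == min(tiers):
            findings.append(("SPLIT_PRIMARY", pref, foreign))
        elif foreign:
            findings.append(("FOREIGN_TIER", pref, foreign))
    return findings
```

Run against the constructed sample the check reports the Paris host as a SPLIT_PRIMARY finding at preference 10; an MX that is only reachable on failover would instead appear as FOREIGN_TIER.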


I have been warning organisations for almost a year (since late 2018) that a far bigger threat to UK businesses than having goods delayed at border crossings is the sudden cut-off of data flows between the EU and UK. While a 3~4 delay in delivery of goods is likely to have a variable impact on businesses, the sudden removal of communications and data-critical business systems is likely to prove the death of many businesses.

As I write (September 2019) and post this, the news has broken that the UK Supreme Court has just handed down a verdict that the prorogation (suspension) of Parliament by Prime Minister Boris Johnson is unlawful and has no effect. That does not, in my opinion, affect the outcome of Brexit – even at the extremes of a No Deal Brexit or revocation of Article 50 so that the UK remains an EU member. This article discusses an issue about which businesses must act to mitigate a potentially terminal risk to their existence.

The problem is that as soon as Britain leaves the EU (under any circumstances) it becomes an untrusted “Third Party” as far as the EU’s data protection laws are concerned, and is therefore no longer automatically deemed to comply with EU GDPR and other data protection regulations, as it is while an EU member state.

Further, new legislation is passing through the EU legislature that will further tighten controls and protection of personal data which I believe will not be replicated in equivalent UK law putting any “adequacy” arrangement (whether politically agreed or enshrined in any treaty) at permanent risk of sudden withdrawal – leaving UK organisations with no access to their data.

Even under the best outcome – a deal including a transitional arrangement – the legality of data flowing between the EU and the UK remains uncertain and dependent upon the UK achieving an “adequacy” status on data protection from the EU before the end of any transition period agreed.

Though it is thought unlikely that the shutters will come down immediately on Brexit Day (or the final day of a transition period) and I personally think it highly unlikely you will be finding the UK ICO (or EU equivalent) knocking on your door any time soon that is not your worry.

Your worry is that the relevant data protection law applies inside the EU and, from the day the UK leaves the EU, makes it illegal for companies storing or processing the kind of data businesses need simply to operate every day to send that data to the UK – so while you may have no problems (say) updating a database held on a server or cloud located in the EU, you will be unable to get that data back.

While your company will be committing no offence under UK law, your worry is that large cloud service providers (whether just acting as storage for “your” database or providing higher level services – email, ERP, CRM, data analytics …) would be committing an offence inside the EU if they transfer data to you in the UK.

So, the question you must ask is – how long will even large cloud service providers (such as Google, Microsoft or Amazon) continue to risk their businesses by committing breaches of law inside the EU.

Business today relies on the free flow of data for everything from ordering materials through production to delivery – including all other essential processes such as marketing, sales, communication and coordination.

The threat does not only affect car or aircraft manufacturers who rely on just-in-time delivery of goods. It threatens every business that uses any cloud-based service (even for email) in any part of its business process.

And that description covers just about every business in the UK from the smallest SME to the largest multi-national.

Few have taken any notice (even the British Computer Society only seemed to partially wake up this month by including a reference to a Cambridge University academic article in one of its emails sent to its members – hardly likely to make the evening news). The Institute of Directors, in its advice on how businesses should tackle Brexit, suggests that companies should sign up for new “cloud based services” – staggeringly bad advice!

In case you are among the many that have not yet realised the disaster about to befall cross-border data transfers between the EU and the UK should a “No Deal” Brexit come to pass may I suggest a read of this article from Wired UK magazine https://www.wired.co.uk/article/no-deal-brexit-data-adequacy-gdpr which sets out a few of the problems that would arise.

In short, businesses that currently pass data covered by GDPR and earlier EU legislation FROM the EU ==> TO the UK will encounter problems immediately following Brexit.

As the Wired article explains, following a No Deal Brexit (or even a “soft” Brexit without a declaration of “adequacy” of the UK’s data protection regime) it will become illegal to pass bulk personal data from an EU state to the UK. ‘Bulk personal data’ simply defines the regular passing of personal (so protected) data from the EU to the UK. It will remain possible for an individual (say, a customer) to send an individual email from within the EU to a UK recipient organisation, but if that email is directed to a server physically located inside the EU it is then illegal to access that data – as both onward email servers and even desktop email clients themselves transfer messages in bulk.

This covers any data that includes personal identifying data. Some examples of personal identifying data are name, address, phone number, email address … precisely the information you need to, say, accept and process an order, issue invoices or deal with some suppliers. Even your own name and email address are personal identifying data so fall under EU data protection and would not be legally transferable to the UK in the circumstances discussed.

What does that mean? A few examples might help:

  • If your business uses an email service whose servers are located in an EU state it will become illegal for that email service to deliver emails addressed to you. Such email services include Google, Microsoft (Outlook and Hotmail), Yahoo and many more provided by ISPs that simply back onto these larger services. If you have your own domain name (eg; “mybusiness.co.uk”) but have delegated your email service to one of the big providers (Google, Microsoft etc) that make it easy to have all your email dealt with by their services, be aware that you will also be affected.
    • One quote from the Wired article: “Disrupting the flow of data could be disastrous. To take one example: in a recent study, researchers from University College in London point to the fact that the university’s own email system, Microsoft Outlook, only works because data can be transferred from servers in Ireland to servers in the UK.”
  • If you use an on-line (cloud based) system for your business accounting or more complex aspects of your business (such as a full ERP system) or CRM systems such as SalesForce.com, and the servers used to deliver those services are located in the EU, it becomes illegal on “Brexit Day” for the companies operating those services to transmit “your” data to you – at least insofar as that data includes any personal identifying data, such as customer names …

The Wired article explains that, post Brexit, (a) the EU will no longer consider (as a simple matter of law) the UK to comply with its data protection laws and (b) even though the UK currently has slightly stronger data protection legislation in place than the EU generally it will assume that the UK might change its position at any time to weaken those protections – something the current UK government has already stated it is considering. There is also the small matter of the UK both being a member of the “Five Eyes” group of countries (the other four – USA, Canada, Australia, New Zealand – already being non-EU member states) who collect and share personal data for “security reasons”.

Beyond this, the UK already has legislation in existence that breaches EU data privacy laws – currently ignored under a generic provision that the EU does not interfere in member states’ “security” arrangements – which would immediately fall foul of EU law once those exemptions no longer apply. As the UK continues to diverge from the EU position (and at least several of the other Five Eyes countries could be considered to have an anti-privacy stance) this alone will make it problematic for the UK to regain an “adequacy” status from the EU’s EPDA regulator – a process that normally takes between 18 months and five years in any case.

A more worrying concern is that the EU will shortly “beef up” GDPR with even stricter data privacy and consumer safeguard legislation – and unless the UK enacts equivalent or better protections it may be far longer than five years – if ever – before the UK achieves a third-party adequacy standing.

What Can you do to protect your business?

Let me say the one thing you cannot do – that is to sit back and hope someone else sorts out this mess before it happens. With just a few weeks left until a possible No Deal departure by the UK from the EU, sudden loss of access to business critical systems will bring most unprepared businesses to an equally sudden dead-stop.

Forgive my scepticism, but as someone who lives in France and must (to take but one example) change my UK driving licence – until now a perfectly acceptable document across the EU – for a French driving licence, it has become known that the UK Government “forgot” to include provisions enabling the simple transfer. So while I (and the few hundred thousand other British citizens who live in France) filled in the simple on-line form provided by the French Government and awaited our new French licences, the whole process has ground to a halt – leaving us between the rock of a deadline (end 2021) by which we must have EU acceptable licences and two hard places: (1) that our UK licences are only valid for 6 months (as for tourists from any non-EU state) and (2) the absolute inability to exchange our licences – instead we will all be applying for and having to take French driving lessons (mandatory) before taking a French driving test.

So, do not sit back and expect the British Government to sort this out – IMHO that is unlikely to happen.

An action plan

It is impossible to give any but generic advice in an article but as a minimum I would suggest all businesses (SME or multinational) do the following:

  1. Perform an audit of ALL computer systems in use throughout the organisation
  2. For each, determine
    1. The importance of the system to continuation of business activity.
    2. Where in the world the DATA and the PROCESSING SOFTWARE are located – eg; on server(s) located in Ireland / the U.S. / …
    3. In the case of cloud based services (eg; clients of Amazon AWS or Microsoft Azure …) have you a contractual statement that the location of your data and services are in a specific location? If so, is that location a region or a specific country?
  3. For EVERY system identified do you have a FULL backup of the DATA inside the UK as well as continued access to the process software inside the UK?
    1. Whatever your answer, take the time to review your data and system backup strategy and ensure that you maintain a full, current backup of your data inside the UK – apart from being essential business practice this would at least preserve your data in case of loss of access to processing systems – such as could occur where the processing company or the servers it uses are based in the EU.
  4. For EVERY system that processes the slightest sliver of personal data
    1. Take action to ensure that both the data and the processing software are hosted on servers physically located inside the UK.
    2. Be very aware that as the UK has enacted GDPR legislation inside the UK you may be operating illegally if you transfer personal data to a country outside the UK. This factor is already in place (though widely ignored) because many organisations simply add a cloud compute or storage instance to their system without giving thought to where in the world that instance is physically located. To be legal all such instances used by UK companies must currently be located inside the EU. Post-Brexit all those instances must be physically located inside the UK to avoid the problem of loss of data access from the EU.
    3. If you currently have servers or cloud instances located inside the EU holding and processing UK personal data, DO NOT be tempted to simply move them to a third country outside the UK (eg; the U.S.) without first checking the legality of storing and processing that data in that physical location. Reason? Countries such as the U.S. currently have far weaker data protection laws than Europe (by which I mean the EU including the UK) and, as even post-Brexit the UK will have GDPR equivalent legislation in place, it is likely to be illegal to store or process personal data in those locations. To illustrate, even “big-tech” companies such as Google, Microsoft and Facebook currently operate servers located in Ireland in order to serve EU citizens – each of these companies has had to locate servers inside the UK in preparation for Brexit as they are fully aware that failure to do so would prevent them from serving customers and users based in the UK.
  5. If you are so unfortunate as to come across a situation where a cloud-based systems provider can offer no UK located servers or instances, you will have to plan for a platform change to a provider who can provide UK based servers. This is vital even though it may cause major disruption because, depending on how the politics play out and therefore how hard or lenient a stance the EU regulators take, if you continue to use EU located servers for any service or system you risk having it removed without warning.

Longer term

There is a current and developing strong argument for organisations to move away from cloud computing (where data and processing is performed in uncertain physical locations – in practice, large data centres somewhere) to be replaced by edge computing, where data is stored and processed on premises – protected by on-site firewalls and intrusion detection and prevention systems.

This trend is driven by lowered cost and increased speed and availability of Internet connections alongside technical advances that, in simple terms, allow even a small organisation to implement an “own-cloud” platform – retaining the ability to create and destroy instances of development, test and production software and data stores on demand. Another major factor is data security. If a business’s data is always held inside its own premises there is no possibility for incidents such as the repeated, highly costly and reputation-staining loss of private data that occurs when a technician opens yet another cloud based instance to temporarily store a copy of the organisation’s entire data store but forgets to put the most basic password protection on it – leaving the data swinging in the breeze for as many hackers as can grab it over a multi-Gigabit data pipe as you could ever have nightmares over.

Brexit poses huge and costly threats to businesses – especially in the realm of data storage and processing.

But, wherever a problem arises an opportunity lies on its opposite side. Time may be against you, but use the opportunity to:

  • save your and your customers’ data
  • ensure that you are complying with all current data protection legislation
  • where you must, or where you are planning ahead, take heed of technology changes that may make it more desirable, for many reasons, to bring data and processing back in-house