Article By Ian Sherratt, Services Director – Cloud Centres
The recent moves by big tech firms to build data centres in the UK and Ireland are a timely reminder that it’s not only Brexit that is causing headaches for organisations storing data far from their home turf. I’m talking here, of course, about the recent death of the EU-US privacy shield.
This week social media video giant Tik Tok issued plans for a $500 million data centre in Ireland while last month US cloud provider ServiceNow said it was building data centres in London and Newport. These moves were ostensibly Brexit related, but many boardroom discussions have focused on the ending of the Privacy Shield arrangement for some time.
And last month the inevitable happened. The European Court of Justice (ECJ) cancelled the Privacy Shield arrangement with immediate effect. Essentially, any organisations that have any personal data transfers with US firms have had to stop their operations forthwith (in theory at least).
What does it mean?
On July 16 the ECJ ruled to invalidate the EU-US Privacy Shield agreement on data sharing as a result of a legal case started by Austrian privacy campaigner Max Schrems. Schrems had complained to the Irish Data Protection Authority that Facebook, based in Ireland, was sending his personal data to the parent company, based in the US, and his data was being subjected to covert US government surveillance. Essentially, the argument is that US government agencies have carte blanche when it comes to nosing around anyone’s personal data without permission if they deem it necessary.
Consequently, the Privacy Shield was invalidated stating that US surveillance activities were contrary to GDPR and the safety of EU/EEA citizens’ personal data. Since the EU-US Privacy Shield replaced the Safe Harbor arrangement four years ago, thousands of UK and EU businesses signed up to Privacy Shield. They’d come to rely on the legal protection it provided when transferring data across the Atlantic. Indeed, tech megaliths such as Amazon and Facebook, along with others such as Zoom and Salesforce, were all enabled by the Privacy Shield arrangement. Likewise, a host of large and small businesses in the EU and UK benefited from the arrangement.
What to do about this?
Clearly, the US is not going to reform its national security laws any time soon and the defunct Privacy Shield will probably not be resurrected, certainly in its current form. For UK companies that have relied on the Privacy Shield, they’ll need to develop a new framework immediately. Lawyers on both sides of the Atlantic have emphasised there is no grace period for businesses that transfer personal data under the Privacy Shield, so be warned.
The ICO initially published this message shortly after the ECJ’s ruling stating:
“We are currently reviewing our Privacy Shield guidance after the judgment issued by the European Court of Justice on Thursday 16 July 2020. If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period.”
However, this message had been taken down from their website within weeks as the potential legal implications of the ruling started to hit home. To emphasise the gravity of the issue lawyers were now starting to call the ECJ’s ruling against Privacy Shield GDPR 2.0.
Standard Contractual Clauses
One solution to the Privacy Shield problem is Standard Contractual Clauses (SCCs). These are individual agreements between suppliers and customers and they have been upheld in the ECJ ruling, albeit with caveats. In our next blog we’ll go into more detail on this, but SCCs have generally been fine for data controllers as an alternative data transfer mechanism. On July 16, the European Court ruled that SCCs were still valid, but it stressed that that EU GDPR requires that businesses relying on SCCs need “to verify, on a case-by-case basis”, effectively decreeing SCCs should be used carefully and with full scrutiny. There’s a big question mark hanging over the UK with regard to SCCs (and Privacy Shield) after December 31, this year.
It’s also worth noting that SCCs were designed to be specific to a single contract and will be a costly bureaucratic and legal exercise for many businesses, as they negotiate and sign thousands of new contracts. These costs will be particularly difficult for business startups and small enterprise.
Ultimately, it’s clear that the internet is not going to be turned off any time soon despite the ECJ judgement, and enormous volumes of UK and EU-US data transfers will continue either unlawfully or through SCCs. The main advice – for the moment at least – has to be that you need to make your technology partner has a UK-based server and infrastructure, so none of your data leaves the UK unless it’s absolutely necessary. ServiceNow would not be setting up two UK data centres to service their clients unless there were sound business and political reasons to do so.
Join Our Webinar
Interesting times (as the currently over used saying goes), and all this is being cloaked in the media at the moment by the noise from COVID-19, Johnson’s government and Brexit.
If you’d like to hear more about this evolving topic and how it could impact your business, join our webinar on Tuesday 25th August 2020. Here’s the link: