After a couple of years when the question of data location had dropped a little down the priority list, two things have pushed it back up again. First, the Schrems II decision of the European Court, which cancelled the US-EU Privacy Shield and added some – but it’s not yet clear how onerous – new duties to those relying on Standard Contractual Clauses (SCCs). And second, the 31st December deadline when the UK will leave the post-Brexit transition arrangements.
For organisations in the UK, those lead to uncertainties in two directions:
- Transfers of personal data from Europe to the UK might have to take place under anything from an adequacy decision to a US-like third country status;
- Transfers from the UK to the US can no longer be done under the Privacy Shield, and the Information Commissioner has yet to provide guidance on what kinds of data may still be transferred, to what organisations, under SCCs, with or without additional technical and US legal protection.
Furthermore, whatever the law or regulators say may be pre-empted by partners or individuals who are reluctant to have their data transferred to what they perceive to be less safe locations.
With so much uncertainty, it’s impossible to pick a single location and be sure it will be the “best” choice. But it may help to look at the things that, for each choice, could cause us to have to invoke “Plan B”:
- UK hosting: if data includes personal data about Europeans, could become problematic if UK and EU laws diverge significantly, since EU individuals, partners and regulators will expect their data to be held according to what might be non-local standards. As many large US companies have found, that can be an uncomfortable situation. If there is no adequacy decision, or if such a decision were to be successfully challenged in court, then transfers of personal data from EU organisations will need to be covered by Standard Contractual Clauses, and it’s not clear whether exporting organisations will be willing (or importing organisations able) to implement the additional checks required by Schrems II; it’s also worth checking how reliable a single-country cloud service is, as these are more likely to be subject to single points of failure, congestion, etc.
- EU/EEA hosting: could be disrupted if the hosting state’s regulator decided to consider the “fetching” of data to the UK as an export, but there has been no sign of this happening in the 25 years since it (arguably) became a theoretical legal possibility under the 1995 DP Directive; no Schrems II issue and, unless the UK Government changes its view that the EU will continue to provide equivalent protection to the UK, unlikely to be any Brexit one either;
- US hosting under SCCs: likely to be disrupted, for an unknown amount of high-risk data, when the ICO publishes guidance on Schrems II checks. Some transfers may be acceptable under an appropriate combination of technical controls (such as encrypted transfer) and type of receiving organisation (which will affect the protection available under US law): others may be judged too high risk to continue. Acceptability to individuals may not be the same as acceptability to regulators.
- US hosting under Privacy Shield: already illegal. Move to one of the above.