
Brexit Impact on Data Sovereignty - Safe Harbor, EU Model Clauses and the Data Protection Directive

On June 23rd, 2016, the United Kingdom (UK) voted in a historic referendum (tagged #Brexit on the internet). The results of the vote, if followed, mean the UK will leave the European Union (EU). In this article I’ll dive in and give my perspective on how this exit is going to impact the storage of personal data, as the UK will now be “outside the EU”.

TLDR Synthesis

  • If your business stores EU citizen data in a UK based data center you may need to take action now in order to migrate before the UK is no longer part of the EU.
  • If you’re an EU citizen, a number of the companies you work with that store data in the UK will be sending you data privacy policy updates, depending on how they solve the problem.
  • Don’t panic and don’t ignore this. You have two years, at a minimum, to have new measures in place but two years in “data center migration time” is not as long as it seems.


First, what is “Safe Harbor”, “EU Model Clauses”, and the “Data Protection Directive”?

Safe Harbor describes a 15-year-old pact between Europe and the United States on data privacy. It was overturned by the European Court of Justice on October 24, 2015. It is in the process of being replaced with the EU-US Privacy Shield, although as of May 30, 2016 the European Data Protection Supervisor issued an opinion in which he stated, “the Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the Court”. The EU and UK have never had to negotiate a Safe Harbor style agreement and the UK is out of scope for the current Privacy Shield agreement. It is possible this could be used as a framework to accelerate an EU-UK agreement for the continued long term operations in the UK or as a bridge to offer operators the time to relocate without the risk of an accelerated timeline.

The EU Model Clauses are also known as “Model Contracts” or “Standard Contractual Clauses”. They are a subset of the Data Protection Directive that handles the transfer of personal data to non-EU countries. The contracts require adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals. Two sets of standard contractual clauses have been issued—one for transfers to “data controllers” and a second for transfers to “data processors”. Using the Model Clauses it is possible for UK based data center providers and EU based businesses using UK data centers to start signing contracts in order to satisfy the directive, provided the security and privacy controls in place satisfy the core requirements of the Data Protection Directive. This could serve as a potential long term solution or a fair way to provide a stop-gap while a migration strategy was executed. For some companies the cost of providing the proper controls and maintaining the appropriate contracts may outweigh the cost of a migration to an EU based facility.

Second, let’s explore the timelines for exit being proposed with regard to data center strategy:

  1. Immediate triggering of Article 50: this starts a two-year deadline for complete exit. This is being proposed by resigning Prime Minister David Cameron.
  2. “Certain amount of time to analyze things”—this is what German Chancellor Angela Merkel is recommending along with approaching things in an overall calm manner.

Working off of timeline #1 and living in the world of data centers means decisions need to be made now. If a turn-key data center was available in one of the EU member nations and you signed a contract today you’re looking at a minimum of 3/4ths of a year before you take possession and start putting gear inside. If you have to go through site selection and build a specific design to your specifications you needed to start a year ago—it is 2-3 years to finish and commission a custom facility.

Working off of timeline #2 it still makes sense to start today and at least put down a deposit to lock up a location or turn-key facility. As timelines become more clear competition for sites and experienced construction crews in the EU will drive prices up. Under timeline #2 many companies will be able to make the transition, provided “a certain amount of time” is a couple of years before triggering Article 50.

Third, how big of an issue is this?

According to Data Center Map the UK has 240 colocation data centers. A colocation data center is one where multiple tenants share the facility. This is only a small number of the total facilities in the UK. The full count includes all private facilities for large companies, such as Barclays, which has at least one facility in Gloucestershire, or managed data centers operated by companies such as Rackspace, which has multiple facilities in the greater London area. Most businesses cannot accept the downtime associated with physically migrating equipment from one facility to another. This means an accelerated capital outlay, as businesses need to buy new equipment, such as servers, networking gear, and storage devices, potentially well ahead of forecasted capital expenditure plans.

Another option will be to migrate to a cloud provider with facilities in Germany or other locations that remain in the EU. Amazon Web Services has a Frankfurt facility that could see accelerated growth. Their Global Infrastructure map shows a new UK facility coming online. With Brexit happening we could see changes in plans here, at a minimum on the size, and potentially to cancel and select a new EU location. Microsoft Azure has a facility outside of Amsterdam in the Netherlands. They’ve also announced UK and German locations. As with Amazon, I suspect the UK build is being minimized or put on hold while Brexit timelines are sorted out, and the German build is likely being accelerated. While the cloud is marketed as a “limitless supply” of computing and storage, it is really just a pool of data centers larger than any individual customer would ever need. If a large number of companies using UK based facilities choose the cloud route to migrate, even Amazon and Microsoft could run into capacity problems.

Lastly, in closing, what do I recommend you do?

I have a couple of recommendations. First, don’t panic. I don’t believe the European Commission Article 29 Working Party is going to act irrationally or make recommendations in a manner to punish the UK or those that operated businesses with UK based data storage. Engage with experts. The scope of the working group is the protection of individuals with regard to the processing of personal data and the free movement of such data, where the data contains information about EU citizens. Second, if you’ve learned a lot reading this article, go and engage an expert; if you knew everything I wrote, comment and let me know your thoughts. Just as with data center designers and construction firms, I recommend you engage someone now and put together a plan. The longer you wait, the more scarce and expensive the expertise will become.

What should I do as a Jungle Disk customer?

If you’re a Jungle Disk customer using our EU facilities we operate out of Amazon Web Services in Ireland today. Our team is closely monitoring Brexit and what will become of Ireland and Scotland. As of today my view is England and Wales will exit the EU with Scotland separating and dissolving the UK so they can continue to be part of the EU as a new separate member nation. We’re ready to add a German data center choice if it appears that Ireland decides to join England and Wales to exit the EU.
