Well, we’ve decided to exit the EU, and the train with its unpredictable cargo of political and commercial implications of Brexit has left the station. Inevitably, the implications for the tech industry, and particularly the cloud, are starting to surface as a hotly debated topic.
Caroline Donnelly, Datacentre Editor for Computer Weekly News, wrote recently about these implications and highlighted TechUK’s fears that Brexit could see the UK lose its power to influence cloud regulations. She reported: “The knock-on effect would make it harder for the IT industry to have its say on what must be done to support the future growth of the cloud industry in the UK and across Europe.”
But maybe the dangers go even deeper. Many commentators are voicing their concern that Europe will make an example of the UK’s exit, and if these views become reality, then the movement and storage of systems and data inside or outside the EU may come into focus. This could have implications for the wider cloud industry in general and for the UK cloud market in particular. We already know, through the passing of the Patriot Act in the US, what these agreements can look like and what data sovereignty challenges they throw up. This saw many companies re-evaluate where their data was and who had the legal right to demand access to it. For many the Patriot Act was a bridge too far, and they took steps to mitigate a US demand for access to their data.
Now, it’s not that I have had a lot of free time on my hands to indulge myself in EU regulations lately, but a look at Articles 15, 29 and 30 of the EU Directive on data protection, which I expect even the die-hard info sec consultants, CSOs or CIOs probably haven’t absorbed cover to cover, certainly makes for interesting reading post Brexit (http://ec.europa.eu/justice/data-protection/article-29/index_en.htm).
It starts to expose the issues the UK might have outside the EU and highlights the potential problems we might face in fast-tracking negotiations to collaborate with the EU while the inevitable horse trading and compromise agreements on cross-border trade and access to markets emerge. To illustrate this, here is just one small indication of the barriers that could be instantly thrown up, and which would dramatically affect how we move data between data centres and clouds in different EU countries. It is taken from the published EU agenda on security finalised in 2015 (http://ec.europa.eu/dgs/home-affairs/e-library/documents/basic-documents/docs/eu_agenda_on_security_en.pdf). It states: “the European Union is negotiating with the United States government an international framework agreement (“Data Protection Umbrella Agreement”) in order to ensure a high level of protection of personal data transferred between the EU and the US.” So essentially, as an external country to the EU, the UK could be forced into a negotiation with restrictive practices in place until such an “EU-UK umbrella” agreement is in place.
The EU’s information commissioner is unequivocal about the requirements: “Should the UK want to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
The questions being dodged here are: should the UK agree to mirror the EU framework, thus making it more likely for a free movement of data to occur? And if the EU-US umbrella agreement on data protection is agreed, will this pave the way for the Patriot Act to slip into UK data protection legislation by the back door?
So what implications might Brexit have for the large and small user right now? We know that Article 50 (the formal exit request from the UK) has yet to be triggered, but it has been widely telegraphed by many EU leaders that when it comes the “drawbridge will be pulled up”, with no informal side negotiations taking place over access to the European market.
Those of us that have clouds provisioned by the big cloud providers are probably aware that these are predominantly near-continent (Amsterdam or Ireland based), and will therefore be external to the UK after the Article 50 trigger. Some of these cloud providers have already built UK datacentres to allay fears about data sovereignty outside the UK. This will allow them to promote access to UK-resident data; however, most only have one footprint in the UK, so backup data is probably going to have to go outside the UK and into a European DC, which may trigger the already surfaced data protection implications. For example, would the EU set up some mechanism to inspect data to ensure EU protected data is not being transmitted? An extreme view, I agree – but how far will they take this?
Clearly this topic is fast moving and full of speculation, but sitting back is not an option; the commercial implications for clients and suppliers shouldn’t be ignored, as any cross-border trade, including tax implications, could see the imposition of import and export tariffs that will increase costs in the sector. Two years seems a long time, but it will come round fast, so taking stock of where your data is and, importantly, where it is backed up to should be at the top of CXOs’ agendas, along with reviewing whether the corporate policy on the use and distribution of data still meets the company’s criteria and policies post Brexit.