
Schrems II, Brexit and the legal limbo of data flows


Every part of society is awash with data, both in how we do business and in how we interact with the world around us. It is the lifeblood of the digital age: the public can purchase almost anything from anywhere, and businesses can reach a greater marketplace than ever before. As a result, data can sit anywhere too, with citizens’ data spread across multiple countries and regions at a time.

So, when an event like Brexit changes the course of everyday life in Britain, businesses based here that store data on EU citizens should understand what it means from a compliance perspective.

This comes into sharper focus when you consider the fallout of Schrems II, the ruling from the European Court of Justice that found the Privacy Shield did not comply with EU citizens’ privacy rights. In the first instance, it has created a serious issue for companies that transfer data from the EU to the US, which can no longer rely on the Privacy Shield to protect them from liability over those transfers. But it could also have implications for the transfer of data between the UK and the EU.

As part of the deal under which the UK officially exited the European Union, a transition period of between four and six months was put in place, for data protection purposes, governing how data should be managed between the two. This gives the European Commission time to complete its adequacy assessment of the UK’s data protection laws. For the time being, personal data can continue to be exported from the EU to the UK without additional safeguards.

Once the transition period ends, data will no longer flow freely from the EU to the UK unless an agreement is struck. While that agreement is still in process, companies in the UK need to be prepared to put in place the measures required to comply with EU law on the transfer of citizens’ data. The intricacies of the assessment will be fleshed out in time, but UK companies holding EU citizens’ data must ensure it is protected and stored to EU standards in order to comply in the long term.

To ensure compliance, the first move any company should make is investing in encryption to protect data at rest and in transit, and then making sure that both the encryption and decryption keys are stored separately from the cloud in a secured environment. Protecting the keys is crucial, and sovereignty over them must remain with the company. Not only that, but control over the data must reside within the EEA itself, as the EU dictates. So, while companies will need to invest in digital technology to compete with their European counterparts, encryption is a necessity if British companies are not to fall foul of compliance and end up in court.

A trusted framework for the future of cloud

Aside from Brexit, the game-changing event of recent years has been the coronavirus pandemic. As a result, we were all forced to re-imagine how we stay in touch and do business, and to move our offices into our homes.

For the purposes of managing data, firms used cloud technology to enable millions of people to access systems and information easily. Industries like healthcare, for example, took advantage of cloud technology to manage sensitive patient data related to the pandemic, such as track and trace. However, this shift in approach brought about a new framework for the relationship between the cloud and the organization holding the data, looking at who can access the sensitive data, and from where.

This has always been a concern in the decades the cloud has been around. However, the effect of that transition is that more companies are now sharing data in cloud environments. Even before the pandemic hit, the 2020 Thales Data Threat Report found that half (50 percent) of all data was stored in cloud environments, and that 47 percent of organizations had experienced a breach or failed a compliance audit in the past year. With that number likely to have risen dramatically since the pandemic started, a deluge of companies are encountering new data protection challenges while trying to get to grips with the wider environment and the challenges of working apart from each other.

Regardless of where the data sits, whether in the UK, the EU or beyond, there are recommended actions companies can take now to make a start on protecting the data in their possession. With this guidance, organizations can build a trusted privacy framework using encryption and following existing guidelines that provide basic and fundamental protection for data flows.

These include:

  • Discover your data wherever it is and classify it. That way an organization knows what data it has and can apply the appropriate security measures, as outlined by GDPR.
  • Protect sensitive data in motion and wherever it is stored using encryption. Encrypting network traffic and data in the cloud and in data centers ensures that no one without the keys can read the data.
  • Control access to the data by creating, storing and managing the encryption keys in the country of origin of the data. That way, the company in question owns the keys, not the cloud provider, and no government can access the data.
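The three steps above, and the earlier point about keeping keys separate from the cloud, are what envelope encryption with a customer-held key encryption key (KEK) implements in practice. The Go program below is an added illustration written for this page; it is not code from the author or from Thales, and the classification labels, the country code and the sample record are constructed. Each record is encrypted under a fresh data encryption key (DEK) with AES-256-GCM; the DEK is then wrapped under a KEK that lives only in the company's own key store (modelled here by KeyHolder, standing in for an on-premises HSM or key manager in the country of origin). The cloud receives only ciphertext and the wrapped DEK, so it can store the object but never read it, and the classification and origin metadata are bound into the authentication tag, so a record relabelled from "personal" to "public" no longer decrypts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredObject is all the cloud provider holds for one record: ciphertext,
// metadata, and the data key wrapped under a KEK the provider never sees.
type StoredObject struct {
	Class      string // classification label, e.g. "personal" (constructed)
	Origin     string // country the data originates from (constructed code)
	Nonce      []byte
	Ciphertext []byte
	KEKNonce   []byte
	WrappedDEK []byte // DEK encrypted under the company-held KEK
}

// KeyHolder models the company's own key store in the country of origin: it
// wraps and unwraps data keys on request but never releases the KEK itself.
type KeyHolder struct{ kek []byte }

func NewKeyHolder() (*KeyHolder, error) {
	kek := make([]byte, 32) // AES-256 key encryption key
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyHolder{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM under a fresh nonce, binding aad into the tag.
func seal(key, aad, plaintext []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// unseal fails if key, nonce, ciphertext or aad differ from what was sealed.
func unseal(key, aad, nonce, ct []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// metadataAAD ties classification and origin to the ciphertext, so a record
// relabelled from "personal" to "public" no longer decrypts.
func metadataAAD(class, origin string) []byte {
	return []byte(class + "|" + origin)
}

// Encrypt builds the object the cloud may store; the plaintext DEK exists
// only inside this call and is never sent to the provider.
func Encrypt(h *KeyHolder, class, origin string, plaintext []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := metadataAAD(class, origin)
	nonce, ct, err := seal(dek, aad, plaintext)
	if err != nil {
		return nil, err
	}
	kekNonce, wrapped, err := seal(h.kek, aad, dek) // wrap the DEK under the KEK
	if err != nil {
		return nil, err
	}
	return &StoredObject{Class: class, Origin: origin, Nonce: nonce, Ciphertext: ct,
		KEKNonce: kekNonce, WrappedDEK: wrapped}, nil
}

// Decrypt needs the key holder: a party with only the StoredObject cannot
// recover the plaintext, and a different KEK fails at the unwrap step.
func Decrypt(h *KeyHolder, obj *StoredObject) ([]byte, error) {
	aad := metadataAAD(obj.Class, obj.Origin)
	dek, err := unseal(h.kek, aad, obj.KEKNonce, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, aad, obj.Nonce, obj.Ciphertext)
}
```

In a real deployment the KeyHolder would be a hardware security module or key manager operated by the company in the EEA, and Encrypt/Decrypt would call its wrap and unwrap API rather than holding the KEK in process memory; the property being demonstrated, that the cloud provider holds ciphertext and a wrapped key but nothing that can decrypt them, is the same. Rotating the KEK then means re-wrapping the small DEKs, not re-encrypting every stored object.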

Ultimately, the dynamic between businesses based in the UK and the rest of the world has changed for good. With developments like Schrems II and Brexit, data protection will be under more scrutiny than ever.

With that in mind, the ultimate goal every business should keep in mind is that if it produces and stores data, it needs to pass the compliance test. Start as you mean to go on: work on the basis that you should secure all data in your possession. The audits will ultimately reveal those that took immediate steps to protect data privacy. In the meantime, to help build a future we can all trust, the best steps a business can take are to act with awareness of what the rules are where its data sits, particularly in this increasingly digital world, and to implement them without needing a nudge from the authorities.

Rob Elliss, Sales, Thales

Rob Elliss manages the sales of Identity and Data Protection solutions in EMEA. He has over 24 years’ experience and specializes in encryption-based solutions for finance, government, and enterprise.