Political experts predict a no-deal Brexit, which would mean that the UK exits the EU without any agreement on the future relationship between the EU and the UK. Coverage by media on this topic, like this recent article by Forbes, has caused stress for Cloud Service Providers (CSP) and users, who are now worrying about how their customers in the UK can access cloud services and data based in the EEA (European Economic Area).

What are cloud users worried about ?

As experts foresee a no-deal Brexit, the following questions are worth asking:

  • Does a no-deal Brexit mean that the GDPR (General Data Protection Regulation) will no longer apply to the UK ?
  • My CSP has a server in the EU. Will I still be able to access it here in the UK?
  • My CSP has a server in the UK. Will I still be able to access it here in the EU?
  • If the UK becomes a ‘third-country’, will the GDPR make it difficult for me to access my EU cloud data from the UK ?

What are cloud companies worried about ?

  • Do we need to get Binding Corporate Rules (BCR) approved by the data protection regulators to save our organization from these complications?
  • If our organization works towards obtaining BCR, how long will it take for the authorities to approve them and make the data in the EU accessible for our cloud users?
  • Are the Standard Contractual Clauses (SCCs) enough to make the data in our UK data center accessible for our cloud users in the EU?
  • Should UK customer data be located in the UK and EU customer data be located in the EU?

Why there’s no need to worry

The concerns of both these groups (CSPs and cloud users) are related to the transfer of data from, and into the UK. This transfer can happen through one of the following mechanisms:

  1. Adequacy
  2. Standard Contractual Clauses
  3. Binding Corporate Rules (BCR)

The following table summarizes how the transfer can happen through each of these mechanisms:

TRANSFER MECHANISM

DESCRIPTION OF MECHANISM

FROM UK TO EEA

FROM EEA TO UK

ADEQUACY

Under the GDPR, the European Commission declared some countries as adequate, i.e., they have data protection standards equivalent to GDPR standards in place. Transfer to these countries will not require any additional procedure.

The UK govt. has, in one of its official statements (here), announced that it will recognize all the EEA countries and institutions as providing an adequate level of protection. This means that transfers from UK to EEA will not be a problem.

The EU has not yet made any formal adequacy decision relating to the UK. Therefore, we can’t rely on this mechanism and will have to look at other mechanisms for transfer.

Standard Contractual Clauses (SCCs)

Standard contractual clauses are one of several mechanisms approved by the European Commission to ensure adequate safeguards for personal data transferred from the EU to countries which the European Commission has found not to offer adequate protection for personal data.

No need to useSCC since the EEA is recognized as adequate.

The UK government intends to retain the SCCs issued by the European Commission. This means that entities using SCCs as their basis for transfer can continue to do so and a no-deal Brexit will not affect them.

Binding Corporate Rules (BCR)

Binding Corporate Rules are personal data protection policies adhered to by group of

undertakings in order to provide appropriate safeguards for transferring personal data within the group, including outside of the EEA. These BCRs have to be approved by the European Data Protection Board (EDPB).

No need to useBCR since EEA is recognized as adequate.

Existing BCRs recognized by the ICO (Information Commissioner’s Office) will continue to be valid.

Both the EDPB and the UK government have confirmed the above information in their official statements.

  • The EDPB has affirmed that companies can use standard contractual clauses under the existing data protection law for transferring data between the EU and the UK. Here’s what their official statement says:

    EDPB’s announcement

 

  • The UK government has stated that the UK will retain the GDPR:

    UK government’s announcement

 

What should I do now as a cloud user ?

If your CSP has a data center in the UK and your data resides there, sign a Data Processing Addendum (DPA) with your CSP that has SCCs.

What should I do now as a CSP?

For transfers between your entities, have an intracompany agreement that incorporates SCCs. Otherwise, endeavor to get BCR approved by the European Commission.

 

The position of  the US

If you have data centers outside both the EU and UK, for example in the US, will you be affected by a “no-deal Brexit?

The answer is a clear “No”. The EU has declared the US to be adequate under the EU-U.S. Privacy Shield. Therefore, as laid out in the table above, the UK will transitionally recognize the US to be adequate and the US will recognize transfers from the UK to the US as adequate. The US Department of Commerce has announced on its official website that privacy shield participants must update their privacy shield commitment to include the UK. This means that transfers from the US to the UK will also be unaffected.

Zoho’s position

Let’s address four possible use cases:

  1. Users of www.zoho.com based in the EEA
  2. Users of www.zoho.eu based in the EEA
  3. Users of www.zoho.com based in the UK
  4. Users of www.zoho.eu based in the UK

Zoho does not store any data in the UK. Our www.zoho.com data centers are in the United States and our www.zoho.eu data centers are in the EU.

  • There is no impact of Brexit on use case 1 since the existing transfer mechanisms (Privacy Shield and SCCs) will continue to apply.
  •  There is also no impact to use case 2 since the data centers are in the EU.
  • To address use case 3, we will update our Privacy Sheild commitment to include the UK as required by the US Department of Commerce on the Privacy Shield website.
  • The ICO has stated that transfers to the EEA will not be restricted, so use case 4 will not be affected.

References

EDPB’s statement- https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-2019-02-12-infonote-nodeal-brexit_en.pdf

UK Government’s statement-

https://www.gov.uk/government/publications/data-protection-law-eu-exit/amendments-to-uk-data-protection-law-in-the-event-the-uk-leaves-the-eu-without-a-deal-on-29-march-2019

Forbes’ Article on a no-deal Brexit

https://www.forbes.com/sites/annatobin/2019/02/15/no-deal-brexit-could-mean-u-k-citizens-cant-access-data-held-in-a-european-cloud/#6760b30c154e

Zoho data centers in EU

https://www.zoho.com/general/blog/zoho-data-centers-in-europe.html

More about a no-deal Brexit

https://www.bbc.com/news/uk-politics-47379308

Disclaimer: The information presented herein should not be taken as legal advice. We recommend that you seek legal advice on what you need to do to comply with the requirements of the GDPR.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  1. Mr Praca

    GDPR is bit of a well meaning mess, and Brexit is an even bigger pile of excrement. Let us see how people react when all the UK jobs go and unemployment creeps up. Worrying about GDPR will be the least of UK / EU problems.
    A lot of American websites are so lazy about dealing with GDPR, they have just blocked access to ALL EU visitors to their site.

  2. JamesAlcott

    nice post with references thanks for sharing