As we continue to follow the developments and decisions around Brexit in the U.K., we want to address questions about the flow of personal data between the U.K. and EEA that some U.K.-based users of StorageCraft Cloud Products, including StorageCraft Cloud Services (SCS) and StorageCraft Cloud Backup, may have. Generally, StorageCraft believes that concern about such transfers is largely unwarranted. This is because the data centers used by StorageCraft in delivering these services are located in the EEA. As a result, personal data flows from U.K. data “controllers”—namely, our Cloud Customers—to an EEA-based data “processor”—namely, StorageCraft. There is no question that personal data flowing from the U.K. to the EEA will be able to continue post Brexit.
The U.K. government has explained that, for data headed from the U.K. to the remainder of the EEA, it will be business as usual in the post-Brexit world. This will be true regardless of whether Brexit happens on a “deal” or “no-deal” basis. If a “deal” is reached, a lengthy transition period will occur in which the U.K. will be treated as an EU member state. Data flows would therefore continue as normal. If no deal is reached, the U.K. government has already decided that changes to the personal-data transfer regime will be minimised. Specifically, the General Data Protection Regulation (GDPR) will be saved and converted into U.K. national law. The Data Protection Act 2018 will also be retained.
Indeed, the U.K. Information Commissioner’s Office (ICO) has vocally assuaged concerns about data flows following the U.K. departure from the EU. The ICO has noted the government’s statements that “on the U.K.’s exit from the EU, transfers of data from the U.K. to the EEA will be permitted” and such transfers will continue without any additional measures, even in a “no-deal” situation. Jonathan Bamford, the ICO’s Director of Domestic Policy, views the government’s position in this regard as “absolutely clear.”
While largely irrelevant to the use of StorageCraft Cloud Products, unfortunately, the treatment of data flowing from the EEA to the U.K. is less clear. This is because once the U.K. leaves the EU, the European Data Protection Board (EDPB) must decide whether the U.K.’s data-protection guarantees are sufficient that transfers to the U.K. can proceed as they did pre-Brexit. If a deal occurs, the above-noted transition period would take effect, GDPR would continue to apply between the U.K. and the EEA, and the parties would seek to conclude the EDPB adequacy process during the transition period. This means that once the transition period ends, an adequacy decision may issue and data would be able to continue to flow freely from the EEA to the U.K. If a no-deal Brexit occurs, however, there will be a regulatory gap—perhaps a substantial one—between the U.K.’s departure from the EU and an adequacy determination by the EDPB.
Because of this, some U.K.-based customers have expressed concern that, in the event of a no-deal Brexit, once personal data is transferred from the U.K. to the EEA, the GDPR may technically prevent that data from being returned to the U.K. In this scenario, the law of the U.K. would be perfectly fine with a controller transferring personal data from the U.K. to the EEA for processing, the EEA would be perfectly fine accepting that data for processing, but the EEA could theoretically prohibit the processor from sending the data back from whence it came! This technical regulatory gap exists because the GDPR lacks provisions addressing data transfers from processors back to controllers. This gap may exist because logically, a processor—in this case, StorageCraft—is just an agent of the controller—in this case, our customer. So talking about a processor, which is the agent of the controller, “transferring” the controller’s own data to the controller, is a bit like saying the controller is transferring its data to itself. Thus, the processor (StorageCraft) arguably isn’t “transferring” the data at all. If all of this makes your head spin, you are not alone! Regulators are aware of this statutory hole and will hopefully plug it in the near future.
In the meantime, StorageCraft’s view is that the backup data we hold in our data centers belongs solely to our customers. If you are a U.K.-based customer and need to virtualize or restore, or you simply want your data back, we intend to ensure that happens. While we cannot guarantee an EEA regulator will not raise a concern, the experts we have consulted believe the possibility of that happening is virtually unthinkable, particularly given the origins of this technical regulatory gap in the GDPR.
THIS DOCUMENT IS PREPARED BY STORAGECRAFT TECHNOLOGY AND IS AN EXPRESSION OF THE COMPANY’S OPINIONS ON THE MATTERS DISCUSSED. IT DOES NOT CONSTITUTE LEGAL ADVICE. PLEASE SEEK YOUR OWN LEGAL COUNSEL CONCERNING THE ISSUES RAISED HEREIN.
© 2019 StorageCraft Technology. All rights reserved.