So-called ‘data localisation’ is being included in public sector contracts, meaning businesses taking on work for the government have to guarantee information will be kept within the UK, trade association techUK has warned. This goes against national policy and is seen by many as a barrier to trade. It has led the association to call on the government to solidify its position on data localisation post-Brexit.
Speaking to Tech Monitor, techUK said member companies have raised concerns that onshoring of data is increasingly being included as a stipulation in public sector contracts. This goes against the UK government’s commitment to the free flow of data, which has been confirmed to the European Union and other international partners several times since Brexit.
Responding to the government’s consultation, entitled Data: A new direction, which is expected to inform the post-Brexit UK’s stance on data rules and its plans to amend the EU’s general data protection regulations (GDPR), techUK has outlined six data principles it hopes to see adopted. One of these, “taking a firm line against data localisation at home and abroad” warns those creating the new data protection regime to “push back against [the trend of data localisation]” and to be an effective advocate for increasing international digital trade cooperation.
What is the UK government’s policy on the free flow of data?
A government spokesperson told Tech Monitor that there is currently no requirement for the onshoring of data in government contracts and that it is the responsibility of every department to make a risk-based assessment of its use of cloud providers, which can often transfer data to other countries for storage or processing. “When considering a commercial provider, departments should take into account the cloud security principles developed by the National Cyber Security Centre,” they said.
Data localisation can often be a barrier to trade, and the UK has agreed provisions in many of its Free Trade Agreements that prevent signatories from imposing unjustified data localisation measures. In April 2021, the UK government also committed to the “G7 Roadmap for Cooperation on Data Free Flow with Trust” and reaffirmed its position on “unjustified data localisation” during a roundtable in September 2021 at the Leeds Digital Festival. Last year, the EU granted the UK “data adequacy”, meaning information can flow between Britain and European countries.
However, there are some “limited and justifiable” circumstances in which data localisation might be appropriate, the government spokesperson told Tech Monitor. This includes protecting national security or achieving a legitimate public policy objective.
Why is data localisation bad for business?
According to techUK, the use of data is projected to have added at least £241bn in value to the UK economy between 2015 and 2020. But members of the association, which include tech companies based in the UK and from abroad, have said that “confusing and unclear rules” have held them back from investing in the UK further.
Neil Ross, associate director for policy, techUK said: “Developing a clearer, more trusted and innovation-enabling data governance system is one of the most obvious opportunities of Brexit.” He continues that the UK must find the right balance between upholding the rights of citizens and supporting global data flows.
Ross says there are “repeated issues” for some of techUK’s members when working with public sector and government agencies around contracts, particularly when it comes to the inclusion of data localisation clauses. He believes there is a disconnect between the Department of Digital, Culture, Media and Sport (DCMS) and the departments that draw up contracts.
“There’s a requirement to keep data in the UK, which, while not technically illegal, is against government policy,” Ross explains. “This, therefore, creates a lot of confusion in the market.”
techUK says UK headquartered member companies, as well as large international businesses with a presence in the UK, have raised the issue. The association has put its concerns to DCMS.
How will data localisation affect SMEs?
Insisting that data must be stored locally when dealing with the public sector appears to contradict wider government messaging around unjustified data localisation, says Rob Anderson, principal analyst, public sector, GlobalData.
However, he does say that there has been a “tug of war” between the DCMS and government officials over data strategy for many years, so he isn’t surprised by the disconnect.
Anderson says restricting where data can be held by companies can impact how attractive a contract is to businesses. “The big companies like Microsoft, Amazon Web Services and Google have data centres [in the UK] anyway, but some of the others might not,” he explains. “And even for the ones that do, [data localisation] could impact their margins if they have to do things here rather than utilise their worldwide assets.”
This could impact the Government’s promise to open up government and public sector contracts to SMEs. In its Digital, Data and Technology (DDaT) Playbook, which launched in March, the Cabinet Office pledged to “level the playing field” for SMEs.
“SMEs and voluntary, community and social enterprises (VCSEs) make a considerable contribution to the DDaT industry and often lead the way on innovation,” the report said. “Government remains fully committed to supporting start-ups, SMEs and VCSEs through government procurement to support a healthy, diverse and competitive market and levelling-up.”
SMEs have already been hit by the Covid-19 pandemic and have seen their collective turnover decline. Enterprise Research says that over four in ten (43%) of small businesses saw turnover fall between February 2020 and February 2021. Having the restraints of data localisation could limit their options when it comes to bidding for public sector contracts.