Despite all the bluster over the European referendum the vote is unlikely to have much impact on data protection in British businesses.
Firstly, because if there is a vote for exit it will take at least two years to work out the details. Secondly, it is likely that any company trading with Europe, or with anyone else with an existing agreement with the EU, will still need to follow EU data rules.
Which would be fine, except it is not entirely clear what those rules are.
Almost every company using cloud services is reliant on Safe Harbour to allow the transfer of data to US-based services. In essence the EU says personal data should not go to a country which does not have similar protection laws, without a special agreement.
But Safe Harbour was replaced by ‘Privacy Shield’ late last year when the courts decided Safe Harbour was not safe enough.
Privacy Shield was designed to allow businesses to send data to the US and assume it is covered by laws which are equivalent to European data protection regulations.
But the independent European watchdog has questioned whether the existing arrangement will stand up to future legal challenges. It seems a safe bet that there will be more court cases before easy data exchange is possible.
There are ways around this – several cloud providers now offer services which guarantee to store your data in a chosen legal jurisdiction. Country regulators have been fairly relaxed about companies doing their best to follow rules which keep changing.
But data controllers are about to have a completely new set of headaches.
Proposals from the European Commission will require the providers of online services to allow users to freely move their data between platforms.
Think of it like the new rules which mean you can easily and quickly move ‘your’ mobile number to another provider.
But extend this to all data and services, which may of course run on totally different platforms, and you can see the problem.
Moving a customer database from one provider to another is a non-trivial business. But the changing rules will make this both a right for you as a cloud customer and a right for anyone whose data you are storing, whether an individual or another business.
Liz Fitzsimons, partner in the Eversheds Privacy and Information Law Team, said that while there may be benefits for both businesses and consumers in being able to easily port data to a different provider, actually doing it might not be so simple.
Fitzsimons said: “Free flow of data between online platforms that were never designed commercially or technically to facilitate such exchanges is an ambitious goal… But the changes will take a great deal of costly, technical work behind the scenes to achieve, and especially to prevent cyber criminals from benefitting from the open access and data portability requirements.”
Cloud providers will need to think about how to provide interfaces to allow this sort of portability without giving away commercially sensitive information about their own systems. Although there are common standards and APIs shared by providers, this will still be a serious technical challenge for many cloud providers. Creating a system which allows such ease of access but still keeps everything secure will be even more difficult.
There is also an obvious security headache around creating common systems to allow easier access to and portability of data. These systems will have to prove to regulators that they are compliant with both European data protection laws and data portability regulations. Juggling these two contradictory issues will be a whole new headache for data controllers.