The differences between Brits and our cousins and close allies in the US are often remarked on. We may share a language and elements of culture (such as our adversarial judicial systems), but we apply them in very different ways. Brits have long bemoaned the American application of the ‘English’ language, and they have also complained about their application of US law particularly with regard to privacy. In fact, in Britain – as in the rest of Europe – privacy is a basic human right. America has no such legal equivalent.
These fundamental differences have been thrown into sharp relief with the adoption of the General Data Protection Regulation (GDPR) in Europe. GDPR includes provisions such as “privacy by design” and “the right to be forgotten”. This regulation will become law in the UK in 2018. The differences were demonstrated yet again on 1st December, when changes to Rule 41 of the Federal Rules of Criminal Procedure came into effect. The changes authorise judges in the United States to issue warrants to remotely access data located anywhere in the world.
Such powers are not only seen as draconian on this side of the Atlantic though. Opponents of these powers such as Senator Ron Wyden commented that: “This was an alarming proposition before the election. Today, Congress needs to think long and hard about whether to hand this power to James Comey and the administration of someone who openly said he wants the power to hack his political opponents the same way Russia does.”
After last ditch attempts by Wyden and other to block these measures failed, he went on to say: “Law-abiding Americans are going to ask ‘what were you guys thinking? when the FBI starts hacking victims of a botnet hack. Or when a mass hack goes awry and breaks their device, or an entire hospital system and puts lives at risk.”
Edward Snowden added: “Without a debate or any new law, the rights of every American — and basic privacy of people around the world — have been narrowed.”
Rule 41 may not have received as much publicity on this side of the Atlantic, but it is one of many laws and regulations emanating from a country that has such a very different attitude to privacy from us.
Much has been made of the Privacy Shield framework for transatlantic exchanges of personal data between the EU and US, and also of Microsoft’s successful challenge this summer to the US Department of Justice (DoJ) in regard to US federal government access to emails held in Dublin. However, the DoJ has filed a petition to re-open the case and it is expected to go all the way to the US Supreme Court. Privacy Shield, which is under review by data protection authorities across the EU, does not give any legal guarantee that EU citizen data will not be subject to mass surveillance, nor does it abnegate US firms from their regulatory responsibilities or from the application of such laws.
Data sovereignty, and data residency are terms that are generally used interchangeably. However, the Rule 41 amendments, and many other US laws, force us to make a distinction. All US company, and their subsidiaries, are ultimately subject to US law. Therefore, while they can offer their UK clients data residency, they will never be able to offer data sovereignty – as in protection in the UK from the foreign jurisdictions that the cloud provider may be subject to.
UK companies that have no US subsidiaries, are not subject to US law, and can therefore offer their UK clients data sovereignty. For example, UKCloud, which pays taxes and is registered in the UK, holds all of its data in the UK and is subject only to UK and EU law. This protects its customer data – which belongs exclusively to public sector organisations from foreign jurisdication. It goes without saying that much of the data is personal data relating to UK citizens, is therefore subject to data protection regulation.
Understandably the US firms are seeking to downplay the importance of data sovereignty – they would, wouldn’t they? However, nobody can yet tell how Rule 41 will be applied (even the DoJ says its applicability to the Fourth Amendment would be tested on a case by case basis) or what further powers will be granted by the new US administration. What we do know is that if you are the custodian of client information then you need to be fully aware of your regulatory and legal responsibilities towards the rights and expectations of UK citizens, and have a thorough understanding of how the regulation also applies to practices such as encryption, data pseudonomisation, anonomisation and fragmentation.
In medicine there is the principle of informed consent, and the same applies to data governance. You may not object to your shopping records being held by a US cloud firm and therefore potentially being accessed by non-UK legal and law enforcement authorities. However, when it comes to your health, financial, legal or prison records, you may well be more concerned. And if you hold such data for your clients then at the very least you need to be aware of the data sovereignty issues before you choose to use a cloud provider that is based in the US – even if it now has a footprint in the UK.