With a sigh, my colleague said, “…and of course, we have to consider possible implications of the Brexit.”
I was aware that Britain is preparing for a national vote to exit the European Union (the potential exit now widely referred to as the “Brexit”). But the data hosting and cross-border transfer implications hadn't previously occurred to me.
“Where does the polling stand?” I asked hopefully.
“About 50/50,” he replied.
I hadn't anticipated that our European hosting plan discussion would be quick and easy. But I had assumed that our London hosting facilities could serve as a centerpiece of our EU network. The Brexit was a clear reminder why international data hosting can be an enormous challenge.
It's anyone's guess what the outcome of the Brexit vote, scheduled for June 23rd, will be. Furthermore, even if Britain votes to leave the EU, the ability to transfer data freely between Britain and the remaining EU countries might remain unchanged, for instance if Britain stays within the European Economic Area or obtains an adequacy finding from the European Commission. But like last year's invalidation of the EU-US Safe Harbor framework by the Court of Justice of the European Union, the Brexit has the potential to create significant turmoil for organizations whose EU customer data sits in British data centers.
Cross-border transfers are a vexing problem for privacy and security professionals. What can be done to minimize the associated legal and regulatory challenges?
Many countries limit the transfer of individuals' personal information abroad. Fortunately for global enterprises, cross-border transfers are often still permissible, subject to certain conditions. In the EU, personal information can be transferred freely between member states. It can be transferred outside of the EU to countries that the European Commission has formally found to provide an adequate level of data protection. For transfers to “non-adequate” jurisdictions there are several further mechanisms, such as standard contractual clauses (model clauses) agreed with the recipient, or binding corporate rules that protect personal information within a corporate group and have been approved by the appropriate European data protection authority.
Many non-EU countries, such as Singapore and Australia, restrict the transfer of personal information outside of national boundaries unless the transferring organization is subject to binding internal rules or contractual terms that guarantee the information will receive the same level of protection it is given domestically once it is transferred abroad.
Unfortunately, there's enough variation between different countries' rules that compliance is a challenge. Some nations have gone further and curtailed cross-border transfers outright: Russia's data localization law, in force since September 2015, requires personal data of Russian citizens to be stored on servers located in Russia, and China is heading the same way with proposed localization requirements of its own.
What can international organizations do to avoid regulatory violations or undue burdens (such as attempting to establish and maintain local hosting in all client countries)?
First, by establishing strong, binding internal policies for the protection of personal information. If well crafted (and, where a regulator's approval is required, formally approved), these policies will satisfy many countries' cross-border transfer requirements.
Second, by selecting hosting partners with a strong global presence that can provide dedicated in-country hosting when and where it's needed. Hosting contracts should give the customer the right to specify hosting locations, and to relocate data if necessary. In practice that commitment has to cover backups, replicas, logs, and remote support access as well as the primary systems; otherwise the residency guarantee is hollow.
Finally, by monitoring trends and legal initiatives that could affect hosting and cross-border transfer options. Most legislative changes take months or even years to enact, leaving time to adjust or to avoid commitments that might soon need to be unwound. Court rulings are the exception: the Safe Harbor decision took effect immediately, so monitoring has to extend to pending litigation as well as to pending legislation.
The Brexit may or may not come to pass, but regardless of the outcome, it has served as a powerful reminder to be continuously vigilant about hosting options and the changing regulatory requirements for cross-border transfers.