Microsoft & UK Data

There’s a high-profile story in the news at the moment, regarding personal data, the UK Police and Microsoft.

Information regarding crimes and investigations is known as enforcement data. The UK Police store enforcement data in Microsoft’s hyperscale cloud infrastructure. That’s not a problem per se, as long as the data doesn’t leave the UK’s shores. The problem is, the data may be replicated and processed anywhere across Microsoft’s cloud infrastructure, including data centres overseas.

There’s an old saying (old in IT terms, at least) that the cloud is “just someone else’s server”. And, unless it’s a private cloud of your own servers, that’s true. So the question you always need to ask is, where are your cloud providers’ data centres located?

UK businesses need to verify that either:

  • The data centres are located in the EU/EEA, or
  • The data centres are located somewhere that has an approved adequacy decision, or
  • Suitable steps have been taken to provide “appropriate safeguards”.

Some organizations, such as the Police and other public sector organizations, have tighter restrictions placed on them. Section 3 of the DPA2018 stipulates that enforcement data must remain within the UK.

Microsoft uses a “follow the sun” model of support for its hyperscale platform. Let’s say you have a technical issue in the middle of the night. You’ll be connected to someone in a Microsoft support centre, in a different time zone, who is working during their day.

In order for them to investigate your issue, some or all of your data may be replicated to a data centre close to the support personnel. Obviously, that’ll be somewhere outside of the UK.

The Scottish Police Authority’s DPO says that their data processor addendum agreement with Microsoft contains assurances there will be no international data transfers without the controller’s consent – but Microsoft is taking the Police’s agreement to the data processing addendum as consent. Microsoft points to the distinction between data at rest and data being processed, and says that they only guaranteed data at rest would remain within the UK.

The story has caught the attention of some of our customers, prompting them to contact us with questions about using cloud services, and cross-border transfers. Here’s what you need to know.

You don’t need me to point out that you’re not the Police, and because you’re not processing enforcement data, the special strictures that apply to them don’t apply to you.

So, you can transfer personal data internationally – as long as you do it in compliance with the Data Protection Act (2018), which contains UK GDPR.

Check with your cloud or service provider and find out where their data centres are. If they’re located in the European Economic Area, you’re good to go.

All the EU member states (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden) are in the EEA.

Furthermore, it’s OK to send personal data to the European Free Trade Association countries (Gibraltar, Iceland, Liechtenstein, Norway, and the Republic of Korea) and countries that have been awarded a positive adequacy decision on their national data protection frameworks (Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay).

Canada, Japan, and the United States have had partial findings of adequacy. The one that will interest you the most is the United States, because most of the global cloud providers are based there. You can send data to the US as long as it is transferred under the UK Extension to the EU-US Data Privacy Framework.

Note that the EU-US Data Privacy Framework isn’t country-wide and it isn’t compulsory. It is up to individual US organizations to opt in to the scheme. You can’t just assume every American company is part of the scheme and compliant with transfers from the UK. However, naturally, all the big players are, such as Microsoft, Google, Amazon AWS, and so on.

The major players also make sure they have data centres dotted around the globe so each major geographical region, including the UK and Europe, has its own data centre.

If you want to transfer personal data from the UK to anywhere else in the world not listed above, you’ll need to conduct a Transfer Risk Assessment to determine whether it is safe to make the transfer, provided “appropriate safeguards” are in place.

According to your circumstances (and who you’re sending the data to) you’ll need to use one of:

  • A legally binding and enforceable instrument between public authorities or bodies. Despite the name, the sender doesn’t need to be a public authority, as long as the appropriate safeguards are present in the legal instrument to protect and control the transferred data.
  • UK Binding corporate rules. These are used by entities such as multinational corporate groups, franchises, and other professional partnerships.
  • Standard Data Protection Clauses. There must be a contract between the sender and receiver, incorporating standard data protection clauses recognised by UK data protection laws. It must contain clauses that impose obligations both on the sender and the receiver, and grant rights to the data subjects.
  • An approved code of conduct. The code of conduct must be approved by the ICO.

In summary, and paraphrasing, if you’re transferring data to Europe, or to a country with an adequacy decision, you’re fine.

Transferring personal data to other countries is something you’ll probably need guidance on.

If you don’t have the resources in-house to navigate these complicated matters, remember, we’re here to help.
