How many times have you spoken to someone in a call centre who refused to give you information on the basis that the "Data Protection Act" prevents them?
Any potential customers in Germany who told you they can’t buy your IT or cloud service because their law prohibits data transfers outside Germany? Has anyone told you that a Brexit would allow the UK to make its own laws including regarding data? Or has a customer refused to buy your solution because you’re reselling public cloud, which means they will lose ownership of data?
I regularly encounter people who tell me the way it is and yet they have not actually read the law or the contract. I understand: not everyone wants to wade through the tedium to work out what is what. That is what you pay lawyers for.
Those who don’t want to pay a lawyer should read it themselves as all too often they seem to base their buying decisions on what someone else told them or what they think the law says, but without actually checking it themselves.
While they will likely save money on legal fees, they could just end up buying a service that doesn’t fit what they need and which costs them more than it should.
Of course it is right to be wary of data protection laws, especially as the fines will increase dramatically over the next couple of years. It is also sensible not to do business with providers who seek to steal your intellectual property rights.
All too often though, emotional knee-jerk reactionism is used as a substitute for proper advice. The UK Data Protection Act (you can read it here) does not prevent transfers outside of the UK. The whole point of the EU Data Protection Directive (read here), upon which the UK Act is based, was to harmonise laws across the whole of the European Union (actually, it also extends to the three additional countries in the European Economic Area).
Yes, it was not entirely successful and it needs to be updated, hence the new Regulation which is coming into force in 2018. But, without going into specifics, data transfers within this “Fortress Europe” are acceptable now and will be under the new law too.
Because this Directive also applies in Germany, it should not come as a surprise to learn that German law is very similar to UK law, albeit with some gold-plating. I interviewed a German lawyer on this very topic in 2014. He said there is particular resistance to impingements on privacy in Germany, most notably caused by citizens who were once watched over by the Stasi, the former East German state security service.
But the Bundesdatenschutzgesetz, the German data protection law, does not prevent transfers of data outside Germany. Further, neither UK nor German data protection laws prevent the transfer of personal data outside Europe. The European Commission retains a “Safe List” of countries or to give it its proper title, “Commission decisions on the adequacy of the protection of personal data in third countries”. Switzerland features on this list, of course, as do Argentina, Canada, Israel and New Zealand. Of course, you should have a robust written contract covering personal data transfers, but you can definitely transfer.
Safe Harbour is dead, welcome Privacy Shield
Everyone knows that the EU Court of Justice overruled Safe Harbour on the basis that, with all the NSA snooping going on, it was far from safe. However, the new Privacy Shield has been negotiated and, with some additional oversights from the US and a little less snooping, this will validate EU/US data transfers once more.
The Privacy Shield means the US will be back on the Safe List. You can even transfer data outside the Safe List by implementing appropriate safeguards, but let’s save that topic for another day.
A potential Brexit won’t change this position either. Even if the Leave campaign is successful and the UK finds itself outside the European Union, it is likely we will drop into the European Economic Area where the data laws still apply. Even if we seek to go it alone, we will still have many trading partners inside the EU and this will mean we will still have to comply with many EU laws, including data protection. In that case, the UK will be scrambling to get onto the Commission’s safe list.
Finally, public cloud, on the whole does not sneakily transfer ownership of your data just by using vendors' services. It’s true that some public cloud terms contain licences allowing the provider to use your data to provide you with services to access that data. It’s also true that some social media sites will include broader permissions to share and use the data that you posted online. But that is not the same as B2B public cloud claiming ownership of your corporate, confidential and personal data and using it for their own purposes.
So please, there is enough confusion already without adding more. Sometimes businesses interpret law or terms in a restrictive and self-serving way as internal policy and that’s fine. However, if you lose a sale because of it, challenge your customer to point you to the section of the law or the contract. ®