We are all hopefully familiar with the basic principle that under EU law, we must give permission for our data to be shared. However, this is not as cut and dried as it initially sounds, and the use of UK personal data by US companies is continuing to be an issue.
What is the problem with your data?
Let’s start by remembering that the internet is always only partially under the law of any particular nation. In theory, when you use the internet for something like social media, it is UK law that applies to your data. There is a problem with this, though, because once online, the data moves between servers and is stored in multiple places. That is where the question of jurisdiction becomes trickier. If you are using an Internet Service Provider in the UK and they are storing your data in the UK (or any EU country for that matter), then EU or UK law applies, and usually, that means GDPR. In short, you should be in control of who sees and uses your data. Unfortunately, that is rarely the scenario when it comes to commonly used services such as social media. You log on from the UK, but your information is then handled by US data processing, and that raises questions because things get a little murky.
Where GDPR may not apply to UK users
Despite all the problems surrounding the details, the principles of GDPR are very simple. The data handler (the person holding your data) is responsible for its use. That means, under EU and UK law, you must be informed of how and why it is being used. The problem is that this is, for the most part at least, tied to the head office of the company, which is listed as the data processor. The situation is then made more complex by the fact that the data silos that store your information are often outside the EU. The problem with data storage is that it is completely and instantaneously transferable to any location. So, where you input it really isn’t relevant to where it ends up.
The practical upshot of all this is that although your data may well be protected by GDPR in theory, in practice, it can only be enforced if the country in breach of the law is subject to EU or UK law.
So surely there is international agreement on the handling of data?
Yes, but again, you would probably have to add ‘in theory’ to that answer. There are agreements in place, but US and UK law differs significantly in some key areas. Probably the most prominent of these, from the point of view of how your data is shared, surrounds national security. In the US, if there is deemed to be a security issue, access to and sharing of your information is, again in theory, much easier than it is in the EU or UK.
In July 2020, it was deemed that the EU-US privacy shield, which was previously considered to protect the transfer of data, was unsuitable, and it was invalidated. This is the second time the Court of Justice of the European Union has done this, having previously invalidated the so-called ‘safe harbour’ principles in 2014. In October this year, President Biden signed an executive order ratifying the new EU-US Data Privacy Framework. So, well, yes, in theory at least, your data can now only flow between US and UK sites with your permission and as long as you know what it is being used for.
So, is it all resolved?
Well, maybe as far as the law is concerned for the time being. However, there are still various questions that have not been addressed by this. The level at which your content could be seen as a security threat and the question of whether your information can be shared with partners could still be problematic.
One of the biggest questions is still one of enforcement. The complex nature of data storage and the difficulties of finding and proving that your data is being mishandled make actually enforcing these laws difficult, to say the least. In fact, Twitter is currently being investigated by Ireland’s Data Protection Commission over a data breach affecting 400 million users. And there is also an ongoing investigation into the use of APIs and lack of consent. Headline fines for big corporations are one thing, but how much data is badly stored, misused, breached or sold to partners that doesn’t come to light?
To add a further ingredient to this already messy stew, GDPR is a European law, and therefore a post-Brexit UK no longer needs to abide by it. In fact, it was announced at the Conservative Party Conference over the summer that a new law would be implemented to replace GDPR. Some say the promise that this new law would be ‘business and consumer friendly’ carries the ominous potential for a reduction in what are considered appropriate levels of data privacy. Not only that, but a new law could throw the whole situation into turmoil as the US – UK agreements would once again need re-writing. Until we see what the new law is, it remains a guessing game as to what the impact will be.
In the end, data privacy and the security of your data are always going to be of concern. Watch this space; we are working hard to keep ahead of any potential problems and help you keep your documents and personal data safe.