One of the key strengths of cloud computing is its inherent resilience and ubiquity: get the architecture right, and you can be assured that your data resides in multiple locations, providing both data resilience and the ability to serve data to partners, customers and employees wherever they happen to be.
However, EU legislation demands that some types of data must remain in the same country as the physical documents or the individuals to whom the data pertains. Note, incidentally, that the EU is not alone in this: many other jurisdictions have passed similar laws, with varying degrees of stringency. But the question is the degree to which this situation will alter when (or if?) the UK leaves the EU.
These are very early days. Just a few months after the referendum, it is not yet at all certain what the UK’s exit from the EU will mean in terms of the applicability of EU legislation, as EU leaders have already stated that the earliest that negotiations about free movement, trade and the host of other issues raised by Brexit can start is after Article 50 of the Treaty on European Union has been triggered.
During that two-year negotiation period, EU laws will continue to apply, although it is already clear that the UK will effectively be frozen out of any discussions around the future developments of such legislation. Once the two-year departure period has passed, the UK prime minster has already stated that EU laws will be incorporated wholesale into the UK’s statute book, after which they can be amended or abolished as the UK government sees fit.
Low profile sovereignty
Assuming the split does occur, it may be that, over time, legislation governing data sovereignty will change, and what was a single regulatory system will become two. As a result, those companies who operate across the UK/EU border will need to manage their data under different sovereignty regimes.
However, the incorporation of EU regulations into UK law may prove to be key. It is clear that, among the many issues that encapsulated by the simple yes/no vote in the EU referendum, data sovereignty was conspicuous by its absence. This low political profile is likely to prove to be its saviour because, if the UK is to continue to enjoy the free flow of data across EU borders as it does now, it will need to retain those EU-originated data protection and privacy regulations.
It is difficult to predict what outcomes negotiations between the UK government and the EU will produce. However, it seems likely that the desire to ensure to maintain a regulatory landscape favourable to business will convince the UK government of the need not to erect artificial barriers, but rather to help ensure the smooth flow of data between the UK and its biggest single trading bloc.
Early signs are good: they suggest that this is also the view being taken by large cloud providers, and tools to manage geo-sensitive data are maturing, so the issue becomes less of a hurdle for both cloud providers and their customers.
So while the vote to leave the EU has generated many reams of newsprint – both real and virtual – there would appear at this early stage to be little to fear from the point of view of data sovereignty. Planning ahead, however, is undoubtedly prudent.