This is the first half of a two-part blog series about data management in uncertain times
When looking at the intersection of government and data management, the data governance discipline tends to focus on the regulations that apply directly to it, such as the EU’s General Data Protection Regulation (GDPR). However, there are other ways in which the actions of governments – sometimes unintentionally – impact data management. Given the increased unpredictability of government actions at the moment – a phenomenon commented on in some length in the general media – it’s important for organizations to be able to respond with agility to changes in laws, regulations, trade deals, and other types of agreements that impact data flows.
Preparing for Brexit
Brexit is a very good, timely example of the impact that government actions can have on data. At the moment, the United Kingdom is set to leave the European Union on March 29. In the event of no deal being agreed by the time of the exit date (also known as a “No Deal Brexit”), the UK has said it will continue to enforce its national implementation of the EU’s General Data Protection Regulation (GDPR). It has also said publicly that data flows from the UK to the EU can continue to happen in the same way as they do at the moment after a “No Deal” Brexit.
However, the same does not hold true for data flows in the other direction – from the EU to the UK. Although the UK regime will remain the same to what it is today after a “No Deal” Brexit, the EU has declined to give the UK “adequacy” status under those circumstances. Adequacy status would allow data to flow freely from the EU to the UK – such status was recently given to Japan.
If that adequacy status isn’t achieved, the UK will become a “third country” when it comes to data transfers from the EU to the UK. That means all data transfers from the EU to the UK will have to abide by the “third country” provisions under GDPR. Organizations that transfer data from the EU to the UK need to prepare today for the possibility of this third-country status becoming a reality in the event of a “No Deal” Brexit.
The US and Privacy Shield
Another example of data flows being caught up in politics is the relationship between the US and the EU in this area, which recently came to a head in the reauthorization of the EU-US Privacy Shield. The Shield is the framework that regulates transatlantic exchanges of personal data, and although it has been reauthorized for another year, this was with reservations on the part of the EU.
The US does not have data privacy legislation or regulation at the national level that protects an individual’s data rights. Recently, the state of California enacted the California Consumer Privacy Act (CCPA), and other states are expected to follow this, but federal legislation of this type seems unlikely in the current political climate.
The EU has long had concerns about the lack of data privacy rules in the US. It is also worried about the Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943), which was passed by the US Congress in 2018. This law obligates US service providers to comply with US orders to disclose data, regardless of its storage location. The EU also continues to have issues with the reauthorization of the Foreign Intelligence Surveillance Act (FISA), which allows access to communications of foreigners outside the US. Both laws directly conflict with the EU’s GDPR.
The continued concerns that the EU has about the way data privacy is handled in the US could result in delays to (or even the failure of) the renewal of the Privacy Shield next year. If this agreement is not renewed, this would have a serious impact on the flow of data between the EU and the US. Again, this is something that organizations need to be prepared for.
Tune in tomorrow for part two of this series, which will feature three steps you can take to create agility and resilience when managing data in uncertain times.