UK could lose datacentres without GDPR, tech lawyer warns

There could be a massive impact on cloud service providers if the UK decides not to implement GDPR after Brexit, says lawyer

If the UK chooses not to implement some form of the General Data Protection Regulation (GDPR) following Brexit, it could lose its datacentres as companies move to compliant countries, a technology lawyer has cautioned.

Carolyn Bertin, consultant solicitor at Keystone Law, also said she believes cloud service providers will be affected by the uncertainty surrounding GDPR in the UK more than other tech companies. She claims this is due to the amount of personal data cloud service firms process compared with other businesses.

GDPR comes into force in May 2018 and will be directly applicable in all member states. This means that if the UK is still in the EU at the time, it will have to enforce GDPR. However, as soon as it leaves the EU, the government can decide to have any data protection regulations it sees fit.

Bertin said that if the UK were not to take on GDPR or its main principles, companies could leave the UK in favour of countries with better data protection laws.

"A lot of companies have datacentres in Britain," she said. "If Britain decides to liberalise its national laws and not implement GDPR in one form or another, I think a lot of those companies will be forced to move their datacentres. They wouldn't be able to hold data from other European countries in the UK, simply because it wouldn't be viewed as having the same level of protection as the EU."

The main change from the previous regulations is that companies breaching GDPR can be fined up to €2m or four per cent of their worldwide annual turnover for the preceding financial year, whichever is higher.

The UK could negotiate a data transfer agreement between relevant organisations within the country and the European countries that want to transfer data for storage and processing in the UK, said Bertin.

"[Negotiating data transfers] complicates things for businesses, and for Britain as a whole. I would think that Britain would go down the route of aligning itself with the EU regulations. If not, I think [companies] would be forced to [move datacentres out of the UK], and the problem is that they might not have the luxury of waiting to see what happens," she explained.

"If Britain decides it is not going to adopt the principles of GDPR then it has to swiftly move on to make sure it has the model clause agreements approved that companies can put in place. But companies may decide it is too much trouble to put those model clause agreements in place and it may be easier to put a datacentre in a European country that is subject to GDPR."

Bertin said that cloud service companies would be most affected by this because they are storing personal data from all over the world.

"It has a huge impact [on cloud service providers]. It increases the level of uncertainty for those businesses as to whether they remain with their headquarters in Britain and their datacentres in Britain. Cloud services are the key place where data is stored. For other tech companies it will not have as big an impact because it is not about storing and processing personal data from all over the world."