In the fifth part of my series on the benefits of Iceland as a strategic data center hub, I examine Iceland’s regulatory status, the strength of its data protection laws and why Brexit uncertainty is further boosting the country’s status as an alternative to London.
For modern financial services firms today, being fully compliant with global rules is a vital consideration when choosing a data center location. As a member of the European Economic Area (EEA), Iceland’s political, legal and economic systems are all tightly integrated with the EU’s - and its data protection and financial services regulations are also fully aligned. In fact, the importance of data security and a robust regulatory regime were further highlighted by Citihub Consulting’s recent report on Iceland’s suitability as a data center location for financial services firms. The key factors on which it based its recommendation included the country’s excellent access to the European Market, “excellent overall capability” in terms of its legal framework and its “world class” data privacy protections.
TOP OF THE TABLES
As a result, Citihub’s overall evaluation of the country’s regulatory status was ‘outstanding’. The report adds that the selection of Iceland is “fully complementary” with the regulatory and legal requirements of firms operating in the European Union and the United States. Artmotion’s Data Privacy Report (2015) also ranks Iceland as the 3rd best country for data protection and security, out of 170, based on independent data from the United Nations and World Economic Forum (WEF) . In comparison, the same benchmark rated the UK in 23rd place globally, while the US only ranked as the 38th best. The strength and relevance of its information and communication technology (ICT) laws were also rated highly by the WEF. Out of 139 countries, Iceland ranked 9th – compared to much larger rivals such as the US, for example, in 11th place .
ROBUST, REFRESHED AND REVISED
Furthermore Iceland, as an EEA member state, has implemented a national data protection framework that meets the requirements of both the existing EU Directive 95/46/EU (the Data Protection Directive), and the upcoming General Data Protection Regulation (GDPR) – due to come into force 25 May, 2018, which will introduce a number of new requirements around data accountability, controls, protection and obligations, both domestically and cross-border.
I think it is also important to note that over and above these requirements, the country has introduced an “Icelandic Modern Media Initiative” (IMMI). This set of thirteen separate pieces of media related legislation aims to specifically protect individuals by completely prohibiting disclosure requests by foreign governments or law enforcement organisations. In addition, the harmonised data protection laws of the EU/EEA mean that the personal data of EU citizens can be transferred to Iceland and secured/processed in the same way as it would be domestically. So firms wishing to transfer data to Iceland from the United States have no limitations in respect of cross border transfers, but they must still comply with the relevant state and federal laws that help to ensure privacy and security of personal data.
In contrast to Iceland’s outstanding regulatory status, we should as well consider the potential and unknown impact of Brexit on the UK’s data protection equivalence. If London failed to be deemed as ‘adequate’, the results would of course be catastrophic. But even after negotiations for the UK to exit the EU have been completed, equivalence would still not be guaranteed long term. In addition, political factors, sovereignty demands and calls to break away from ‘burdensome’ regulation may well negatively impact UK data protection and privacy laws.
Uncertainty about future equivalence is also likely to encourage UK based ‘data processors’ to relocate their processing operations inside the EU/EEA – and introduces uncertainty around the future of the EU-US Privacy Shield.
Yet firms concerned about the uncertainty that Brexit negotiations are creating would do well to compare this to Iceland’s standing on the global regulatory stage. Not only can it offer the certainties of EEA membership, but also a host of world class data privacy protections in its own right. Coupled with harmonised data protection laws and a growing reluctance from firms to trust their data to London, it is little wonder that Iceland is proving to be one of the safest places in the world to place your data.
Don’t miss my final blog in this series where I will be looking at Iceland’s unique 100% green power profile.