EU safe harbor restrictions - who should comply?
February 7, 2006 3:08 PM
I represent a UK company reselling US server space to EU companies. Which parties have to adhere to safe harbor?
It seems to me that from our point of view, the server company needs to be certified, but from the point of view of our customers we're the ones dealing with their data. We use Ev1servers to host, and they give us full control of their rack servers; surely that means we're the ones with responsibility for our clients' data?
I don't want to be wrong here, but I have a sinking suspicion I am. I'd really appreciate any hints.
Response by poster: Wow. Thank you for that :) Puts my mind at ease a bit. So if we're reselling US web server space / services to a group in the EU, because we're also in the EU all the data controllers are under its applicable laws and we're fine.
posted by bwerdmuller at 6:19 AM on February 8, 2006
Primarily, in this document ('Website Frequently Asked Questions', PDF) from the UK's Information Commissioner's Office, see question 13:
IF WE USE ANOTHER COMPANY TO HOST OUR WEBSITE WHO IS RESPONSIBLE FOR DATA PROTECTION?
Responsibility for compliance with the Data Protection Act 1998 rests with the data controller, that is the person who determines the purposes for which and the manner in which the personal data are or are to be processed. This is likely to be the website operator rather than the host. A data controller does not have to own the equipment on which the processing actually takes place.
In other words, if you're just hosting the stuff, it's not your responsibility.
Secondly, even if the above isn't true, I would interpret 'international transfer' to mean transfer from one business in country A to another business in country B. I don't think it covers mere physical movement of data to another country, as long as that data is still under your control.
The real question is, who will be using the data, and where are they based? If it's just a UK company storing personal data on one of your servers (which happens to be in the US), and then subsequently accessing that data themselves, then there is no real transfer going on, and there's nothing to worry about.
If, however, they are storing personal data on your servers, and then letting another party access the data (either another business, or visitors to a public website), then data transfer is occurring. But again, it's not about where your servers are based -- it's about what organisation(s) are being given access to the data, and in what country they are based.
For instance, if your client was transferring data to a US company via your servers, then your client would be responsible for making sure that the US company adheres to the Safe Harbor agreement. But if they were transferring the data via your servers to a company in, say, France, then the US Safe Harbor agreement wouldn't enter into it. The data is only being transmitted through the US, not being transferred to it.
See this document ('Transborder Dataflows', PDF), again from the ICO. In section 4.1, it says:
Transfer does not mean the same as mere transit. As such, the fact that the electronic transfer of personal data may be routed through a third country on its way from the UK to another EEA country does not bring such transfer within the ambit of the Eighth Principle unless some substantive processing operation was being conducted upon the personal data in the third country in question.
And this document ('International Transfers of Personal Data', PDF), once again from the ICO, contains the following example:
An employee travels abroad with a lap-top containing personal data connected with his/her employment. His/her employer in the UK remains the data controller. Provided the data remain in the possession of the employee and the employer has an effective procedure which addresses security and other risks posed by the use of lap-tops including the additional risks posed by international travel, a conclusion that there is adequate protection is likely to be reasonable.
In this example, it doesn't matter what country the employee is travelling to, because the data is still under the control of the UK company. All that's necessary is that you take the normal security precautions with personal data that you would take in the UK anyway.
In any case, the very first point I made seems to be the most important one, and overrides everything else: none of this is your responsibility unless you are the data controller; that is, the person who makes the decisions about how the data is going to be used.
posted by chrismear at 4:11 PM on February 7, 2006