As The Economist pointed out in its recent special report, “Technology and geography”, the internet is not nearly as virtual as most imagined it to be back in the 1990s. The physical locations of assets and people still count big time. One area the report did not examine was the geographic restrictions imposed by data protection (DP) laws and the hot water these can get organizations into when it comes to data processing.
Top of mind for EU-based organizations is the EU Data Protection Directive (DPD) which states that “personal data may only be transferred to third countries if that country provides an adequate level of protection.” Basically, this means if the protection offered to data subjects in the non-EU country is less than that required by the EU DPD, then you are in breach.
Even for an organization based solely in an individual EU country, following the directive to the letter may not be enough; this is because it is a directive, not a regulation. A directive outlines EU rules that are required to be implemented as part of local EU-country laws, which then may be added to with further local restrictions.
In the UK, for instance, the ultimate source of DP law is the Information Commissioner’s Office (ICO), which is responsible for the UK Data Protection Act (DPA) in which the EU DPD is embedded (sorry for all the TLAs!). It is the ICO that sets the level for fines and can add rules to suit local purposes — for example, allowing DP principles to be overridden for reasons of national security or criminal investigation. Similar issues will be encountered in each EU member state.
Now back to the souped-up network. With high-speed networks it easy to transfer data anywhere, especially personal data which, despite its high value, is usually low in volume. Multi-national companies may have data centers around the world, but need to be aware of transferring data for processing from, say, Germany to somewhere in Asia, because the local DP laws may not be as stringent as those required by the EU.
Even though a given organization’s data controllers (those responsible for data protection) may be aware of their responsibilities, many employees will not be, so guidelines for data processing need to be crystal clear and, where possible, protective technology should be put in place to check the actions being taking with regard to the transfer, storage and processing of personal data, even within an organization.
The USA is one of the most problematic places for DP law due to its importance in the supply of cloud services. Transferring data to the USA brings it into the realm of the USA PATRIOT Act, which can force disclosure of personal data in direct conflict with the EU DPD. In theory, the so-called US-EU Safe Harbor principles, whereby US organizations sign up to EU data protection principles, should provide the protection required to process data in the US, but there are doubts. Some organizations claim to have adopted the principles, when in fact they have not, and in any case, the Patriot Act can still be used to trump the Safe Harbor, something the EU is looking to resolve with 2012 modifications to the EU DPD.
It is the use of cloud services, rather than the use of their own infrastructure, that is the most pressing problem for European data controllers. Open, high-speed networks make it easy to transfer data to locations of uncertain legal provenance run by third parties. The USA PATRIOT Act raises its head again — it governs not only organizations that process data in the US, but also organizations that are headquartered in the USA, which includes the likes of Microsoft, Amazon, and Google.
Some may think the answer lies in the use of encryption, but DP laws generally refer to the processing of data — while encryption can be used to protect data in transit and when stored, to be processed data needs to be decrypted. In any case, be careful even with storing encrypted data; in some places, such as Russia, it is illegal.
High-speed networks and cloud services certainly widen the choices for where data can be processed, but all organizations should be aware that they could feel the heavy hand of the law on their shoulder should they overlook real world geography when pursing virtual world convenience.