[LRUG] Data protection, the EU and PAAS suppliers - arrgh!

Paul Robinson paul at 32moves.com
Tue Aug 14 03:36:34 PDT 2012


On 14 Aug 2012, at 11:21, Mark Weston <mark at markweston.me.uk> wrote:

> Has anyone who's using or considered using PAAS providers like Heroku got any thoughts about data protection and concerns about transfer of data outside the EU?


If the kit is owned by a US company, whether they are "Safe Harbor" or not, and whether the server is located in the EU or not, you must assume the company will comply with any US court request to seize it, or the data upon it. This can lead to subject data being leaked inadvertently.

This has happened on multiple occasions (RackSpace and IndyMedia was one notable case some years ago), and therefore there's a simple answer: If you want to show that you are serious about protecting user data, you should host that data on servers located in the EU on equipment operated by an EU-owned company, in a data centre owned with EU-based money and connected to an EU-owned upstream provider.

Anything else, and your data - including your customer database - can be seized in a heartbeat (including by your hosting provider, your US-based competitors, etc., etc.), irrespective of what your contract or legal understanding is, and you should tell your customers that they should consider any data they provide to you as being within the jurisdiction of a US court and in essence unprotected, even if you have special contracts in place or the providers are "Safe Harbor" approved.

If you genuinely don't care about the data and just want to use Heroku (US-owned) on Amazon's US servers and network, etc. and just want to make sure you're staying legal, all you have to do is tell your customers in your TOS that their data is not protected by EU law. That's perfectly acceptable, legally.


> Any Heroku customers here?  How have you dealt with this?


Historically, I've either:

1. Told customers via the TOS not to expect EU levels of data protection because the kit was in the US and operated by US-owned companies. For services targeting non-EU audiences, that seemed fine. The ICO is happy with it providing it is explicitly stated in the TOS.

2. Avoided the US in its entirety, which meant ruling out Heroku, Amazon and RackSpace. This was effective where I expected data subjects to be particularly concerned about the jurisdictions that could "control" access to their data.

There is a big market for a top-to-bottom EU player in the IAAS/PAAS space. Some banks for example, would probably be very keen to see such a solution. I know I'd be interested.

Paul

