[LRUG] Data protection, the EU and PAAS suppliers - arrgh!

Mark Weston mark at markweston.me.uk
Tue Aug 14 03:21:25 PDT 2012


Hi there,

Has anyone who's using or has considered using PAAS providers like Heroku got
any thoughts about data protection and concerns about transfer of data
outside the EU?

Our amateur reading of the guidelines from the ICO seems to be that if
you're processing personal data outside the UK it can be

1) somewhere within the EU/EEA which has equivalent data protection rules.
2) in another jurisdiction judged by the EU Commission as having adequate
data protection laws (i.e. not the US)
3) in the US as long as the data processor has certified compliance with
the US - EU 'Safe Harbor' frameworks.
4) in the US with a data processor with whom your contract includes
standard terms drawn up by the EU to guarantee protections equivalent to EU
data protection rules.
5) in the US if you can "make an assessment that the level of protection
for data subjects’ rights is ‘adequate in all the circumstances of the
case’" (on the basis of the data processors' existing terms of service and
policies, or of extra technical measures you take to protect the data, or
maybe just by getting users' consent to the transfer).

We had originally settled on Heroku for hosting our application - until the
discussion turned to data protection.  I'm pretty sure (awaiting
confirmation) that Heroku aren't Safe Harbor certified, and am sure that
they won't agree to a modified contract/terms of service in order to win
one small customer.  So that leaves us with option 5, and our business
owners are understandably queasy about the idea of making a legal judgement
(about the adequacy of Heroku's privacy and data management policies)
ourselves and being liable if we turn out to have got it wrong.

Any Heroku customers here?  How have you dealt with this?

Mark