[LRUG] Data protection, the EU and PAAS suppliers - arrgh!

thomas pomfret thomaspomfret at gmail.com
Tue Aug 14 03:29:00 PDT 2012


I've run into this a few times, and can confirm Heroku are not safe harbour
registered. They claim to be working on it... although said the same over a
year ago and there's no time frame.

My feeling is if you are following guidelines to the letter, then they are
likely not an option.

Thomas

On 14 August 2012 11:21, Mark Weston <mark at markweston.me.uk> wrote:

> Hi there,
>
> Has anyone who's using or considered using PAAS providers like Heroku got
> any thoughts about data protection and concerns about transfer of data
> outside the EU?
>
> Our amateur reading of the guidelines from the ICO seems to be that if
> you're processing personal data outside the UK it can be
>
> 1) somewhere within the EU/EEA which has equivalent data protection rules.
> 2) in another jurisdiction judged by the EU Commission as having adequate
> data protection laws (i.e. not the US)
> 3) in the US as long as the data processor has certified compliance with
> the US - EU 'Safe Harbor' frameworks.
> 4) in the US with a data processor with whom your contract includes
> standard terms drawn up by the EU to guarantee protections equivalent to EU
> data protection rules.
> 5) in the US if you can "make an assessment that the level of protection
> for data subjects' rights is 'adequate in all the circumstances of the
> case'" (on the basis of the data processors' existing terms of service and
> policies, or of extra technical measures you take to protect the data, or
> maybe just by getting users' consent to the transfer).
>
> We had originally settled on Heroku for hosting our application - until
> the discussion turned to data protection.  I'm pretty sure (awaiting
> confirmation) that Heroku aren't Safe Harbor certified, and am sure that
> they won't agree to a modified contract/terms of service in order to win
> one small customer.  So that leaves us with option 5, and our business
> owners are understandably queasy about the idea of making a legal judgement
> (about the adequacy of Heroku's privacy and data management policies)
> ourselves and being liable if we turn out to have got it wrong.
>
> Any Heroku customers here?  How have you dealt with this?
>
> Mark