Hosting in the UK looks to be the safest option after the European Court of Justice reached a ruling over the ‘safe harbour’ scheme that could rock the world of web hosting and data protection. The ‘safe harbour’ scheme, which allows the transfer of personal information to companies in the US, has been ruled invalid.
That means that even if a European company transmits personal information to its own web hosting company in the US, it’s technically in breach of strict European data protection laws unless it has asked for the express permission of the subject to transfer the data, or has included the possibility of data being transferred to the US with a set of specific phrases in its terms and conditions.
At the moment a vast number of companies use US hosting. Indeed, some companies don’t even know that their data is hosted in the US, because they bought hosting through a third-party provider. As of now, hosting your user data on a US server is fraught with danger and could attract a serious fine and legal complications.
Breaches of the Data Protection Act are taken extremely seriously and consumer confidence in your company would take a serious knock if you’re exposed as wilfully breaching the rules. This judgement has been coming for a while, too, as the EU has had the ‘safe harbour’ scheme in its sights for a long time, especially in the wake of the recent American whistleblowing scandal that relied on leaked information.
The Information Commissioner’s Office is almost certain to take immediate steps to enforce the ruling. If your hosting is currently on a US server, then you should move it to the UK, within the regulations, as soon as possible.
Even if you think you’re safe, don’t leave it to chance. A cloud computing service that is used for back-up may use safe harbour to host data in the US. If you have a failsafe cloud back-up then take a close look at it, because it could be about to land you in trouble.
A quick fix for the problem would be to seek permission from every new sign-up, from this point on, to transmit their data to North America, but unless you included that permission from the start, it does not cover the user data you have already collected. You therefore have two options: asking every single customer you already have, which is virtually impossible, or simply eliminating US hosting from your set-up. The latter is going to be the safest option for the vast majority of businesses.
It would be best practice to cover yourself with changes to your terms and conditions and a tick box for customers and contacts so that they can grant their approval to transmit their data to US servers. This is largely shutting the stable door after the horse has bolted, but it will still prevent further problems down the line.
As for your current hosting situation, it would pay to move all your hosting back to the UK as soon as possible if you want to avoid the regulator’s wrath. catalyst2 provides solely UK based hosting with a UK based support team.