Data Protection law and US-hosted forums

At work, we’ve been talking about an issue which is I suppose the converse of an issue I’ve touched on before in the context of freedom of expression vs national sovereignty. This time, we’ve been looking at the legal (and ethical) position of a UK-based organisation that wants to host an online forum. How does it change if the servers that host the forum are physically in the USA (as they often are)?

There’s a lot to learn… but this is the situation as far as I can tell. Data Protection requirements do follow people across borders, at least as far as the EU is concerned. In the UK, the main principle is answered in the Information Commissioner’s FAQ, in particular:

Q: What protects my personal information when it is being passed to overseas companies and call centres?

The Data Protection Act prohibits the transfer of personal information from the UK to other countries unless those countries can ensure the same level of protection. Organisations can also set up contracts with overseas organisations receiving personal information. This ensures that a higher standard of protection is in place than there might have been in the receiving country.

Organisations in the UK which have personal information processed on their behalf overseas are responsible for the security of your information. The UK organisation is required to make sure the company overseas complies fully with the UK Data Protection Act. (My emphasis)

It may be that there is an exemption from registration for not-for-profits, depending how you interpret Q8+Q9 in section 6 of the guidelines [PDF].

But in general, the definition of personal data is very broad, and would include the opinions expressed by participants in the forum, if they can be linked back to an individual.

This seems to be the driver behind Facebook’s compliance with the Safe Harbor agreement:

EU Safe Harbor Participation
We participate in the EU Safe Harbor Privacy Framework as set forth by the United States Department of Commerce. As part of our participation in the safe harbor, we have agreed to TRUSTe dispute resolution for disputes relating to our compliance with the Safe Harbor Privacy Framework. If you have any complaints regarding our compliance with the Safe Harbor you should first contact us at If contacting us does not resolve your complaint, you may raise your complaint with TRUSTe at

And the bother Google is getting into with its policy towards collecting data on individuals. Back in May 2007, the Article 29 Working Party, which advises the Justice Directorate of the EC, asked Google to bring its business practices into line with European data protection law so that it gives due respect to people’s privacy [Register story here]

…and many follow-up stories of Google trying to find wriggle room. The Register’s story on current status is here.

I have sent a generic query to the Information Commissioner to see if there’s an official line.


About Peter Cruickshank

Lecturer in the School of Computing and a member of the Centre for Social Informatics at Edinburgh Napier University, Scotland. Interested in information systems, learning, politics, society, security and where they intersect. My attempts at rounding out my character include food, cinema, running, history and, together with my lovely wife, bringing up a cat and a couple of kids.