At work, we’ve been talking about an issue which is, I suppose, the converse of an issue I’ve touched on before in the context of freedom of expression vs national sovereignty. This time, we’ve been looking at the legal (and ethical) position of a UK-based organisation that wants to host an online forum. How does it change if the servers that host the forum are physically in the USA (as they often are)?
There’s a lot to learn… but this is the situation as far as I can tell. Data Protection requirements do follow people across borders, at least as far as the EU is concerned. In the UK, the main principle is set out in the Information Commissioner’s FAQ, in particular:
Q: What protects my personal information when it is being passed to overseas companies and call centres?
The Data Protection Act prohibits the transfer of personal information from the UK to other countries unless those countries can ensure the same level of protection. Organisations can also set up contracts with overseas organisations receiving personal information. This ensures that a higher standard of protection is in place than there might have been in the receiving country.
Organisations in the UK which have personal information processed on their behalf overseas are responsible for the security of your information. The UK organisation is required to make sure the company overseas complies fully with the UK Data Protection Act. (My emphasis)
It may be that there is an exemption from registration for not-for-profits, depending on how you interpret Q8 and Q9 in section 6 of the guidelines [PDF].
But in general, the definition of personal data is very broad, and would include the opinions expressed by participants in the forum, if they can be linked back to an individual.
This seems to be the driver behind Facebook’s compliance with the Safe Harbor agreement:
EU Safe Harbor Participation
We participate in the EU Safe Harbor Privacy Framework as set forth by the United States Department of Commerce. As part of our participation in the safe harbor, we have agreed to TRUSTe dispute resolution for disputes relating to our compliance with the Safe Harbor Privacy Framework. If you have any complaints regarding our compliance with the Safe Harbor you should first contact us at firstname.lastname@example.org. If contacting us does not resolve your complaint, you may raise your complaint with TRUSTe at http://www.truste.org/users/users_watchdog_intro.html.
The same principle seems to be behind the bother Google is getting into over its policy of collecting data on individuals. Back in May 2007, the Article 29 Working Party, which advises the Justice Directorate of the EC, asked Google to bring its business practices into line with European data protection law so that it gives due respect to people’s privacy [Register story here]
…and many follow-up stories of Google trying to find wriggle room. The Register’s story on current status is here.
I have sent a generic query to the Information Commissioner to see if there’s an official line.