Protect your personal data: Don’t host it in the US

Here’s a couple of related stories culled straight from the SANS newsletter. The SWIFT banking network has had to move its servers out of USA jurisdiction in order to protect its data from the US government; the second story explains the reason for the EU’s concern.

Story 1: SWIFT to Move EU Transaction Processing Out of US

Story 2: Verizon Letter Describes Breadth and Depth of Information Sought by Federal Authorities

I can’t think of a clearer illustration of the differences in approaches to privacy and security that have been taken on each side of the Atlantic (with apologies to Canada).

Story 1: SWIFT to Move EU Transaction Processing Out of US

(October 4, 10 & 15, 2007)

International payment processing organization SWIFT plans to restructure its systems architecture so that it will no longer process European banking transactions in the US. By 2009, the organization will have a data processing center in Switzerland and a command center in Hong Kong.

In addition to improving the system’s capability and reliability, SWIFT also aims to take some data out of the hands of the US. Belgium-based SWIFT has met with harsh criticism for allowing US intelligence agencies access to European citizens’ transaction data. SWIFT said that because it processed the data in the US, it had to comply with the agencies’ requests for access. Data protection authorities in Europe have determined that in doing so, SWIFT violated data protection laws. EU-US transactions will continue to be processed in the US.

[Editor’s Note (Honan): By moving the data processing centre to Switzerland, SWIFT will not be subject to the EU Data Protection Act as
Switzerland is not part of the EU. However, SWIFT will be obligated to abide by Swiss data protection and privacy regulations. This is a very good example of how international companies can fall foul of local laws and regulations and highlights why it is important to have local legal expertise available in each of the jurisdictions you operate in.]

Although it is not a member of the EEA, Switzerland’s data protection laws have been rules compatible with the EU’s – according to Privacy International.

Story 2: Verizon Letter Describes Breadth and Depth of Information Sought by Federal Authorities

(October 17, 2007)

In a letter to several members of the US House Energy and Commerce Committee, Verizon Communications described the extent to which it has complied with federal authorities’ requests for customer telephone records, even in the absence of court orders. The letter also told how the FBI, using administrative subpoenas, also known as National Security letters, sought “two-generation” information – records of all people called by an individual and all the people those people called as well. Verizon does not retain such data.

Between January 2005 and September 2007, Verizon gave federal authorities data “on an emergency basis” in 720 instances. During the same period, Verizon provided government agents with information supported by subpoenas or court orders 94,000
times. Lawmakers are considering a bill that would grant telecommunication carriers immunity from being sued by individuals whose
information is disclosed without court orders. The telecoms maintain it should not fall to them to determine whether or not the government is using National Security letters in an appropriate fashion.

[Editor’s Note (Pescatore): We’ve seen Belgium-based SWIFT act to stop using US-based data centers because of concerns of transaction information being disclosed at government request. Every company outsourcing (not just off-shoring, but certainly including off-shoring) data centers or call centers needs to determine if the outsourcer will allow government access to their data. Soon countries that can provide higher assurance for data privacy in hosted data centers will be able to charge higher rates and lessen the advantage of countries with lower
labor costs.]


About Peter Cruickshank

Lecturer in the School of Computing and a member of the Centre for Social Informatics at Edinburgh Napier University, Scotland. Interested in information systems, learning, politics, society, security and where they intersect. My attempts at rounding out my character include food, cinema, running, history and, together with my lovely wife, bringing up a cat and a couple of kids.
This entry was posted in Europe, news, Privacy, Security, USA. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s