Comments on: Fighting FUD: cloud players try to make sense of European data laws http://gigaom.com/2012/09/26/fighting-fud-cloud-players-try-to-make-sense-of-european-data-protection-laws/ Wed, 22 May 2013 07:25:51 +0000 hourly 1 http://wordpress.com/ By: David Mytton http://gigaom.com/2012/09/26/fighting-fud-cloud-players-try-to-make-sense-of-european-data-protection-laws/#comment-1021070 Thu, 27 Sep 2012 09:55:55 +0000 http://gigaom.com/?p=566545#comment-1021070 To understand this, you need to understand how EU operates with the 2 primary types of “law”. Regulations are directly binding to member states but directives are “guidelines” which are then implemented by each member state. The directive sets out the basic minimum requirements but member states are responsible for implementing them. There are other types and nuances to these 2 but that’s not relevant here.

The relevant directive is Directive 95/46/EC, specifically articles 25 and 26 – http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:NOT – this essentially states that data cannot be transferred to third party states which do not have an equivalent level of protection (article 25) unless the subject gives permission (article 26). In the UK, implemented by the Data Protection Act 1998, all you need to do in your T&C is include a term where the user gives permission to transfer their data outside of the EEA. There are many other situations where you can transfer data even without consent (although consent is the easiest way), and there is detailed guidance at http://www.ico.gov.uk/for_organisations/data_protection/the_guide/principle_8.aspx

The problem comes with other countries. The directive states that consent is an option for transferring data outside the EEA but how that actually works will depend on the country. I don’t know how German law operates but for UK companies I don’t think this is an issue.

]]>