We host a Web site for a UK firm in the US and membership data is
stored on the US server. What are the implications of the Data
Protection Act as the server is provided to UK subscribers but
their personal details are held on a server connected to the
Internet in the US? Do we come under the jurisdiction of UK law or
that of the US or both?
Carry a privacy statement
Kay Chapman
Eversheds
Legislation is in place to deal with such issues. The Data
Protection Act came into force in the UK in March 2000 and was
designed to protect individuals with regard to the processing of
personal data. For UK companies trading on the Internet, the effect
of the Data Protection Act is that Web sites need to carry a
privacy statement. Also, the Web-based company should allow the Web
site user the opportunity to consent to their personal information
being used for the purposes of direct marketing, if information is
collected for this purpose. The US does not have sophisticated data
protection legislation in place to protect the rights of
individuals who access Web sites and/or enter into agreements with
Web-based companies.
The European Commission has come to an agreement with the US
government covering data storage in the US on behalf of a company
within the European Economic Area (EEA). The US host can process
personal data on behalf of the EEA company if the US host signs up
to "Safe Harbour". The Safe Harbour Privacy Principles adopted by
the US host provide adequate protection for EU citizens' personal
information.
If the US host does not sign up to Safe Harbour it has to agree
to provide sufficient safeguards for the EEA company's personal
data. The commission has published preliminary draft model clauses
to be included in contracts, which will be deemed to provide
adequate safeguards for the purposes of an international transfer
of personal data.
It is important that you remember the Data Protection Act
carries criminal offences for certain breaches, which may involve
prosecution of individuals or a business. In addition to the
restrictions on the use of personal data for direct marketing, if
your business involves evaluation of individuals for creditworthiness
you will no longer be able to search against the individuals without
their consent.
Also, you will no longer be able to make a decision which could
be deemed to "significantly affect" an individual (i.e. reject the
application), based solely on the automatic processing of data, if
the individual has objected to the taking of automated decisions.
The individual should be given the opportunity to make
representations or to request that the decision be reviewed or
reconsidered.
For further information contact Kay Chapman or Andrew Harvey
on 0121-232 1690