Directors of firms that outsource IT services could be left to face the music if their ASP breaches data protection rules deriving from the European Commission's data directive, Aspic warned.
A report for Aspic raised concerns over the different data protection requirements among EU countries under the 1995 directive. This could make compliance with the laws difficult for companies.
Aspic called on the EC to review its data protection laws to keep pace with cross-border e-business.
"If a company operates across Europe it has different obligations in different countries," said Jeff Maynard, European chairman of Aspic. "If you have a router or a server in Luxembourg you are required to have processes audited annually by the local data protection commissioner. In theory, if anyone does not comply the directors of the client company could go to jail."
UK data protection officials confirmed that companies with European branches may have to comply with different requirements under the data protection directive. But they stressed that the location of equipment was not an overriding factor and was unlikely to require a UK company using an ASP to comply with foreign laws.