Whose jurisdiction covers us?

We host a Web site for a UK firm in the US and membership data is stored on the US server. What are the implications of the Data Protection Act as the server is provided to UK subscribers but their personal details are held on a server connected to the Internet in the US? Do we come under the jurisdiction of UK law or that of the US or both?

Carry a privacy statement

Kay Chapman


Legislation is in place to deal with such issues. The Data Protection Act came into force in the UK in March 2000 and was designed to protect individuals with regard to the processing of personal data. For UK companies trading on the Internet, the effect of the Data Protection Act is that Web sites need to carry a privacy statement. Also, the Web-based company should allow the Web site user the opportunity to consent to their personal information being used for the purposes of direct marketing, if information is collected for this purpose. The US does not have sophisticated data protection legislation in place to protect the rights of individuals who access Web sites and/or enter into agreements with Web-based companies.

The European Commission has come to an agreement with the US government covering data storage in the US on behalf of a company within the European Economic Area (EEA). The US host can process personal data on behalf of the EEA company if the US host signs up to "Safe Harbour". The Safe Harbour Privacy Principles adopted by the US host provide adequate protection for EU citizens' personal information.

If the US host does not sign up to Safe Harbour it has to agree to provide sufficient safeguards for the EEA company's personal data. The Commission has published preliminary draft model clauses to be included in contracts, which will be deemed to provide adequate safeguards for the purposes of an international transfer of personal data.

It is important that you remember the Data Protection Act carries criminal offences for certain breaches, which may involve prosecution of individuals or a business. In addition to the restrictions on the use of personal data for direct marketing, if your business involves evaluation of individuals for creditworthiness you will no longer be able to search against the individuals without their consent.

Also, you will no longer be able to make a decision which could be deemed to "significantly affect" an individual (i.e., reject the application), based solely on the automatic processing of data, if the individual has objected to the taking of automated decisions. The individual should be given the opportunity to make representations or to request that the decision be reviewed or reconsidered.

For further information contact Kay Chapman or Andrew Harvey on 0121-232 1690