The European Commission has issued a clarification of the non-EU countries in which businesses are allowed to store their data without breaking data protection law.
Most importantly, the commission confirmed that it is legal to store customer data in the US as long as a Safe Harbour Agreement is in place to ensure that the EU’s conditions for data protection are met.
That clarification will help to allay the fears of European organisations concerned about the legal ramifications of using software-as-a-service (SaaS) offerings from organisations based in the US.
The US’s Patriot Act grants federal officials the right to inspect any data stored on US soil if it relates to a national security investigation. There is a concern, therefore, that EU businesses storing customer data in the US would contravene the EU’s Data Protection Directive, enacted as law by the UK’s Data Protection Act, which prohibits organisations from passing on that data without the customer’s consent.
While the contention between the Patriot Act and the Data Protection Directive has yet to be examined in court, this week’s clarification indicates that the EC does not wish data protection law to get in the way of the exchange of electronic services between the EU and the US.
The number of non-EU countries in which EU businesses can legally store data is surprisingly small: the US (with Safe Harbour), Switzerland, Canada, Argentina, Jersey, Guernsey and the Isle of Man.