We are in an age where data privacy concerns, along with data theft, are making the headlines every day.
Understanding the laws around data collection, along with the unique differences between the various countries they are applicable in, is of the utmost importance to any organization that stores the data of individuals either locally or remotely.
As much as it is promoted as best practice to disperse an organization’s data over as geographically wide an area as possible (e.g. for backups, scalability or disaster prevention), it is crucial that an organization is aware of the legal implications of doing so.
A data center consultant can help business stakeholders understand what their obligations are, therefore minimizing any risk of breaking a law.
Data residency laws in Europe are quite different from those that apply in the United States.
What are Data Residency Laws?
Before we dive further into the specifics of the EU and USA laws it should be pointed out exactly what constitutes data residency laws.
Data residency laws are those laws that apply to data held by an organization, within the region that the data is stored. If a business is operating out of the EU, yet their cloud provider is based in the US, they must ensure that they comply not only with EU data protection directives but also with those of the US.
You also need to consider the laws of the country where the user resides, as each country can have its own laws around what can and cannot be done with the data of its residents.
If you are an American online retailer, and have customers in Europe, how do you ensure that your European customers’ information always stays in Europe? How do you ensure their information isn’t on a hard disk in New Jersey? You need a data center presence in Europe.
Data Residency Laws in Europe
The EU has very stringent data residency regulations. The EU, along with a number of other countries, is strengthening its laws to protect data in its territory from loopholes brought in by initiatives such as the Patriot Act.
Data Protection Directive 1995/46/EC
The EU’s Data Protection Directive has a number of principles relating to:
- The use of personal data
- Transfer of data
- Safekeeping of data
Unfortunately, many organizations appear to be unaware of the directive. A recent study by Skyhigh highlighted the fact that as many as 74% of EU organizations could be breaking the EU Data Protection Directive, leaving themselves at risk of incurring large fines.
e-Privacy Directive 2002/58/EC
Sitting on top of the Data Protection Directive is the e-Privacy Directive, which focuses on the protection of personal data with regard to telecommunications.
This directive covers things such as cookies and location data.
Data Residency Laws in the USA
The US does not actually have a single federal data protection law. It does, however, have a number of federal data privacy and security laws that must be taken into account, along with state laws and regulations.
Three of the main federal acts relating to data security and privacy are:
Health Insurance Portability and Accountability Act (HIPAA)
Compliance with HIPAA is compulsory for health care providers in the USA. It covers a wide spectrum of best practices around personal health information.
Fair and Accurate Credit Transaction Act (FACTA)
This act is instrumental in the prevention of identity theft. One example of how this law has helped with data protection is that it prevents businesses from printing more than 5 digits of a credit card number.
Children’s Online Privacy Protection Act (COPPA)
COPPA helps with the protection of data collected from children under the age of 13. It covers what kind of information can be gathered from children and when verifiable parental consent needs to be obtained.
Main differences between storing data in the EU and US
To summarize, the US does not have a single federal law around data residency.
The EU has an all-encompassing law that dictates that data may only be stored under strict conditions and for certain legitimate purposes. US law does more to specifically protect health information and children.
Data laws, and compliance with those laws, continue to gain increased attention globally.
To ensure that your organization stays on the right side of the law, engage a data center consultant fully versed in data residency law requirements.
By Staff Writer