The European Directive on Data Protection received a keynote address at this year’s HostingCon. Recently I’ve received a number of inquiries about how companies can qualify to receive data subject to the directive under the U.S. Department of Commerce’s “Safe Harbor” program. My view is that qualifying under the Safe Harbor program is essential for any hosting company setting their sights beyond a strictly North American client base. Even more crucial is compliance with the Directive if you are providing cloud services. It is also worth stating that ANY company with personnel in both the U.S. and Europe is likely REQUIRED to qualify for Safe Harbor Status.
As it relates to the Safe Harbor, the Directive is designed to protect individuals with respect to the “processing” of personal information. The key issue to understand your obligations is to master the definition of “personal information.” The Department of Commerce offers this method of defining “personal information:”
Personal information is defined as information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
The Directive applies to all data you process. The term “process” is very broad. So simply copying personal information and putting it in a file is within the scope of the Directive. The Directive covers processing of data whether that processing is done on-line, off line and regardless of whether the processing is manual or by hand.
The central issue to remember is that the Directive requires you to provide notice to individuals about how you will use, process and transfer their personally identifiable data, and give them the opportunity to view and correct it. This often requires a shift in a U.S. company’s view that they own all the data they collect. Further, you may only use the data for the purpose for which you it is collected, unless you specifically inform the individual. This means you can’t collect sign up data and then sell it to your “trusted partners” for them to market their goods and services to the customer.
When you process data covered by the Directive you must:
- Appoint a “data controller” responsible for your data processing;
- The data controller must register with the Department of Commerce;
- You must notify the Department of Commerce before processing any data;
- You must provide customers with notice:
- About how you will process the data;
- The purpose of processing;
- Who you will collect data from;
- How you will transfer it to third parties; and
- How you will secure it.
Understanding that qualifying for the Safe Harbor requires you to shift how you treat personally identifiable information will allow you to approach the qualification process more efficiently, and provide additional information that will be required as the Department of Commerce reviews your policies and procedures.
