This story appeared in the December 2004 issue of Web Host Industry Review magazine.
December 6, 2004 -- (WEB HOST INDUSTRY REVIEW) -- Web hosts in the UK and Europe certainly have their own oversight regimes equivalent to US data handling, retention and privacy regulations such as Gramm-Leach-Bliley, HIPAA and the Communications Assistance for Law Enforcement Act (CALEA).
In addition, hosts across the Atlantic looking to serve potentially lucrative North American customers must also comply with this side of the pond's rules and requirements. However, just as the US tends to accept an opt-out privacy stance and Europe forces a more cumbersome opt-in policy on customer and personal information disclosure, European rules on data retention may also outdo US equivalents. UK industry observer and Steptoe & Johnson attorney Maurice Shenk says US ISPs and Web hosts are required by CALEA or similar measures to store and track personal information that might be useful to law enforcement, but Europe may require a lot more for a lot longer.
"In the US, you must have the capability to store and track information, but you don't have to save all of the data you process," says Shenk. "In Europe, companies will have to save two to three years' worth of information, potentially. That would be incredibly expensive with storage and so forth."
Experts like Shenk do not paint a completely bleak picture for Web hosts who want to play by the rules and avoid run-ins with regulators or law enforcement. Governments, even in Europe and the UK, tend to leave "carve-outs" that allow many companies to find exemption. But history has shown that European regulations tend to sweep rather than separate. And as Shenk tells it, data retention is a "huge" emerging issue.
In the US, corporate scandals, corrupt balance sheets and identity anxiety have brought a slew of regulatory efforts, including Sarbanes-Oxley, which covers accounting but touches all parts of the IT organization; Gramm-Leach-Bliley, which governs privacy of financial information; and HIPAA, which concerns health information.
In Europe, regulations such as the Data Protection Act of 1998 (the UK's implementation of the EU data protection directive, which has translated into data collection and disclosure laws across the nations of Europe) and, more recently, the Privacy and Electronic Communications Directive of 2002, largely implemented last year, tend to span all of the industries served by Web hosts and others.
"The control of personal information in Europe is not handled on a sector by sector basis, it's handled across all sectors," says Shenk. "It affects any processing of personal information in any sector."
When these regulations first emerged, UK Web hosts had years to prepare for them, yet there seemed to be little urgency to comply. Even as official deadlines approached three years ago, compliance remained a low priority.
Today, however, it appears as though Web hosts have finally done the work of meeting standards on how they handle, process and store customer information, regardless of whether they are serving the financial services business or the healthcare industry. European Web hosts and other service providers may be held to a relatively high "gold standard" of notifying customers and consumers how data is gathered and processed, but it is something that service providers across Europe have learned to accept and face, even if it means shelving other priorities or plans.
"I think people in Europe have gotten used to putting together privacy policies and letting people know what they do with information," says Shenk.
Still, now that they have taken the steps to meet the often complex and confusing mandates of a few years ago, one of the biggest potential issues for UK and other European hosts is compliance with Uncle Sam's regulations, which apply if data is being taken from or transferred to the US.
Web hosts across the waters have also been called upon to assist with US-based and globally collaborative law enforcement efforts against spam, child pornography and the like. The recent reported seizure of servers at UK-based Indymedia, supposedly by order of US officials, highlighted the reach of regulation and compliance. The Indymedia controversy, which resulted in a number of denials and finger-pointing among US and European authorities, turned out to be a case of US-based Rackspace complying with court orders, but the matter underlined the complexity and confusion of compliance to regional directives in the truly global marketplace.