In February last year, three Google executives were handed suspended six-month prison sentences by an Italian court for violating the privacy of a boy with Down’s Syndrome by allowing the website to broadcast video of him being bullied in a school in Turin. Although the video had been uploaded in Italy back in 2006, it had been processed by servers in the US and Ireland. No content had been hosted in Italy, but Google’s Italian office was enough to give the Italian courts jurisdiction.
For companies wanting to store data in the cloud there is a minefield of data protection laws to negotiate, so it is essential to know which country your data is physically stored in. “Most organisations don’t even know what data they have,” says Tony Lock, programme director at IT services consultancy Freeform Dynamics. “They are unsure where all the data is and once they’ve found it they are unsure how to protect it.”
The European Union’s Data Privacy Directive is crucial for UK firms. Created to facilitate the free movement of sensitive private information within Europe, it also makes it hard for data to be moved outside the region. Implemented across Europe but with local variations, the requirement for UK firms is to take “appropriate technical and organisational measures” to protect data. Italy goes further and sets out what those measures should be and Denmark requires internet transmission of such data to be encrypted.
But which laws apply, for example, to a British company storing data about UK customers via a contract with a US cloud provider whose servers are located in Poland? At the moment – all three. Within the EU, a company can be prosecuted if it has an established presence in the form of an office and staff, or equipment it owns or operates, or even if it merely makes use of a data centre or equipment in a European country.