I hadn’t heard the “but European regulations require you to store data in Europe” excuse for a while, but it was trotted out in an email exchange I was having when I asked a question I ask often: “Why isn’t it available in Europe yet?”
Well, it’s not actually that clear-cut, so I thought I’d take the opportunity to demystify this whole “where can I store my data” issue.
Disclaimer: This is my own personal take on the whole situation. You do need to undertake due diligence if you have any doubts about whether your data contains data that could be considered personal or sensitive, and obviously you need to understand what personal/sensitive data actually means in the originating country.
There are a number of regulations in various countries that cover where you can store specific types of data, such as personal data. In the UK, for example, the Data Protection Act 1998 says that:
“Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”
In this case Personal data means data which relates to a living individual who can be identified –
- from those data, or
- from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
tries to explain what this actually means and what you can and cannot do. It indicates that you may transfer personal data to countries within the European Economic Area on the same basis as you may transfer it within the UK. However, you may only send it to a country or territory outside the European Economic Area if that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to processing personal data.
So it’s not black and white, and if you encrypt the data, partition it appropriately or anonymise it so it no longer fits the definition of personal data when at rest, then you can store it wherever you like. Many people, though, just fall back to the safe stance of not storing personal data outside of the EEA, as that is what they believe the Act states.
I admit that the regulations in the UK are a lot easier for me to understand, being from the UK, but I have struggled with German requirements before in my time, so I’m not saying this is easy, just that you need to put in a bit of effort.
My advice for end users is: find out what you are trying to protect, work out how you can store that data and read what the regulations actually say yourself. You may be missing out on using the right solution.
My advice to suppliers is: we Europeans want to try stuff out first too. If you aren’t geared up to provide services for those cases that need the data to be stored at rest on European soil, say so, but release anyway, as you have a market here too and the earlier you get in the better (we appreciate it too).