A great question posed at this morning’s #ebizemail workshop referred to our obligations under the UK Data Protection Act, and how the use of a US based Email Service Provider meant that data would be ‘transferred’ out of the European Economic Area (posing a security risk and threatening legal transgression).

Using Swiftpage, Mailchimp, Constant Contact, iContact or one of the many other US based Email Marketing engines is hugely attractive to small business; not merely because of the low cost and huge power of these tools, but also because the US CAN-SPAM law has forced these systems to operate only with the highest level of integrity. The product of conformance with strict legislation and high standards has meant that these systems have achieved a ‘white listed’ status that often results in improved deliverability; in these circumstances internet mail hosts ‘trust’ the sending server as part of a legitimate business communication mechanism rather than a source of grungy unwanted spam.

However, if the Data Protection Act requires that “Personal data shall not be transferred to a country or territory outside the EEA (European Economic Area) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”, are we breaking the law when adopting these systems?

Initially (and for good reason), we are duty bound to consider whether the ESP is maintaining the data in a secure environment on our behalf (especially where Contact data is maintained within a server environment outside the EEA). Users might consider the levels of encryption provided by the leading ESPs to meet the requirements of the Data Protection Act*. Together with their track record of diligence and data protection, driven partly by legislation but largely by market forces, the ESPs present themselves as a very ‘safe haven’ for sensitive Contact data. Even though many ESPs are US based, a number of them claim to “retain a law firm in the UK to consult on EU privacy issues”.

The 8th Principle of the Data Protection Act however, refers not to the standards maintained by the ESP, but to the level of protection (of the rights and freedoms of data subjects) provided by the Country/Territory to which the data is transferred.

Problem: The United States of America has no comprehensive data protection legislation.

Workaround: The US Department of Commerce developed a “safe harbour” system in consultation with the European Commission. This offers a method by which US organisations can meet the requirements of EU directives on Data Protection (including the UK Data Protection Act). Organisations who sign up to the scheme are certified as offering ‘adequate’ protection (and this has been approved by the EU Commission), thus enabling transactions between those organisations and European organisations to proceed smoothly and within the law. It’s probably worth checking therefore, whether your US based ESP has subscribed to “safe harbor”.

In the case of many ESPs, this is most certainly the case. Swiftpage (for example) states that “In accordance with our commitment to protect personal privacy, we adhere to the principles of the Safe Harbor Framework as developed by the U.S. Department of Commerce in consultation with the European Commission”.

Notwithstanding the above, also important to consider is whether the use of a US based ESP actually constitutes a ‘transfer of data outside the EEA’.

What is a transfer?

According to the Information Commissioner, a transfer involves sending personal data to someone in another country. A transfer is not the same as the transit of information through a country. This principle of the Data Protection Act (regarding data transfer outside the EEA) will only apply if the information moves to a country, rather than simply passing through it en route to its destination.

Example:

Personal data is transferred from country “A” to country “B” via a server in country “C”, which does not access or manipulate the information while it is in country “C”. In these circumstances the transfer is only to country “B”.

In conclusion therefore, I’d suggest that – although it appears to be debatable whether a transfer of data has actually occurred – when using the services of a US based ESP, one should establish that the ESP has subscribed fully to the ‘safe harbor’ scheme. I’d want to feel comfortable that my chosen ESP is switched-on to the European and UK legal position, and able to clearly demonstrate a commitment to subscriber protection and the provision of a total quality service. In these circumstances, not only is legal exposure minimised but equitable levels of corporate social responsibility may be maintained.

* An example of ESP security: MailChimp delivers about 1.75 billion emails per month for more than 890,000 users. Data Centres manage physical security 24/7 with biometric scanners. User account passwords are encrypted. Mailchimp’s own staff can’t even view them. If you lose your password, it can’t be retrieved – it must be reset. All login pages (from the website and mobile website) pass data via SSL and have ‘Brute Force protection’. The company performs regular security penetration tests, using different vendors (for a “2nd opinion”). The tests involve high level server penetration tests, in-depth testing for vulnerabilities inside the application, and social engineering drills. All new employees on teams that have access to customer data (such as tech support and engineers) undergo criminal history and credit background checks prior to employment.

3 Responses

  1. GLComputing says:

    Would be worthwhile looking at how this would apply to the new Sage ACT! 2012 Connect?

    I must see how it would apply here in Australia…

  2. uklgweb says:

    Hello, It was me that posed the question. I asked from the perspective of my previous experience as a local government web manager and data protection officer.
    I’m aware that local government has a somewhat ‘over protective’ view of these things. The reason being that local government is regarded as having deep pockets and therefore is a likely target for the Information Commissioner to have a swipe at – to make the case law you mentioned (the lack of) yesterday.

    I had a number of organisations change their attitude on hosting council services when I brought this up with them with lots of scurrying around and new hosting arrangements made.

    It’s complex (as your article makes clear) and not really black and white; typical of so much that the ICO deals with. But if you want to be really squeaky clean then I suppose you have to comply and not host outside of the EEA – to check whether or not your hosting/supplier is signed up to safe harbour agreement.

    I realise that an attack on the average small business “Fred in a shed” type of size from the ICO is less likely. The ICO is not well staffed and to make case law against “Fred in Shed” would seem overbearing.

    As to the niceties of discussing if the data was passing through or was moved: You provide e-mail addresses to sit on a machine in the USA. I don’t see that as ‘passing through’.

    It seems like so many things in life you make a choice and take a risk or don’t.

    Peter Barton
    peterdbarton@gmail.com
    Former Head of Web and Information Governance
    Lincolnshire County Council
    UK
