Our guest blog post today is by Danny Dagan (@E_D_Dagan), a Senior Web Strategist at a leading WordPress agency 10up. Danny graduated from Birkbeck Law School, University of London, and has written a dissertation about the new EU data protection regime. As part of his role at 10up, he works with clients on large-scale, mission-critical digital projects, often having to consider how organisations can protect the personal details of their customers in a compliant way.
WP Engine takes data protection seriously, both in our compliance efforts and the ways in which we secure all user data through encryption and other best practices in security. To that end, we’ve recently established a governance, risk, and compliance team within our security organization to address compliance-related activities. Given the responsibility to secure the data of EU citizens and residents, we asked Danny to share his perspective on four data protection questions we hear frequently from customers.
Q: Your company hosts personal data of EU citizens and residents in your country. Do you have to store these in the country of those citizens and residents (for example, does data of Dutch citizens need to be stored in the Netherlands only)?
A: You do not have to store personal data of your users in their own country. As long as this data is stored within the EEA (that is, any European Union country plus Iceland, Liechtenstein and Norway), then you are compliant. The law on the protection of personal data in the EU has been harmonised for many years, and will become even more so when the new EU data protection regime comes into force in May 2018. The idea is that because the law is the same for all EU countries, it allows the free movement of personal data between these countries, protected by the same rules.
Q: Can you store the data of EU citizens and residents outside the EU?
A: You can, but this is a complex area that requires you to do a little bit of homework, because it depends on the country and the hosting company you work with. The underlying principle is that the data you store should be hosted and processed to a standard that, at the very least, conforms with EU legal requirements. There are several methods of achieving this, the most common of which are:
a. By hosting customer details in one of the countries that the EU deems has ‘adequate’ protections for personal data. The list is fairly short, and currently includes: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
b. By using standard contractual terms approved by the EU that effectively mandate the hosting company you work with complies with EU data protection rules.
c. In the USA – you need to ensure your hosting company is signed up to the Privacy Shield framework (the new system that replaced ‘Safe Harbour’). Note that there are currently some legal challenges to the Privacy Shield, but at the time of writing it is still your best method to ensure you can host customer data in the US.
Overall, your best bet is actually to host your customer data in the EU. If you have a mixed US and EU customer base and would like to host your data in the US, check with your hosting provider that they have registered with the Privacy Shield programme.
WP Engine says: WP Engine is registered under Privacy Shield and has data centre locations across Northern America, Europe and Asia. It also has a Governance, Risk and Compliance team who are able to provide guidance on specific client requests.
Q: I hear there is a new data protection law in the EU. How will it affect my company?
A: The new EU Data Protection Regulation will come into effect across the EU on 25 May 2018. It will tighten standards and responsibilities of companies in how they treat the personal data of individuals. Some noteworthy aspects of the new law:
- It will allow the imposition of fines of up to EUR 20 million or 4% of annual worldwide revenue for breaches.
- You will have to inform your data protection authority within 72 hours of a data breach, and your customers if the breach is serious.
- Requirements will be tightened about the collection of personal data, and consent for such collection must be specific, informed and unambiguous (and pre-ticked boxes or inactivity will not constitute consent).
The best way for a company to prepare for the new law is by auditing the way it collects and handles personal data, and putting in place a compliance plan. If you are a smaller company, make sure you have read up on the new law and taken steps to comply. Larger organisations will likely wish to run a compliance project, hiring a specialist resource to help.
For a more detailed explanation of key aspects of the new law and how to approach it, see my presentation here (given in Holland, but relevant to any EU country).
Q: Will this new law also apply in the UK, considering Brexit?
A: It is almost certain that the new law, or a similar set of rules, will apply in the UK post-Brexit. This is because the new law will come into effect in May 2018 while the UK is still part of the European Union. The UK government has signalled that it will keep existing EU law upon Brexit, and only then start repealing legislation.
The UK will also want to ensure British companies are able to store the personal data of EU nationals, so it is unlikely to water down standards. This view was reinforced by the UK’s Data Protection Commissioner who said: “The fact is, no matter what the future legal relationship between the UK and Europe, personal information will need to flow.”
Please note that this blog post is made available by WP Engine for educational purposes only as well as to give you general information and a general understanding of the law but not to provide you with specific legal advice. By using this blog, you understand that the opinions expressed by Danny Dagan are his alone. This blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state or country, and WP Engine is not responsible for the accuracy of any of the information supplied by Danny Dagan.