Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Eighth Data Protection Principle, UK Data Protection Act 1998 (Schedule 1), which implements Article 25 of the EU Data Protection Directive 95/46/EC
We have warned in the past about checking that any personal data you transfer to non-European countries is handled in conformity with European data protection legislation. Data protection practices vary throughout the world, and we have to make any data gathering conform to European legislation and ensure that organisations in other countries that we deal with interactively agree to conform to European practice. For transfers to the US this has usually been done under the US-EU Safe Harbor framework, in which clients or suppliers self-certify that they will hold the data in a way that meets European requirements. You need to address this in any contractual agreement you enter into where data gathering will be part of the process.
However, in the last month things have been stirred up by the Norwegian data protection authority deciding that the use of Google Apps may not be lawful in Norway, and by implication elsewhere in Europe, because the US Patriot Act gives US authorities access to the data Google holds. See: Use of Google Docs or Google Cloud Services is illegal in Norway, Shaun Ellerton (18th February 2012). Of course it won't just be Google that presents a problem as a result of the act: any provider under US jurisdiction is subject to the same law.
More generally, the use of cloud services may pit the principles of Safe Harbor against the Patriot Act, which allows US law enforcement agencies to demand access to personal data held by providers under US jurisdiction; but the US is not alone in having such powers. See Clouds and Law Enforcement Access, Andrew Cormack (9th March 2012). That post also gives useful insight into progress on the proposed EC Data Protection Regulation, which was announced in January 2012 and will take a couple of years to become law.
Of course Google are no strangers to privacy controversy at the moment, and it appears that their privacy policy may itself be in breach of the Safe Harbor principles, which arguably demonstrates just how difficult these things are. Hawktalk (5th March 2012) sets out five areas of concern over these issues and, interestingly, uses the Leveson Inquiry's data protection example as a parallel case.
The mechanisms currently available for transferring personal data lawfully outside the EEA are summarised by James Lappin in his G-cloud update (18th February 2012), where he outlines Safe Harbor, the EC's model contract clauses and binding corporate rules as the routes most commonly used to satisfy the adequacy requirement.
Well, it seems that data protection is truly back on the agenda after a lull. We need to keep an eye on developments, as none of us wants to be found in breach: the consequences can be severe.