TheJournal.ie has an interesting story today about where the various Irish Political Parties have their websites hosted. It’s an interesting story, but I must profess the view that the article confuses the issues of complying with Data Protection legislation and being patriotic and “buying Irish”.

The Data Protection Acts do not require that organisations processing personal data “buy Irish”. They do provide clear guidance and duties to ensure that, where personal data is moving across borders, it is doing so in a safe and secure manner.

The article on TheJournal.ie makes much of the fact that the Green Party’s website is hosted in the UK by the UK subsidiary of a Norwegian company, the implication being that this is a bad thing. It’s not, so long as the Green Party have taken the other steps necessary to ensure compliance with the relevant legislation.

Likewise, much is made of the fact that the Labour Party website is hosted in the UK. Again, this is not an issue, assuming that the Labour Party has ticked the rest of the boxes necessary for proactive Data Protection compliance.

The Country Issue

The simple fact is that there is no impediment to the transfer of personal data within the 27 Member States of the European Union, because we all have equivalent legislation that is based on the same foundation Directive, 95/46/EC.

So… given that the UK has their Data Protection Act 1998, which is governed by the Information Commissioner’s Office (which has issued this guidance to politicians), personal data can be transferred there without worry. In fact, given the recent raising of penalties for breaches of the Data Protection rules in the UK to stg£500,000, there is a big incentive for organisations to be in compliance with the law.

With regard to the UK subsidiary of a Norwegian company providing hosting services in the UK… that is a complex tangle which might look fishy but is actually perfectly legitimate for two simple reasons.

  1. The actual legal entity which is providing the hosting services appears to be a company incorporated in the United Kingdom, therefore the activities of that company will be governed by the UK Data Protection Act 1998, which enacts 95/46/EC in the UK.
  2. Even if the hosting was being performed in Norway, this would actually be perfectly legal as Norway is one of the 3 non-EU members of the European Economic Area. Membership of this “club” requires that Norway have enacted legislation that meets the requirements of Directive 95/46/EC.

The Journal points out that both Fianna Fail and Fine Gael have their websites hosted in the US by US political campaign platform providers, Blue State Digital and Electionmall.com. The US is not a member of the EU or the European Economic Area. For most purposes, personal data can be transferred to the US only where the Data Processor is registered with the EU/US Safe Harbor scheme, or where there is a contract in place that uses the EC approved “Model Contracts”.

Neither Blue State Digital nor ElectionMall has a current listing on the Safe Harbor list. One can only assume that the two main political parties have managed to secure agreements with their service providers that incorporate (without modification) the Model Contract clauses.

The Fairness and Transparency Question

Of course, just because the transfer of personal data to hosts in the UK or elsewhere in the EU and the EEA is legal doesn’t mean it is transparent. The “Privacy Statement”, which is a legal requirement for websites which are processing personal data, would address this because it gives an opportunity for the Data Controller (the “owner” of the site) to communicate where data is being processed, why, and what controls and governance are in place. The guideline is to include a level of information necessary to make the obtaining and processing of the personal data fair.

Conclusion

Personal data doesn’t need to be processed in the country that the Data Subject, the Data Controller, or the Data Processor are based in. The legislation was drafted to facilitate the safe and transparent processing of data, including the transfer of data across borders. However, organisations who act in ignorance of the legislative controls and seek to dismiss their obligations (as Fine Gael have attempted to do in their comments to TheJournal.ie) risk serious damage to their brand image.
However, even where the Parties have done things right there remains a question for them of whether they have done the right thing. That, however, is not a Data Protection Compliance issue.