The Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data is a European Union directive which regulates the processing of personal data within the European Union.
The Criteria for Safe Harbour privacy are incorporated into the Directive and subsequently companies operating in the European Union are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will receive adequate levels of protection.
Various news reports from Manuel Barroso, President of the European Commission, have suggested that Scotland may find it difficult to join the EU. This may by corollary make it difficult for Scotland to immediately remain as part of the European Economic Area.
What does this mean for private data hosted in Scotland?
It is highly likely that hosting providers with physical infrastructure in Scotland will need to determine which customers are EU customers and migrate all of these users to an EU safe harbour before the independence referendum. If Directive 95/46/EC were enforced with strict liability then this preparatory migration (before the independence vote) would be the only sensible risk mitigation.
It would be impossible to move all data from Scottish physical hosting infrastructure before the 18th September 2014. Therefore organisations should consider what data they have hosted in Scotland and which data is most critical for migration following the seven principles of Safe Harbour law.
Guidance on this subject from the UK Information Commissioner’s Office has so far been missing.