The Data Protection Directive (officially Directive 95/46/EC) regulates the processing of personal data within the European Union and also provides the criteria for Safe Harbour privacy for companies operating within the European Union. The Safe Harbour regulations forbid sending of customer’s personal data to countries outside the European Economic Area unless there is a guarantee that it will receive adequate levels of protection. There are no Safe Harbour considerations for EU companies with services deployed to Scotland while Scotland is part of the UK and when Scotland has become independent of the UK and joined the EU as an independent country. However there may be a period of time between Scotland becoming independent and joining the EU (as an independent country) when Safe Harbour requirements really matter. At this time no EU company will have a Safe Harbour agreement with the newly independent Scotland. Therefore any company with Identity Stores (or business systems containing personal data) deployed in Scotland will be in breach of the Data Protection Directive.
The Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data is a European Union directive which regulates the processing of personal data within the European Union.
The Criteria for Safe Harbour privacy are incorporated into the Directive and subsequently companies operating in the European Union are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will receive adequate levels of protection.
Various news reports from Manuel Barroso, President of the European Commission, have suggested that Scotland may find it difficult to join the EU. This may by corollary make it difficult for Scotland to immediately remain as part of the European Economic Area.
What does this mean for private data hosted in Scotland?
It is highly likely that hosting providers with physical infrastructure in Scotland will need to determine which customers are EU customers and migrate all of these users to an EU safe harbour before the independence referendum. If Directive 95/46/EC were enforced with strict liability then this preparatory migration (before the independence vote) would be the only sensible risk mitigation.
It would be impossible to move all data from Scottish physical hosting infrastructure before the 18th September 2014. Therefore organisations should consider what data they have hosted in Scotland and which data is most critical for migration following the seven principles of Safe Harbour law.
Guidance on this subject from the UK Information Commissioner’s Office has so far been missing.