Do you know where the server which is delivering these pages to you is located?
Although we can – by inspecting the IP address and looking that up to see which country it was allocated to – check the location of a server to which we connect, none of the major services actually tells us. If you do take the time and trouble to check locations, there are some surprises.
First of all, services which have both .com and .co.uk domains usually serve both from the USA – this is true of both Apple and Google. There is nothing wrong or illegal with that, but the intention of national elements in domain names was to aid location. Furthermore, some services appear in unusual locations: spotify.com and spotify.co.uk both point to servers in Sweden, and twitter.com points to servers in Ireland, although twitter.co.uk locates to the USA, and apps such as Tweetbot use US Twitter servers.
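The look-up described above (take the IP address a hostname resolves to, then find which country the address block was allocated to) can be done against the statistics files that the regional registries publish. The following is an added example, not code from the original post: it parses the registries' delegated-file line format (registry|cc|type|start|value|date|status) and does a longest-prefix match. The entries embedded in it are constructed from documentation address ranges, not real allocations, so that it runs offline; the optional `locate_host` helper is the only part that touches the network.

```python
"""Map an IP address to the country its block was allocated to.

Added example (not from the original post). The line format is that of the
RIR delegated statistics files; the records below are CONSTRUCTED from
documentation ranges (192.0.2.0/24 etc.) and are not real allocations.
"""
import ipaddress
import socket
from typing import List, Optional, Tuple

Record = Tuple[ipaddress.IPv4Network, str, str]  # (network, country, registry)

# Constructed sample in delegated-file format: a version header, a summary
# line, then one record per block. For ipv4 the 'value' field is the number
# of addresses in the block.
SAMPLE_DELEGATED = """\
2|ripencc|20240101|3|19830705|20240101|+0000
ripencc|*|ipv4|*|3|summary
ripencc|SE|ipv4|192.0.2.0|256|20100101|allocated|CONSTRUCTED-SE
ripencc|IE|ipv4|198.51.100.0|256|20100101|assigned|CONSTRUCTED-IE
arin|US|ipv4|203.0.113.0|256|20100101|allocated|CONSTRUCTED-US
"""


def parse_delegated(text: str) -> List[Record]:
    """Return (network, country_code, registry) for every IPv4 record.

    Header and summary lines are skipped. A block whose size is not a power
    of two is split into the CIDR networks that exactly cover it.
    """
    records: List[Record] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7 or fields[2] != "ipv4" or fields[1] == "*":
            continue
        registry, country, _, start, value = fields[:5]
        first = ipaddress.IPv4Address(start)
        last = first + (int(value) - 1)
        for net in ipaddress.summarize_address_range(first, last):
            records.append((net, country, registry))
    return records


def country_of(ip: str, records: List[Record]) -> Optional[Tuple[str, str]]:
    """Longest-prefix match: return (country, registry) or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Record] = None
    for net, country, registry in records:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country, registry)
    return (best[1], best[2]) if best else None


def locate_host(hostname: str, records: List[Record]) -> Optional[Tuple[str, str]]:
    """Resolve a hostname (needs network access) and look its address up."""
    return country_of(socket.gethostbyname(hostname), records)


if __name__ == "__main__":
    recs = parse_delegated(SAMPLE_DELEGATED)
    for probe in ("192.0.2.77", "198.51.100.9", "203.0.113.1", "10.0.0.1"):
        print(probe, "->", country_of(probe, recs))
```

The result is the country the registry recorded for the allocation, which is what the post's check relies on; it is not proof of where the machine physically sits, since an operator can announce an allocated block from any data centre, so treat it as a pointer to be corroborated rather than a fact about the server.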
According to EU and national data protection laws, requirements for compliance are determined according to whether a service operates from wholly outside the country or the EU. So Ashley Madison, which did not have any UK or EU office, operated outside the UK’s Data Protection Act (DPA) 1998, and the EU directive on data protection.
The ever-helpful (and I fear ever-optimistic) UK Information Commissioner’s website explains in detail how UK law works for transfers of protected data outside the UK, and the same applies more generally across the EU. The basic law states quite clearly:
“Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
(The EEA being the European Economic Area, the countries listed on that ICO page, which includes the UK, Sweden, and Ireland.)
The list of non-EEA countries which have been agreed as providing suitable protection is surprisingly short, and does not actually include the USA. However, when data is handled in the USA under the ‘Safe Harbor’ scheme, it is deemed to be suitably protected as far as the EU is concerned.
Recall that of the three services whose privacy policies I examined, neither Google nor Spotify mentioned the ‘Safe Harbor’ scheme, nor whether they complied with it. Also recall that both Google and Spotify admitted that personal data would be processed in other unspecified countries, and that Spotify actually stated (in BLOCK CAPITALS!):
I can therefore only conclude that, according to what they tell us in their privacy policies, Google may well be in breach of UK and EU law, and Spotify admits to being in breach of it. I welcome evidence to the contrary.
The EU approach to the delivery of online services has now changed, and all those services which deliver paid-for intangible products now have to charge sales tax (VAT etc.) according to the EU state of delivery, and pay such tax to the individual states. Thus EU law now recognises that intangible services should be governed not by the location of the server(s), but by the point of delivery.
As consumers do not know which state any given service is being delivered from, and it is not easy to determine what protection is provided to their personal data, there is a very simple solution which follows from practice with sales tax: EU data protection legislation must now determine applicable law not by whether a service chooses to have an office in any given country, or which EU state it wishes to operate from, but according to the point at which the service is delivered.
And above all, services such as Google and Spotify must be brought to comply with EU law, and to explain to us properly how they so comply.