Red Herrings, Hosting, and Data Protection

I’ve written a new post over on my business website that looks at some of the issues that have been raised by in an article today. I won’t rehash the whole thing here – please follow the link to read the full post on the other site.

Suffice it to say, there is a big difference between compliance with EU legislation and taking business decisions based on patriotic motives or a desire to “buy Irish”.

The fact that various parties have their sites hosted in the UK is not a compliance issue per se – the UK is still in the EU and has equivalent legislation to us based on the same root Directive. Norway is a member of the EEA and as such has legislation that is derived from the same Directive as underpins our Data Protection laws (I may be the only person in the country who has actually READ the Norwegian Data Protection Act… it’s very similar in intent and execution to our own law).

A big issue is hosting personal data, including sensitive personal data, outside the EU or EEA or other “Safe Country” without any apparent controls in place, such as using a Data Processor who is registered with Safe Harbor and ensuring you have a written contract in place.

It is extremely wrong for anyone to claim that hosts don’t have to comply with the Data Protection legislation. They do. As Data Processors, their obligations are not as extensive as those owed by Data Controllers, but the relationship between the Data Controller and the Data Processor is critical to the end-to-end governance of Data Protection obligations.