Data must be kept in the UK, it’s the law!

ID-10096562Take part in this quick quiz to see which of these statements is true.

1. “The 8th principle under the UK Data Protection Act says that data must be kept in the UK, therefore it is unlawful for me to use cloud services as my data might be transferred outside the UK.”

Not true. People have said this to me from time to time including just the other day at a cloud conference. The 8th principle allows transfers of data provided there is an adequate level of protection. You can transfer data anywhere inside the EEA (essentially the EU plus 3 good friends), to a country on the EU Commission’s list of safe countries including Safe Harbor or beyond if you add data protection clauses to the contract.

2. “I have to set up my EMEA operation from a German data centre otherwise I won’t get any German customers as they tell me their law prohibits data transfers outside Germany.”

Not true. A confused US provider recently asked me to verify whether what his German distributor had told him was true. As far as I’ve been able to ascertain (I’m no expert on German law), the Bundesdatenschutzgesetz does not say this any more than the UK Data Protection Act. It allows for the free flow of data within the EEA, just as the EU Directive requires.

3. “The EU Commission will abandon Safe Harbor so it is not possible to use US cloud.”

Not true. The EU Commission was so incensed at the scope of NSA spying that it threatened to abandon Safe Harbor. But that was more about getting the US to pay attention and has resulted in a commitment to improve Safe Harbor by this summer (see para 14).

4. “The EU Data Protection Regulation is designed to promote EU cloud and to block US cloud.”

Not true. While there is an EU initiative to promote a European cloud, this is separate to the Regulation which is intended to allow free flow of data in the cloud and across the globe provided EU data protection standards are maintained wherever it involves personal data of EU citizens. That’s if the regulation will ever be passed…

So, how did you do? Maybe you thought the whole thing was an April Fool’s joke? Many people misunderstand data protection but hopefully you spotted the untruths. For more info about keeping your data secure in the cloud, contact me.

Image courtesy of sheelamohan “Global Computer Network” /”


  1. Good commentary as always Frank. There is nothing wrong in using a cloud service with data outside the EU as long as the customer has done their diligence to ensure they are adequately protected by that vendor as it remains the customers responsibility to comply with UK and EU Data laws as the data controller. It is the customers prerogative to have their own opinion on their palatability to storing customer data overseas/in the USA and as to which sovereignty the data is held under. However they should do diligence to ensure they have a service contract that covers these definitions, responsibilities and where and how data is held. We have seen customers recently signing with USA cheap cloud firms seeing the fact there is no contract as an advantage and not as the huge legal disadvantage and risk it poses to them on the data they are holding with a provider with no contractual protection!


What's your view? Leave a comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.