The recent Ashley Madison data breach is shedding new light on the chaotic nature of international data location and protection rules. It suggests not only that you should be very concerned about who hosts your sensitive data, but also that data center operators should be seeking clarification on the law, or they may pay dearly for their ignorance.

Legal firm Pinsent Masons looked at the data protection laws in the aftermath of the Ashley Madison breach and found a number of anomalies in international legislation.

European Union law

There are doubts, for example, about whether the incident would be classed as a breach of the data security requirements under EU data protection laws. There are also doubts that the data protection authorities in the EU would have the jurisdiction to take action against Ashley Madison if they wanted to. This has raised fears over the legal position of data center providers who host similar types of sensitive information. 

According to Pinsent Masons, by signing up to the Ashley Madison website, users agree that their relationship with Ashley Madison is governed by Cypriot law and that Ashley Madison is based in Cyprus. The terms of use also specify that only the Cypriot courts have jurisdiction to hear cases brought against the company. This alone should have given users of the site cause for alarm.


Investigations in Canada and Australia

The EU’s Data Protection Directive states that personal data processors must adhere to local national data protection laws. As far as the EU is concerned, if a data center owner operates across multiple territories it has to abide by the strictures of each individual country. So Ashley Madison’s Cypriot jurisdiction was questionable from the start.

Both the Canadian and Australian governments have launched investigations into the Ashley Madison affair because of the global nature of the breach; they want to establish what action they could take if Ashley Madison is found to have committed an error.

Ashley Madison does have people based in the UK. However, it is less clear whether it has any facilities in the country which could be covered by the Data Protection Directive. It is also not clear that Ashley Madison can be said, for the purposes of the Directive, to be making use of equipment in the UK to process personal data. This could be as simple as using cookies or JavaScript banners to collect user information.

Pinsent Masons points out that until recently, it has been the accepted norm that consumers who do not incur financial loss from a breach of data protection laws by businesses are not entitled to compensation. A ruling this year by the UK Court of Appeal altered that, meaning that people who experience distress, but no financial harm, as a result of a data breach can raise a compensation claim. That judgment is, however, currently under appeal.

If each UK user of Ashley Madison was to claim for $900 in compensation over the breach, the company could incur costs of up to $1 billion.

That liability would account only for compensation to UK customers. It has been reported that users of Ashley Madison are being invited to join class action lawsuits against Avid Life Media, its owner, in the US.