The law is cloudy on the data center’s responsibility for personal data and where it is held
The recent Ashley Madison data breach is shedding new light on the chaotic nature of international data location and protection rules. It suggests not only that you should be very concerned about who hosts your sensitive data, but also that data center operators should be seeking clarification on the law, or they may pay dearly for their ignorance.
Legal firm Pinsent Masons looked at the data protection laws in the aftermath of the Ashley Madison breach and found a number of anomalies in international legislation.
European Union law
There are doubts, for example, about whether the incident would be classed as a breach of the data security requirements under EU data protection laws. There are also doubts that the data protection authorities in the EU would have the jurisdiction to take action against Ashley Madison if they wanted to. This has raised fears over the legal position of data center providers who host similar types of sensitive information.
The EU’s Data Protection Directive states that personal data processors must adhere to local national data protection laws. As far as the EU is concerned, if a data center owner operates across multiple territories, it has to abide by the strictures of each individual country. So Ashley Madison’s Cypriot jurisdiction was questionable from the start.
Investigations in Canada and Australia
Both the Canadian and Australian governments have launched investigations into the Ashley Madison affair because of the global nature of the breach. They want to find out what they could do in the event of Ashley Madison having committed an error.
Pinsent Masons points out that until recently, it has been the accepted norm that consumers who do not incur financial loss from a breach of data protection laws by businesses are not entitled to compensation. A ruling this year by the UK Court of Appeal altered that, meaning that people who experience distress, but no financial harm, as a result of a data breach can raise a compensation claim. That judgment is, however, currently under appeal.
If each UK user of Ashley Madison were to claim $900 in compensation over the breach, the company could incur costs of up to $1 billion.
That liability would account only for compensation to UK customers. It has been reported that users of Ashley Madison are being invited to join class action lawsuits in the US against Avid Life Media, its owner.