Companies Open Data Centers Abroad to Comply with Cybersecurity Rules
UPDATED: Aug 21, 2017
Apple recently announced plans to open its first data center in China, in order to comply with a new Chinese data security law.
As the New York Times reported, the Chinese law requires that companies that process the data of Chinese consumers store that data in China.
The Times reports that many other U.S. companies, including Amazon, Facebook, and Microsoft, are also spending billions of dollars to build data centers in places like France, Germany, and the Netherlands.
These data centers serve practical purposes and meet legal requirements.
Users can access and process data faster when they’re physically closer to the servers on which it’s stored and processed.
Also, the EU (along with China and other countries) is exerting more and more control over how local citizens’ data is handled, in order to protect their privacy.
Unfortunately, some of the new laws are unclear. They’re also in flux, which makes things even more challenging.
As I reported in this blog post, a 27-year-old who had been studying law for a semester in the U.S. launched a class action in Vienna on behalf of 25,000 Facebook members, claiming that Facebook had violated their privacy rights.
The young Austrian lawyer, Max Schrems, filed a complaint about Facebook’s Irish subsidiary in 2013, trying to prohibit Facebook from transferring user data from Ireland to the U.S.
The complaint was based on the EU data privacy law, which didn’t allow data transfers to non-EU countries unless the company making the transfer could guarantee “adequate protection” for the data.
Schrems was concerned about data privacy in the wake of the U.S. PRISM surveillance program — a program run by the National Security Agency (NSA) to collect and analyze data from at least nine major U.S. internet companies in order to search for evidence of criminal and terrorist activities.
The case led to an EU decision that the then-existing “Safe Harbor” framework for data transfers between the EU and the U.S. was invalid.
A new EU-U.S. “Privacy Shield” program was adopted in July of 2016.
This new arrangement imposes stronger obligations on U.S. companies to protect the personal data of consumers in the EU.
The U.S. Department of Commerce and Federal Trade Commission (FTC) enforce the new rules.
U.S. companies have to register to be on the Privacy Shield list and self-certify that they meet its requirements for data protection. They have to renew this registration every year.
Information on how a U.S. company can join the Privacy Shield program is here. Certification costs only $50 per year, but there is a fair amount of paperwork involved.
The Department of Commerce monitors privacy policies to confirm that companies are in compliance.
The EU also provides model clauses that may be used in contracts in which data is to be transferred from the EU to non-EU countries (including the U.S.).
As more U.S. companies deal with customers all over the world, they need to be aware of — and comply with — international rules for data privacy.