Storing European User Data on USA Servers? Better read this…

Exec summary: If you are storing European visitor data on servers based in the USA (most busy WordPress sites are), you are exporting “personally identifiable information”, or PII, of users in Europe to the United States. European law does not allow exporting of user PII unless companies can demonstrate they will protect European users’ privacy and data. About 15 years ago the USA and Europe came up with the US-EU Safe Harbor agreement, which has allowed US companies to store European data legally. The agreement was invalidated by the European courts last week.

That means that if you store the PII of European members on your WordPress site on servers based in the United States, you may be open to lawsuits from Europe, although the impact of the decision is unclear at this point.

We recommend that you find out if your hosting provider or cloud host provider is aware of this change in European law governing data stored in the USA and what they’re doing about it. Your hosting provider may (like Amazon) already have agreements with member states in the EU that cover this change in European law.

If your hosting provider can’t provide clear guidance, monitor news about this issue over the coming weeks as it becomes clear what impact the European court decision will have. The rest of this article has more detail on what “safe harbor” is, why the change occurred, how larger companies are dealing with this issue and the options for smaller businesses at this time.

Full article:

Europe is considered to have stricter privacy laws than the United States. Companies operating in Europe are not allowed to send users’ personally identifiable information (PII) outside Europe unless that data is adequately protected. Once that data is outside Europe, it can’t be shared with another company or organization unless that organization has also demonstrated that it will adequately protect the data.

In the late 1990s, the European Commission worked with the United States Department of Commerce to develop international safe harbor privacy principles that would allow US-based companies to transfer customer data to the USA and store it, as long as they provided adequate protection for that data.

Their work resulted in what is known as the “US-EU Safe Harbor” program. The US Department of Commerce has been providing a streamlined process that allows companies to self-certify that they are in compliance with the program. Once certified, companies fall under the protection of the Safe Harbor agreement. You can find out more about this program on export.gov.

Last Tuesday the European Court of Justice held the US-EU Safe Harbor program as invalid. The effects of this are still being interpreted, so there is no need to panic if you are running a website and storing European customer data in the USA. We’re going to discuss why US-EU Safe Harbor was ruled as invalid and what this could mean going forward for site owners and publishers who store European member or customer data.

How Did Safe Harbor Get Invalidated?

Former NSA contractor Edward Snowden’s leaks revealed that the US National Security Agency was spying on data held by American companies that belonged to EU citizens. An Austrian student, Max Schrems, filed a complaint against Facebook with the Irish Data Protection Authority. Schrems claimed that Facebook was not sufficiently protecting user data because, as the Snowden leaks have shown, the NSA performs surveillance on technology companies.

His complaint was thrown out by the Irish Data Protection Authority. He appealed to an Irish court and the complaint was sent to the European Court of Justice (ECJ).

Last Tuesday, October 6th 2015, the ECJ came back and ruled that the US-EU Safe Harbor agreement is invalid because the US Government can access the data of European citizens and is not subject to the same safe-harbor standards as the companies storing that data.

This is an important verdict because the ECJ is making a clear statement that American companies can’t be trusted with user data because that data can be (and has been) accessed by the National Security Agency and other intelligence organizations. Those organizations are not held to the US-EU Safe Harbor standards when they gain access to European customer data, and therefore the entire Safe Harbor agreement is invalid. The ECJ has effectively dropped a legislative bomb on international data privacy.

What Does This Mean?

The legal and information security communities are still coming to terms with this decision. If you research the issue online you will find very little clear guidance as to where this leaves companies that are transferring customer data to US-based servers. In theory it may seem that transferring EU customer data to US servers now breaks EU privacy law and makes US companies subject to lawsuits from EU plaintiffs. If that were true, the number of companies that are potential lawsuit targets is large.

To get around this tectonic shift in privacy law, larger companies like Amazon are using “model clauses” which are individual agreements with EU member countries that give those countries assurances that the company is operating within legal limits with regard to data privacy. These are complex and expensive for businesses to implement and are not practical for smaller businesses.

The Amazon case is interesting, because one effect of Amazon having a ‘model clauses’ agreement is that if you are an Amazon Web Services customer and are using their services to store your customer data, you may be safe from this breakdown in safe-harbor. Here’s the quote from Amazon:

“With our EU-approved [Data Protection Agreement] and Model Clauses, AWS customers can continue to run their global operations using AWS in full compliance with EU law,” an AWS spokesperson said in an emailed statement. “The AWS DPA is available to all AWS customers who are processing personal data, whether they are established in Europe or a global company operating in the European Economic Area.”

The question remains, if you are hosting a WordPress website and storing European customer data in the USA, what should you do about this?

As you can see from Amazon’s statement above, if you are using a hosting company that has their own EU approved Data Protection Agreement with EU member states, then you may very well be protected already. We suggest you contact your hosting provider or cloud provider and ask them if they’re aware of this change and what they’re doing about it. You might also check their blog.

If your hosting provider doesn’t provide clear guidance, there are unfortunately few options available besides taking a wait-and-see approach. If you visit the US Department of Commerce Safe Harbor website, they have a statement on the home page that says:

On October 6, 2015, the European Court of Justice issued a judgment declaring as “invalid” the European Commission’s Decision 2000/520/EC of 26 July 2000 “on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.”

In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework. If you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel.

This in effect says “We aren’t sure how this is going to play out. We’re doing business as usual. Talk to your lawyer. We are talking to ours.”

So at this point if you are storing European customer data on US based servers, we would recommend that you continue to monitor this situation as it evolves. Over the next few weeks some guidance will likely emerge from the Commerce Department and we will hopefully be back to business as usual – where companies doing business in the EU can register for US-EU Safe Harbor and safely store customer data in the USA.

As always, we welcome your comments below!

Addendum: Does the Wordfence security plugin for WordPress store any PII on US based servers?

Wordfence is based in Seattle, Washington as are our servers. As you probably already know, we provide the most popular security plugin for WordPress. Wordfence does not transfer user personally identifiable information (PII) from the sites we protect to our servers in the USA or elsewhere.

The Wordfence security plugin performs most of its functions and data storage on the WordPress server we are protecting. It communicates with our servers based in the USA to get data like the latest URLs from the Google Safe Browsing list, to verify source code integrity and to check if a domain is a known source of spam or infections.

As part of its functions, Wordfence will occasionally transfer aggregated data to our servers for analysis when detecting spam, malware or attacks. This data cannot be used to de-anonymize a site visitor or member.

Comments

  • EU privacy law is far more strict than US law in terms of security for personal data.
    It would be preferable to store US user data on EU servers.
    We have moved our infrastructure to the EU since the beginning, knowing that privacy means a lot for our users, and all our user data is stored in the EU; this is a win-win situation.
    For us as a news provider because EU law is much more advanced in this matter, and for our users because EU law in terms of privacy is very unbalanced in favor of the users' rights.
    We really would like to thank our datacenter provider (eurhosting.net) because thanks to the advice provided they saved us a lot of trouble and some rough time to shift the infrastructure to the EU.

  • Thanks for this. Typically for the EU, it comes up with laws, drops them and leaves everything in the unknown. Not only regarding complicated laws like safe harbor is the EU showing its undecisiveness (is that an actual word?). ;-)

    • The problem is less that safe harbour was done and now is dropped. The problem is that for the US, multilateral contracts do not count very much. So for example the Patriot Act overrules privacy considerations of safe harbour.
      In the POV of European users, safe harbour is just a "fake" because it can in any specific case be dropped by the US gov.
      While the US Gov does not respect contracts, which are quite good for their economy (they sell lots of hosting via MS/Amazon), the EU should not drop its privacy statements.

  • So does this mean if I have been provided the name and email from someone in Europe via a capture page on my WordPress site, which is hosted in the US, that I am subject to whatever potential sanctions this ECJ ruling may initiate?

    • Hi Terry,

      I'm not a lawyer, but technically yes, that is my understanding of this situation. However this affects a huge number of organizations and individual site owners, so it's unlikely the ECJ will come after you any time soon. Also, as I mention in my reply to Beth, this may just be a negotiating tactic.

      Having said all that, US companies storing European data have been required to comply with US-EU Safe Harbor for more than a decade and have been. The whole agreement was just binned by the ECJ and this is a very important change. It's important that all site owners, individuals or companies keep an eye on this as it progresses.

      Mark.

    • Not necessarily. It depends if you did this as a company that has operations in the EU. So, for instance, Google, Amazon or Boeing might have a problem, while The Washington Post has not. The criterion is not whether you have trade with citizens in the EU, but whether you are operational in Europe, in the sense that you, or your subsidiaries, have offices in the EU.
      Although services you offer, or goods you sell to European citizens, have to abide by EU Law, that doesn't mean your US offices need to comply with EU Law.

      The reverse is also true. So a European company can sell US Safe storage to US based entities, yet as long as they don't actively operate in the US, the US Laws regarding access to personal data by the authorities.

  • This discussion seems to apply only to "companies." Does the ruling have any impact on non-commercial bloggers with WordPress installations that store, for example, the email addresses of followers or commenters?

    • Hi Beth,

      I'm speculating, but I'd say that companies and large organizations are the likely targets of any legal action from the EU on this. So while it does technically impact individual site owners, it's (in my opinion) unlikely they'll be the first targets. I'd also add that based on the news we're seeing this morning (see The Register article I linked to in the post) this appears to almost be a negotiating tactic by the EU to force the US to the table regarding data privacy and surveillance.

      Mark.

  • This new law is probably not possible to follow for many website owners. I am inside the EU and this new law is just too much ... my server is in the US.

    • Hi.
      I see no problem here.
      What keeps you from switching to European hosters?

    • Anne, it's advisable from a site user and SEO point of view, to try to use hosting located in the country that your site is aimed at.

      If your site visitors are in the EU, the load speed of the site could be affected by using US hosting and Google takes load speed into account in its ranking algorithm, even if it doesn't care about location in terms of its algorithm.

      I would always advise sites targeting UK audiences to use UK web hosting. Not only is this better for the site user, but it will also comply with EU rules on data privacy.

      It's something to bear in mind when starting a website!

  • Sorry, but the guy that filed the complaint is a complete idiot seeking media attention. Safer data in Europe is absolute nonsense. How naive to think that data isn't swapped anyway between the EU and the USA. All this is, is nothing but giving all of us more headaches. Unnecessarily.

    • So you know this guy Max Schrems?
      So you've followed all the steps he made?
      So you know how hard it is to get to the highest European court?
      As a one-man army?
      The guy is around 26 years old and a law student. FYI.

      The judgment wasn't only about data safety but also about the possibility to sue US companies in Europe if they defy EU privacy law.
      That hasn't been possible yet.

      Privacy is a big thing here in Europe.
      Privacy rights are fundamental rights in Europe, stated in the "constitution" (EMRK).
      Your headache is other people's fundamental right.
      So who's right?

      • @souri - I just don't believe that German firms (I am a US citizen that resides in Germany) or any other European firm takes these privacy issues as serious or not as serious as US firms do.

        @Anon - I forget what shared hosting is these days, but I'll be sure to ask the big guys when I get a chance.

        • So you've never heard about cease-and-desist orders?

          It's like a sport in Germany!

          If you forget something in your imprint, you get a cease-and-desist order.
          If you don't inform your users about their privacy rights, you get a cease-and-desist order.

          If companies don't take privacy laws as seriously as they should, they have to pay. That's happening right now.

          Privacy is a big thing.
          For example:
          If you're residing in Germany then you probably know that the data retention law was wiped away by the CJEU.
          Why? Because the data retention law breaks the fundamental right to privacy.

    • It's okay Richard, let the big boys handle the real problems while you decide between HostGator and Gandi shared hosting.

  • Meanwhile, back in Gloucestershire the folks at GCHQ are ferreting about in the EU doing their own thing . . . Business as usual.

  • Does this ruling affect people using a CDN (content delivery network)?!

    If I build a WordPress website on UK hosting, but then run it on Cloudflare for example, is any PII passed around via the CDN?

  • I just run a personal website. I do have a few commenters from England. I don't do any business of any kind from the site.

    Should I be worried?

  • Interesting, sounds like a simple solution. In your privacy statement you post that anyone from the EU takes full responsibility for providing any personal information on the blog, will be prosecuted to the fullest extent of the European law, be liable for any costs involved in legal fees, returned products, charge backs and any other financial or legal damage. If you do not like this restriction do not buy our products or do not post information, or contact your authorities and work to screw their head back on correctly. PS. I think the US laws are just as stupid. If you do not want people to have your information, do not post.

    • It's not that easy:

      The second big issue with consent for services that have effectively become a utility for many users is the requirement that consent must be “freely given”. If a user has the option to only save his fundamental right to privacy if he loses all his contacts, pictures, personal messages, postings, emails and so on, he will not make a “free” decision to waive his fundamental rights, but make this decision under severe pressure. So a user does not freely ship his data to the NSA, but only does so to not be “cut off” from one of the most common communication tools of the younger generation.

      http://www.europe-v-facebook.org/EN/Complaints/PRISM/Response/response.html

  • Hi there, just to make sure after reading the addendum. Do I run into a potential problem when using the Wordfence plugin on a WordPress blog that is hosted in Europe? Do I need to add something into my "impressum" to inform my blog visitors that I am using Wordfence? Do I need to actively ask for their permission to accept that I am using Wordfence?

    • @Thorsten No, you don't need to do any of that. Sorry, I thought the Addendum was clear enough. We don't store PII, so at least as far as Wordfence goes, you don't need to worry about this issue. However, your own website probably does store your registered users' PII and that is what we're discussing in the article.

  • Hello,

    As a web hosting company in Canada how does that apply?

    I don't see any reference to Canada in this debate, could any US hosted sites simply move North of the border (East if in Alaska) ?

    Thanks,
    Rob Turner

  • If a user requests information from a server hosted in the US, who is transferring the request including the information contained in the request to the US? The user who asks the server in the U.S. for any information, or the server which kindly answers the request?

  • On the subject but a different sub-topic, I've implemented the EU Cookie JavaScript. Apparently US Google AdSense website owners can expect to get customers from the EU surfing your pages. Google wants folks to provide a cookie JavaScript that will pop up quoting something to the effect that this site uses cookies, if this is okay with you click OK, along with a Learn More button that goes to a "Privacy" policy that explains cookies as directed by the EU Cookie law, or has a dedicated "Cookie" page along with all the other legal pages we have on our site.

    For anyone interested in learning more, here are some of the URLs. (may have to copy-paste)
    European Cookie Consent Kit:
    http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm#section_4

    Google Blogger Help: https://support.google.com/blogger/answer/6253244?hl=en&ref_topic=3339243&vid=1-635782101649628041-2112878383

    This is my favorite way of doing it, there are other ways:

    https://www.youtube.com/watch?v=5ZAo19LWlu0

  • I would be interested to see how this affects Australian hosting since this week the 2 Year data retention bill passed through the Senate. Meaning that for all hosting in Australia, the data is now searchable by companies that can do so.

  • Well, let me jump into this matter.
    I am Dutch and I am a member of several Dutch forums, but I live in California.
    I have my own website and emails that are hosted with Hostgator.com.
    My weblog is internationally oriented, but is not a commercial one. I just do research in the field of genealogy and I found family members living all over the world.
    These members are helping to find others.
    Do you think I care what the rest of the world thinks?

  • Hi,

    European privacy laws are indeed very strict. First it was just about telling your European visitors about the use of cookies and now this whole "data" thing. In my opinion, it will be very difficult to follow this law as no matter whether your site is small or big, you will somehow end up storing data from European countries. It will mainly affect the big sites, but the axe can also fall on your gardening blog if just a single grandma from Europe leaves a comment on your article (you'll get her name and email address, which is private data).

    Don't you think this is the kind of matter which should get resolved by the "Countries"? Why should we webmasters pull our hair out for this?

    Regards,
    Bharat

  • Just want to add that it will be better to wait some time and see what shape these new changes will take. I'm not sure whether or not my hosting provider (hostgator) has any agreement based on these changes, but if they don't have one then as a temporary solution I'll just disable the comments for European visitors, as comments are the only way through which I can get personal data from them. Now the only thing I have to do is to find a way to disable comments based on geographic regions, but I think it has a drawback (what if someone is using a proxy or sites that allow you to use the IP address of other countries)? Another alternative which is coming to my mind is to use a commenting system like Disqus etc. In that case personal data stored (at the time of comment submission) will be on the Disqus server and not my hosting provider's server.

    Sorry, if I don't make sense and for the broken English but these are all the thoughts coming to my mind.

    Thanks,
    Bharat

  • Why do you want to obey these illegal laws. The EU and the US do not have jurisdiction over the internet and if a person voluntarily gives their information to anyone that is not government business ever. If you obey these illegal laws you are granting power to these governments over your information and how you use it. I for one will not acknowledge this illegal government takeover of my information. This is nothing short of communism.

  • There's a difference between "it’s" and "its". How hard can it be?!

  • This is also kind of a trade barrier for data storage services, and the whole thing might be in a way connected to the TTIP negotiations.
    Maybe it is better to wait and see how that works out. But surely there is a difference between acquiring data, the location where the data are acquired, and transferring data out of the EU which have been acquired inside the EU.
    So it might be a different story if you host a server in the US, or outside the EU, or if you move a server which used to be hosted in the EU to an outside location including data of blog members etc.
    The same goes for mailing lists etc. And I believe this is not only about privacy. EU governments want for example to keep accounting data within their jurisdiction, so that they can access them in case of a tax investigation etc. It is just convenient for them to say privacy, but in fact it is their own access to the data as well.
    Germany cries foul if someone collects metadata from phone calls, but they take pictures of each and every car moving on their highways in the guise of enforcing toll payments for trucks.

  • What this has clearly demonstrated is that there is a distinct lack of clarity to any and all of this. Far too many unanswered questions in the thread with a lot more to come I'm sure.

    This is something that Governments need to agree globally, but in such a way that they don't compromise our personal data. There is a difference between collecting data for the purposes of doing business with people who you know and harvesting data for whatever purpose you decide, no matter whether you have the agreement of the individual or not.

  • Oh dear, I hate these laws made by people that probably don't understand the dynamic of a globalized world... or in fact they understand it very well and prosecute the possibility to earn some extra cash in taxes and fees...

    Example 1: If I run an ecommerce website hosted in a datacenter in South America, and aimed at people all around the world... When a German customer signs up and leaves his name and email, those data are stored in South America, BUT THE CONNECTION, the path followed by submarine cables, forcefully PASSES THROUGH USA territory (New Mexico, Houston, Florida, you name it), making it feasible to be spied on by a man in the middle. Does the new regulation affect us in some way?

    Scenario 2: On the same website hosted in South America, if our ecommerce gateway is PayPal, Braintree, Stripe, or whatever gateway with servers in the US, and an EU customer signs up with any of those US gateways, are we liable in some way?

    And what if we have 100% SSLed our website and connections are fully encrypted, even emails using SSL... are we still liable?

    For instance, if we host our ecommerce website in the US (and we are happy due to the low costs), should we block purchases from EU customers? (That is also regulated by an EU law, labeling such an action as discrimination.) Or shall we then create an EU division of our store, to be able to sell to EU people? (Hosted in Ireland, with minimal taxes, hehe.) I think the last one is, ultimately, what the EU is trying to... "encourage".

    Maybe I'm wrong, maybe I'm such an idiot. You tell me...

  • Mentioned this article in a Digital Ocean question on this issue and their servers. Have not had an answer yet to how they are dealing with it.