• This is just a point of information for those who, like me, intend to provide services for their users which rely on plugins that transmit, process and/or store personal data on cloud/computers outside the EU.

    Background:
    I am building a website that will provide a Forum, but found, to my dismay, that several plugins offer Fora (and other service/s) that are hosted OUTSIDE THE EU (Talki, Bublaa, etc.).
    I believe that in the UK/EU this means that a website owner using these could be liable because the United Kingdom’s Data Protection Act 1998 (based on the EU’s Data Protection Directive 95/46/EC) prohibits the transmission, storage and/or processing of personal and sensitive data outside the EU’s territories (see 83., below).
    I believe there may be a point of law involved in the provision of WordPress Plugins that redirect the User to, or transmit, process and store their details on a third Party website OUTSIDE the EU, where their Country’s Data Protection legislation and EU protections do not apply. There is a (small) chance that WordPress could be liable. The owner of a website offering such services in the UK certainly would be!

    For more information on the Data Protection Act 1998 visit the Information Commissioner’s Office website: https://www.ico.gov.uk/for_organisations/data_protection/the_guide.aspx

    Below is the text of the guidance provided by the Information Commissioner’s Office in the UK, that covers this topic in detail.

    https://www.ico.org.uk/~/media/documents/library/Data_Protection/Practical_application/cloud_computing_guidance_for_organisations.ashx

    Guidance on the use of cloud computing (pp.18 – 20)
    ICO 1820121002 – Version: 1.1
    Using cloud services from outside the UK

    82. The computing resources managed by a cloud provider may be located outside the UK. A large cloud provider may have a number of data centres, each of which could be located in a different country. This distributed architecture can improve reliability of the cloud service but also means that it can be difficult to know where data is being processed.

    83. *** The DPA requires that personal data “shall not be transferred to any country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.” ***

    84. Cloud customers should ask a potential cloud provider for a list of countries where data is likely to be processed and for information relating to the safeguards in place there. The cloud provider should be able to explain when data will be transferred to these locations.

    85. In the case of layered cloud services, information relating to the location of each sub-processor involved in the processing of the data should also be available from the cloud provider, with details of the security arrangements in place.

    86. The ICO has already prepared detailed guidance on how to determine the adequacy of protection in relation to international transfers of data.

    _______________________________________________________________________
    Example
    An IaaS cloud provider informs a potential cloud customer that it operates six data centres globally: two in the EEA; two in North America; and two in Asia.
    It also has a support centre which is located in the USA.
    The cloud provider can guarantee that all personal data will be stored in the geographical area that the potential cloud customer specifies. The potential customer specifies that their data must only be stored within the EEA.
    However, during a support call personal data may be transferred to the USA. The cloud provider must make the potential customer aware that its guarantee to store data only within the EEA does not include transfers of data to the USA for support services. This will allow the potential customer to make an informed decision about whether it wishes to use this particular cloud provider.
    _______________________________________________________________________

    _______________________________________________________________________
    Example
    An IaaS cloud provider operates six data centres: two in the EEA; two in North America; and two in Asia.
    The technical implementation of the cloud service means that data may be distributed across any one of the six data centres.
    The cloud provider is able to provide appropriate assurances that no single data centre is likely to contain a complete and intelligible copy of the cloud customer’s data.
    The data will remain within the cloud provider’s own network of data centres. Security will be assured through a regular independent assessment.
    _______________________________________________________________________

    87. Cloud customers should remember that a foreign law enforcement agency may have the power to require cloud providers to give them access to personal data or disrupt the availability of the personal data to cloud customers and users.

    88. If a cloud provider is required to comply with a request for information from a foreign law enforcement agency, and did comply, the ICO would be likely to take the view that, provided the cloud customer had taken appropriate steps to ensure that the use of the cloud services would ensure an appropriate level of protection for the rights of data subjects whose personal data would be processed in the cloud, regulatory action against the cloud customer (in respect of the disclosure of personal data to the foreign law enforcement agency) would not be appropriate as the cloud provider, rather than the cloud customer, had made the disclosure.

    89. Regulatory action against the cloud provider, in its role as data controller when disclosing data to the enforcement agency, would also be unlikely provided the disclosure was made by the cloud provider in accordance with a legal requirement to comply with the disclosure request by the agency.

  • The topic ‘WARNING! Plugins running on 3rd Party websites outside the UK.’ is closed to new replies.