
Privacy Risks Associated with International Transactions

Server locations are crucial when it comes to the legally-compliant transfer of data during the due diligence process


Frankfurt, August 1st, 2010 - In accordance with European data protection provisions, personal data from EC member states may not be transferred to non-compliant countries such as the USA. The Commissioner for Data Protection and Freedom of Information for the state of Berlin does not consider the Safe Harbor Principles to be an adequate solution to this legal dilemma. Instead, he recommends partnering with service providers that have server locations within the EU. Data Room Services, a data room provider, supports data exchange between different parties during the due diligence process and relies on server locations within the EU. Only in this way is it possible to fulfill the data protection requirements imposed by the EU which, if not followed, can result in regulatory action and fines.

As the importance of data protection grows, companies must deal intensively with legal specifications concerning the exchange of confidential information in the course of international transactions.

When transaction processes are executed, particularly in the course of due diligence, accounting data and personal data are often passed on to potential buyers located nationally and abroad. The transfer of data is generally achieved digitally using virtual data rooms. The data is saved on the local servers of the data room provider and is subject to strict specifications concerning compliance with nationally enacted data protection provisions.

If, for example, a company in Germany exchanges confidential data with third parties during the due diligence process via the virtual data room of a corresponding provider, the seller, as the responsible party, must ensure that the provider complies with the regulations of the German Federal Data Protection Act and other laws. For example, § 11 BDSG [Federal Data Protection Act] applies if the headquarters of the selling party and the headquarters of the data room provider are in Germany or another member state of the European Union (EU). If, however, the virtual data room provider has its headquarters - including the server location - in a third country, special data protection regulations are in force.

According to the Data Protection Directive 95/46/EC, no personal data from EC member states may be transferred to states which do not have a level of data protection that is comparable to that prescribed by EC law. Various criteria are considered when evaluating whether the level of data protection is adequate. To date, however, only a few countries such as Canada and Switzerland (among others) have been granted approved security status. The USA, on the other hand, does not have a comparable level of data protection, as it does not pursue uniform data protection legislation and does not comply with the standard of the EC.

To prevent transatlantic data and related commerce from coming to a standstill, the Safe Harbor Principles were drawn up: a special data protection convention between the European Union and the USA, which purportedly makes it possible for a European company to legally transfer personal data to the USA. Nevertheless, this convention is the subject of criticism in discussions of legal policy, as Safe Harbor is an entirely voluntary and self-regulating mechanism. In the view of the Commissioner for Data Protection and Freedom of Information, business persons should therefore ensure that personal data is not processed in a country such as the USA. As highly sensitive company data is exchanged in transactions, which often contain personal data that has not been redacted, selecting a provider capable of guaranteeing that the data remains on servers within the EU is absolutely vital.

This issue is particularly relevant because the selling party must guarantee compliance with legal stipulations as part of its responsibilities during the transaction.

For this and many other reasons, Data Room Services ensures compliance with all EU and EC data protection conventions by locating its dedicated server environment within member states.


