US-Europe privacy deal: agreeing to ignore it?
But if the fudge averts a trade war...
Analysis The political and cultural differences between Europe and the USA are too great to make any effective protocol on data privacy realistic. This became clear this week when EU and US negotiators announced that after two years of talks, the US "safe harbour" principles gave sufficient protection over private data on European citizens held in US computers. There was a political imperative to produce a fudge; transatlantic Internet commerce has been picking up speed, and mostly moving in an easterly direction of course. The obstacle that initiated the talks in the first place was the European Data Protection Directive 95/46 "on the protection of individuals with regard to the processing of personal data and on the free movement of such data". This requires that data can only be sent outside the EU to countries that have in place adequate data protection. The directive came into force in October 1998, and gives the EU the power to block the flow of personal data to the USA - or more exactly, outside the EU. While "good-faith negotiations" were in progress, the EU agreed to a standstill in this provision, to stop any disruption of data flows across the Atlantic. The agreement now goes to the European Parliament and each member state (plus of course the US government) for approval, but that's rather a joke, since the EC is currently taking Denmark, France, Germany, Ireland, Luxembourg, the Netherlands to the European Court of Justice for not having enacted national data protection laws within the required time frame. In the UK, the 1998 Data Protection Act came into force on 1 March this year - but the web site is still under construction. There isn't even an agreement as to a deadline for US compliance - only an agreement to meet again in a year or so to chew over progress. To call the announcement yesterday an agreement is therefore absurd. Nevertheless, it is expected that after some cosmetic moves in the US - such as the Department of Commerce setting up an Internet database of industry self-regulators, and empowering the FTC and DoJ to take action against any organisation not complying with the law, the US will be determined to have adequate data protection around June this year. The biggest weakness is likely to be the lack of a US law to define what organisations are really obliged to do in the free-wheeling self-regulating environment. Excluded: financial services Excluded from the agreement are financial services, but there was some sophistry in the spin about this at the press conference yesterday: "Financial services are not excluded: they are simply not yet included," proclaimed David Aaron, the US under-secretary of state for international trade. John Mogg, director general of the EU internal market offered the excuse that because US legislation on financial privacy had not even been proposed yet (although it may happen in May), it would be like "painting a moving train". Well, it looked as though the train was still in the station. Financial services constitute one of the most important privacy areas, along with health information, and political/racial/religious/philosophical opinions. In principle, safe-harbour should make it possible to transfer personal data from one organisation to another only with the explicit agreement of the data subject, and to give the subject the right of access, review and correction of the data. Few believe that this will happen in practice, or that there will be any significant enforcement in the US. There's little chance of matching the essentially voluntary and self-regulating US system with the regulated but largely unenforced system in Europe. There's a distinct feeling that the EU saw the opportunity of using data protection law as a stick in trade negotiations, and a way of ensuring that most processing of personal data takes place in Europe by erecting a privacy barrier. Last month, EU Internal Market Commissioner Frits Bolkestein told Aaron: "We want a system that will make it easier for both EU authorities and the companies concerned to transfer personal data to the US and ensure that the data transferred enjoys adequate protection in the US." The bottom lines The FAQ deep inside the documentation of the talks gives the best summary of the implications of the agreement in various fields. Although it dates from last November, it gives the most practical overview of how the envisaged procedures are expected to work in practice. FAQ1 says it is not necessary for an organisation to provide a specific opt-in choice to data subjects where processing is "in the vital interests of the data subject" with five other possible cases for exceptions. FAQ2 allows journalistic exceptions, which is a weasel way of saying that the US was not going to do anything about its first amendment right of freedom of the press; personal information gathered for journalistic purposes is not subject to the safe harbour requirements. (So watch it.) FAQ3 perhaps has an upside: ISP and telecom carriers will have no secondary liability when acting as a conduit. FAQ4 balances this with a downside: it allows investment banks and auditors to do what they like with personal data if it is "necessary to meet statutory or public interest requirements [or would] prejudice the legitimate interests of the organisation". There's quite enough room for a coach and six horses to get through here. The US was curious as to whether headhunters would be granted an exception. FAQ5 gives an outline of the intended procedures for US organisations receiving European personal information, but it will of course be the practice rather than intentions that determine whether EU law is followed. FAQ6 discusses self-certification, which is probably as likely to succeed as self-criticism. FAQ7 tells us that US privacy compliance attestations and assertions can be verified through self assessment or outside compliance reviews. Auditing, random reviews, the use of decoys, and technology tools may be used. FAQ8 on the access to personal information makes it clear that the principle of proportionality or reasonableness has to be applied. Thirteen cases in which information access can be disclosed are listed. The fees chargeable for providing access are not specified, other than to say they must not be "excessive". FAQ9 gives carte blanche on human resources data if employees move from Europe to the US. FAQ10 sets out that data transferred from Europe to the US for processing will remain the responsibility of the European data controller. FAQ11 the FTC will review on a priority basis referrals from self-regulatory organisations like BBBOnline and TRUSTe. FAQ12 says that individuals can opt out of having their data used for direct marketing, but it will be interesting to see how effective this is in practice. FAQ13, on airline passenger reservations, may upset travelling vegetarians who do not always order a vegetarian meal when they fly, because their data can be passed to countries that do not accept the data protection principles, with the theoretical possibility that any vegetarian sometimes not having a vegetarian meal on Air Whateverland may find their secret exposed. It sounds silly, but that's the nature of most data protection law. FAQ14 deals with the transfer of pharmaceutical and medical product data, and its use in research. FAQ15 indicates a waiver for public-domain information that is not combined with private information. An extremely important issue that does not seem to have been addressed is the cost of legal fees for European organisations seeking redress in the US for breaches of the safe-harbour provisions. Of particular concern is the common practice of not requiring the loser of an action to pay the reasonable legal costs of the winner. On the other hand, a letter of complaint to the designated US authorities could well result in significant legal costs being paid by the subject of the complaint. There's every sign that there will be data protection breaches, especially for US marketing purposes, and little effective enforcement. The EU has to do something with the money that it extracts from EU taxpayers, but in this case, it looks like a considerable waste of money to bring about a system that is a political compromise, doomed from the start, and unlikely to achieve the stated objectives. ®
Sponsored: 2016 Cyberthreat defense report