US-Europe privacy deal: agreeing to ignore it?

But if the fudge averts a trade war...

Analysis The political and cultural differences between Europe and the USA are too great to make any effective protocol on data privacy realistic. This became clear this week when EU and US negotiators announced that, after two years of talks, the US "safe harbour" principles gave sufficient protection over private data on European citizens held in US computers. There was a political imperative to produce a fudge: transatlantic Internet commerce has been picking up speed, and mostly moving in an easterly direction, of course.

The obstacle that initiated the talks in the first place was the European Data Protection Directive 95/46 "on the protection of individuals with regard to the processing of personal data and on the free movement of such data". This requires that personal data can only be sent outside the EU to countries that have adequate data protection in place. The directive came into force in October 1998, and gives the EU the power to block the flow of personal data to the USA - or, more exactly, to anywhere outside the EU. While "good-faith negotiations" were in progress, the EU agreed to a standstill on this provision, to stop any disruption of data flows across the Atlantic.

The agreement now goes to the European Parliament and each member state (plus, of course, the US government) for approval, but that is rather a joke, since the EC is currently taking Denmark, France, Germany, Ireland, Luxembourg and the Netherlands to the European Court of Justice for not having enacted national data protection laws within the required time frame. In the UK, the 1998 Data Protection Act came into force on 1 March this year - but the web site is still under construction. There isn't even an agreement on a deadline for US compliance - only an agreement to meet again in a year or so to chew over progress. To call yesterday's announcement an agreement is therefore absurd.

Nevertheless, it is expected that after some cosmetic moves in the US - such as the Department of Commerce setting up an Internet database of industry self-regulators, and empowering the FTC and DoJ to take action against any organisation not complying with the law - the US will be deemed to have adequate data protection around June this year. The biggest weakness is likely to be the lack of a US law defining what organisations are really obliged to do in the free-wheeling, self-regulating environment.

Excluded: financial services

Excluded from the agreement are financial services, but there was some sophistry in the spin about this at yesterday's press conference: "Financial services are not excluded: they are simply not yet included," proclaimed David Aaron, the US under-secretary of state for international trade. John Mogg, director general of the EU internal market, offered the excuse that because US legislation on financial privacy had not even been proposed yet (although it may happen in May), it would be like "painting a moving train". Well, it looked as though the train was still in the station. Financial services constitute one of the most important privacy areas, along with health information and political, racial, religious and philosophical opinions.

In principle, safe harbour should make it possible to transfer personal data from one organisation to another only with the explicit agreement of the data subject, and should give the subject the right of access, review and correction of the data. Few believe that this will happen in practice, or that there will be any significant enforcement in the US. There is little chance of matching the essentially voluntary and self-regulating US system with the regulated but largely unenforced system in Europe.

There is a distinct feeling that the EU saw the opportunity of using data protection law as a stick in trade negotiations, and as a way of ensuring that most processing of personal data takes place in Europe by erecting a privacy barrier. Last month, EU Internal Market Commissioner Frits Bolkestein told Aaron: "We want a system that will make it easier for both EU authorities and the companies concerned to transfer personal data to the US and ensure that the data transferred enjoys adequate protection in the US."

The bottom lines

The FAQ buried deep in the documentation of the talks gives the best summary of the implications of the agreement in various fields. Although it dates from last November, it gives the most practical overview of how the envisaged procedures are expected to work in practice.

FAQ1 says it is not necessary for an organisation to provide a specific opt-in choice to data subjects where processing is "in the vital interests of the data subject", and lists five other possible cases for exceptions.

FAQ2 allows journalistic exceptions, which is a weasel way of saying that the US was not going to do anything about its First Amendment right of freedom of the press; personal information gathered for journalistic purposes is not subject to the safe harbour requirements. (So watch it.)

FAQ3 perhaps has an upside: ISPs and telecom carriers will have no secondary liability when acting as a conduit.

FAQ4 balances this with a downside: it allows investment banks and auditors to do what they like with personal data if it is "necessary to meet statutory or public interest requirements [or would] prejudice the legitimate interests of the organisation". There is quite enough room for a coach and six horses to get through here. The US was curious as to whether headhunters would be granted an exception.

FAQ5 gives an outline of the intended procedures for US organisations receiving European personal information, but it will of course be the practice rather than the intentions that determines whether EU law is followed.

FAQ6 discusses self-certification, which is probably as likely to succeed as self-criticism.

FAQ7 tells us that US privacy compliance attestations and assertions can be verified through self-assessment or outside compliance reviews. Auditing, random reviews, the use of decoys and technology tools may be used.

FAQ8, on access to personal information, makes it clear that the principle of proportionality or reasonableness has to be applied. Thirteen cases in which access to information can be refused are listed. The fees chargeable for providing access are not specified, other than to say they must not be "excessive".

FAQ9 gives carte blanche on human resources data if employees move from Europe to the US.

FAQ10 sets out that data transferred from Europe to the US for processing will remain the responsibility of the European data controller.

FAQ11 says the FTC will review on a priority basis referrals from self-regulatory organisations like BBBOnline and TRUSTe.

FAQ12 says that individuals can opt out of having their data used for direct marketing, but it will be interesting to see how effective this is in practice.

FAQ13, on airline passenger reservations, may upset travelling vegetarians who do not always order a vegetarian meal when they fly, because their data can be passed to countries that do not accept the data protection principles, with the theoretical possibility that any vegetarian sometimes not having a vegetarian meal on Air Whateverland may find their secret exposed. It sounds silly, but that is the nature of most data protection law.

FAQ14 deals with the transfer of pharmaceutical and medical product data, and its use in research.

FAQ15 indicates a waiver for public-domain information that is not combined with private information.

An extremely important issue that does not seem to have been addressed is the cost of legal fees for European organisations seeking redress in the US for breaches of the safe harbour provisions. Of particular concern is the common US practice of not requiring the loser of an action to pay the reasonable legal costs of the winner. On the other hand, a letter of complaint to the designated US authorities could well result in significant legal costs being incurred by the subject of the complaint. There is every sign that there will be data protection breaches, especially for US marketing purposes, and little effective enforcement. The EU has to do something with the money that it extracts from EU taxpayers, but in this case it looks like a considerable waste of money to bring about a system that is a political compromise, doomed from the start, and unlikely to achieve its stated objectives. ®
