US gives in to EU demands over data
PNR and Swift finally put to bed - but still restless
The US has capitulated to EU demands that its use of European data in counter-terrorism operations should be subject to foreign scrutiny.
The two sides finally compromised this week on their long-running disagreements over the US requisition of personal data about European citizens from passenger name records (PNR) held by airlines, and their financial transactions processed by Swift, a Belgian mediator of international financial transactions.
In both sets of negotiations the EU had insisted that it appoint people in Washington to oversee the US use of European data. It believed that US privacy laws would not protect European citizens' data from being abused. The US had maintained as a point of principle that European oversight would be a violation of its sovereignty, said EU sources. But both deals have given the EU the power to inspect US investigators.
"The optimistic view is that this is a victory for the EU," said Gus Hossein, a director of Privacy International. However, he and EU officials said the jury was out until the details of the oversight arrangements had been agreed. And the EU had won only limited oversight over the US use of PNR data.
The US had an undeniably strong position on PNR - it had a right to know who was entering its country. Yet the two required legal cover for the transfer to take place and the EU was insistent that, in the absence of firmer US privacy laws, it must have someone inspect the arrangements. Nevertheless, according to the draft agreement still waiting for ratification of member states, the oversight would only occur "periodically". One EU official said this would consist of just one half-term review and someone watching over the US implementation of the agreement. The EU is also sceptical about how binding the agreement would be on the US.
The EU won greater concessions over US use of data commandeered from Swift, even though it did not have a negotiating position and no power to hold the US to a formal agreement. Swift held records of EU financial transactions on US soil, thus the US had a right to access Swift's data. But US interests were sensitive to Swift - it could not afford to undermine the confidence of other firms who hold data on EU soil by failing to assure Swift's customers that the privacy of their financial transactions would not be violated. The question of industrial espionage had even been raised.
So the US took a unilateral position on Swift, but one that guarantees ongoing, independent EU oversight of all its subpoenas on the financial firm.
EU officials still had reservations about both deals. The Swift arrangement allows the US to share data requisitioned from Swift with third countries. The US has assured the EU that it will insist data is treated by third countries according to the principles of data protection. Yet there would be no binding arrangement over third countries that do not have data protection laws.
The European Data Protection Supervisor has expressed its reservations about the final details of the PNR arrangement. The US will retain data about European citizens for fifteen years. Even the EU's negotiating position of three and half years had been too long, it said. ®
How about telling me?
Perhaps the EU needs to impose a legal requirement that any time an EU institution hands personal data over to the US, it should also inform the subject of the data of what has been transferred. Stick in some weasel words that allow the US to apply to an EU court for a two-year delay on informing the subject on a case by case basis for the few times they might have a genuine need for it.
What a waste of time
As I read it these agreements don't amount to diddly squat.
OK, so in some token way there is EU oversight of what the US does with the data it's demanding - but what happens when the US just ignores it ? It's already got the data, it's not breaking any of it's own (non existant) data protection laws, so it can just tell the EU overseer just where to go !
The very fact that there's been all the hoo-har and these negotiations shows that there is a problem with the way the US handles personal data, and I don't see that changing one bit under this ineffectual agreement.
Thats total bollocks, arrest Lázaro Campos
That's spelt bollocks without the *.
Any person the US wanted watching, it should send the list to EU to monitor. If they're terrorists then we don't want them on the planes, if they're not, the US has no business putting them on a list.
SWIFT broke laws every side of the Atlantic, they broke laws in the US too. You want them to comply? Arrest Lázaro Campos, it's really that simple, you'd be amazed how much compliance you get when you arrest him. He lives in Belgium, his roots are in Spain, it's no problem, you issue a warrant, you pop down the road, with a bunch of police, you march him into the station, and bingo, suddenly SWIFT has a memory recall and remembers it as to comply with European law.
And guess what, every corp, that thinks they're bigger than the countries they operate in, will suddenly remember that they have to comply with the little province called Europe, remember that tiny little province with 350 million of the wealthiest consumers in the world? That one? Ahhh, now you remember!