Feeds

US gives in to EU demands over data

PNR and Swift finally put to bed - but still restless

3 Big data security analytics techniques

The US has capitulated to EU demands that its use of European data in counter-terrorism operations should be subject to foreign scrutiny.

The two sides finally compromised this week on their long-running disagreements over the US requisition of personal data about European citizens from passenger name records (PNR) held by airlines, and their financial transactions processed by Swift, a Belgian mediator of international financial transactions.

In both sets of negotiations the EU had insisted that it appoint people in Washington to oversee the US use of European data. It believed that US privacy laws would not protect European citizens' data from being abused. The US had maintained as a point of principle that European oversight would be a violation of its sovereignty, said EU sources. But both deals have given the EU the power to inspect US investigators.

"The optimistic view is that this is a victory for the EU," said Gus Hossein, a director of Privacy International. However, he and EU officials said the jury was out until the details of the oversight arrangements had been agreed. And the EU had won only limited oversight over the US use of PNR data.

The US had an undeniably strong position on PNR - it had a right to know who was entering its country. Yet the two required legal cover for the transfer to take place and the EU was insistent that, in the absence of firmer US privacy laws, it must have someone inspect the arrangements. Nevertheless, according to the draft agreement still waiting for ratification of member states, the oversight would only occur "periodically". One EU official said this would consist of just one half-term review and someone watching over the US implementation of the agreement. The EU is also sceptical about how binding the agreement would be on the US.

The EU won greater concessions over US use of data commandeered from Swift, even though it did not have a negotiating position and no power to hold the US to a formal agreement. Swift held records of EU financial transactions on US soil, thus the US had a right to access Swift's data. But US interests were sensitive to Swift - it could not afford to undermine the confidence of other firms who hold data on EU soil by failing to assure Swift's customers that the privacy of their financial transactions would not be violated. The question of industrial espionage had even been raised.

So the US took a unilateral position on Swift, but one that guarantees ongoing, independent EU oversight of all its subpoenas on the financial firm.

EU officials still had reservations about both deals. The Swift arrangement allows the US to share data requisitioned from Swift with third countries. The US has assured the EU that it will insist data is treated by third countries according to the principles of data protection. Yet there would be no binding arrangement over third countries that do not have data protection laws.

The European Data Protection Supervisor has expressed its reservations about the final details of the PNR arrangement. The US will retain data about European citizens for fifteen years. Even the EU's negotiating position of three and half years had been too long, it said. ®

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.