EU-US privacy deal rotten, observers say

From...

March 16, 2000
Web posted at: 8:16 a.m. EST (1316 GMT)

by Rebecca Sykes and Elizabeth de Bony

(IDG) -- European and U.S. negotiators have finalized an agreement on data privacy that puts to rest a simmering trans-Atlantic dispute over data protection, but U.S. observers say the accord underscores that Europeans have far more privacy protection than Americans.

After more than two years of talks, negotiators announced at a press conference in Brussels on Tuesday that the U.S.'s largely self-regulatory system based on so-called safe harbor principles represents "adequate protection" as defined and required by the rules of the European Union on the transfer of personal data outside the EU.

"The U.S. safe harbor principle meets the test of adequacy as required by the (privacy) Directive," said John Mogg, director general of the European Commission's Internal Market Directorate.

	MESSAGE BOARD
Managing the net

Under safe harbor principles a U.S. company can, for example, only transfer or sell personal data to another company with the explicit agreement of the subject of the data. The safe harbor principles also allow EU citizens reasonable access to their personal data to review and possibly correct it and require adequate enforcement to ensure proper compliance.

Companies wishing to adhere to the principles will sign up with the U.S. Department of Commerce and be placed on a database available to the public over the Internet.

But the EU's agreement that the safe harbor principles afford adequate protection is largely meaningless, several observers said, because the first time there is a challenge to the safe harbor principles, the case goes to the national court of citizen making the charge, and individual EU nations typically have strict privacy laws.

MORE COMPUTING INTELLIGENCE

IDG.net home page

Make your PC work harder with these tips

Download free PC software fast

TechInformer: The Thinking Internaut's Guide to the Tech Industry

IDG.net's products pages

Reviews & in-depth info at IDG.net

E-BusinessWorld

IDG.net's Windows software page

Questions about computers? Let IDG.net's editors help you

Subscribe to IDG.net's free daily newsletters

Search IDG.net in 12 languages

News Radio

Fusion audio primers

Computerworld Minute

For example, a citizen of the U.K. who objects to how his or her data was treated in the U.S. takes the case to a U.K. court and follows U.K. law on this issue, according to Simon Davies, director of Privacy International, a London-based watchdog group. "And that is so in each country, which is why this whole negotiation has been a farce," Davies said.

A U.S.-based observer agreed. "It's an exercise in futility, because Europeans still have their rights under their national laws," said Evan Hendricks, editor and publisher of Privacy Times, a Washington, DC-based newsletter.

Those national laws are much more strict than the safe harbor principles, which are "thoroughly inadequate in every respect," Privacy International's Davies said.

But however deficient Europeans find the safe harbor principles, they are more protection than Americans have currently, U.S. observers said. The final version of the safe harbor principles have not yet been announced, but they do not apply to Americans, which highlights a real paradox, they said.

Unless they have been changed, the safe harbor principles apply to the export of data on Europeans to the U.S. and not to Americans' data held by American companies, said Barry Steinhardt, associate director of the American Civil Liberties Union (ACLU) in New York.

"It seems plain that Europeans who deal with American companies are going to have greater protection than Americans," Steinhardt said.

The safe harbor principles also mandate that the U.S. Federal Trade Commission (FTC) expedite complaints by EU citizens about how their data was handled in the U.S., processing them faster than complaints from U.S. citizens, several observers said. The ensuing system, whereby a U.S. government agency gives preference to complaints from noncitizens, is peculiar, they said.

"One of the linchpins of this whole agreement is now the FTC is going to become an aggressive pit bull for the privacy rights of Europeans," said Hendricks of Privacy Times.

The agreement reached Tuesday, which must be approved by the 15 member states of the European Union and the Strasbourg-based European Parliament, does not include financial services -- an apparently major gap in the agreement.

"Financial services are not excluded; they are simply not yet included," David Aaron, U.S. under secretary of commerce for international trade explained. This means that financial service companies can still voluntarily agree to sign up to safe harbor principles. However, in view of the ongoing modernization of the U.S. banking sector, the EU might require or accept separate provisions for the sector in the future, once the reform is finalized.

"We agreed that including the financial services now would be like painting a moving train," Mogg said. Aaron pointed out that implementing regulations for the U.S.'s Financial Modernization Act are not expected before May, when U.S. President Bill Clinton has also announced plans to propose specific legislation guaranteeing privacy in the financial services sector.

At issue is an EU directive that took effect in October 1998 to ensure the free flow of data across the 15 member states by establishing a high standard of data privacy. This directive also required that data could be sent outside the EU only to those countries which had an adequate level of protection. Failure to fulfill this requirement could theoretically lead to the EU blocking data flows.

Negotiations with the U.S. have been plagued by EU concerns that the largely voluntary systems of data privacy in the U.S. could not meet the legislative requirements of the EU Directive. Today's accord means that the EU has agreed with the U.S. claim that safe harbor principles will achieve high levels of protection.

But most observers charged the U.S. and the EU with playing politics, including Privacy International's Davies.

"This is to do with stabilizing trust in trade and investment and has nothing to do with privacy protection," Davies said.

Privacy Times' Hendricks charged U.S. and EU officials with ignoring the will of the people, who have a legitimate interest in protecting their privacy.

"You've heard of B-to-B? This is G-to-G. Government to government, ... even though the subject is people's personal data," Hendricks said.

Nonetheless, several observers, including Hendricks, expressed confidence that strong U.S. privacy protections would eventually be established. As consumers discover more and more error-ridden credit reports and an increase in personal information showing up in unwanted places, they will push for reform, just as they did with the Fair Credit Reporting Act, which restricts the sharing of consumer data with third parties, according to Hendricks.

"Ultimately, it's a human rights issue in the information age," Hendricks said.

DoubleClick privacy czar to be an 'inside watchdog'
March 13, 2000
Internet crime report irks privacy groups
March 13, 2000
Top 10 Internet-privacy tools
February 29, 2000
New privacy rules could affect IT vendors
February 28, 2000
The coming privacy divide
February 24, 2000

EU and US reach data privacy accord
(IDG.net)
EU goes slow on consumer privacy
(The Industry Standard)
EU, U.S. edge towards data privacy accord
(IDG.net)
U.S., EU to meet on data privacy
(IDG.net)
EU and U.S. extend data privacy negotiations
(IDG.net)
Congressmen propose privacy commission
(The Industry Standard)
Dot-coms wary of privacy bills
(Computerworld)

European Union
Privacy International
Privacy Times
American Civil Liberties Union (ACLU)

Note: Pages will open in a new browser window

External sites are not endorsed by CNN Interactive.