EU Privacy Directive

Deadline for EU Data Privacy Law Prompts Worry Among Businesses
By JENNIFER L. SCHENKER and JULIE WOLF
Special to THE WALL STREET JOURNAL

The mounds of data that zap electronically across borders may face some travel restrictions as a European Union law takes effect this week. Three years of talks between the EU and the U.S. have failed to find a compromise on how to protect the privacy of data, and that has businesses and consumer groups worried.

The issue arose in 1995, when Citibank Deutschland AG came under attack for a co-branded credit-card program with Deutsche Bahn AG. The program, Germany's data police decided, invaded the privacy of citizens because the sign-up questionnaire was too nosy and the data was processed in the U.S. The bank made headlines by offering to allow Germany's data police to come to the U.S. to inspect its data-processing arrangements.

Citibank solved its problems in Germany, but the European Commission reasoned national data regulators couldn't possibly travel to the U.S. to verify the compliance of all of the companies in Europe that send personal data abroad for processing. Instead, the commission passed a law that gave national data regulators wide powers to control what type of data can be processed abroad and let them halt exports of personal data to countries that don't have adequate protection, such as the U.S. EU member states were given three years to institute necessary changes.

Intensified Negotiations

Businesses panicked at the prospect of having data flows cut off, databases erased and huge fines levied. Negotiations intensified between Europe and the U.S., which planned to ensure data protection mainly through industry self-regulation. Three years later, just days before the deadline, a solution has yet to be found, and Citibank and other multinationals doing business in Europe are back in the headlines again, the targets of privacy advocates who want to inspect transborder data flows.

At issue is how U.S. companies operating in Europe can send data back to the U.S. without running afoul of strict new EU legislation on data protection. The issue won't be settled before the legislation goes into effect Oct. 25, although U.S. and EU officials say they are hopeful enough progress has been made to ensure that companies won't see their data flows interrupted on Oct. 26.

"The message to business should be don't panic," advised Francis Aldhouse, deputy data-protection registrar at the U.K.'s office of data protection. "Nothing great and dramatic" is going to happen this week when the directive goes into force, he said.

Threat of Legal Action

But uncertainty abounds, and big companies in Europe are worried they could face legal action from a variety of quarters, including Privacy International, a Washington, D.C.-based watchdog group that plans to increase its activities in Europe. "This is not a deal that can be cut between the White House and Brussels," said Simon Davies, Privacy International's director. "The data-protection directive establishes new constitutional rights in Europe and gives us a mandate to move forward."

Between now and Jan. 15, Privacy International will meet with 25 multinational corporations and government agencies it has identified. The group wants to examine data flows through available public records to determine whether these companies are in compliance with the new laws.

At the moment all personal data gathered from European clients that is processed outside the EU is suspect. Hong Kong, Quebec and New Zealand are the exceptions because they have received the commission's stamp of approval for providing adequate protection. Only three EU countries are expected to meet the commission's Oct. 25 deadline for implementing the data-protection directive -- Italy, Greece and Finland. "Business cannot live with such uncertainty," said Mark Loliver, legal adviser to the European Federation of Direct Marketing.

Possible Solutions

Solutions on the table include:

1. Setting up safe harbors, a compromise that would allow U.S. companies operating in Europe to ship data back to the U.S. even though the U.S. itself won't get the European Commission's stamp of approval for adequate protection. The U.S. Commerce Department would issue principles on data privacy, and companies agreeing to abide by these would be allowed to transfer data from Europe to the U.S.

2. Drawing up model contracts between companies operating in Europe and those that process data overseas. The foreign companies would have to commit to meeting Europe's data privacy standards.

3. Implementing new software solutions that are designed to allow companies that handle personal information about consumers to meet privacy requirements.

Both the U.S. and EU have shifted considerably from their original positions. The commission is no longer insisting that the U.S. adopt national data-protection legislation. And the U.S. now concedes that consumers should be able to complain to an independent group about a company's behavior. The commission will have to get the support of member states for any compromise at two meetings this month, the first of which will be held Monday.

Model Contract

Meanwhile the International Chamber of Commerce, British Federation of Business and a number of other organizations are jointly working on a model contract that could be drawn up between a company operating in Europe and the company which processes data for it abroad, said Colin Fricker, director of legal affairs at the U.K.'s Direct Marketing Association and a member of the model contract working party of the Confederation of British Industry.

Separately, some companies hope to tackle the problem with technological solutions.
NCR Inc., a Dayton, Ohio, data-warehousing specialist, said that beginning in January it will build in new software features that will allow the auditing of computer databases to ensure compliance with government data privacy regulations. Its clients include financial institutions and retailers.

For its part, Privacy International says neither model contracts nor technological solutions offer adequate protection. "Companies in the U.S. continue to maintain that industry code of practice and privacy-enhancing technology afford protection and it does not -- it is a very tiny step in the right direction," said Privacy International's Mr. Davies. "The message we want to give the U.S. is why are you following an outdated libertarian philosophy when you know it is going to cost you dearly."

Those who are affected in the first place are US companies who are used to collecting and processing personal data from their customers without any embarrassment. They will be excluded from the European market if they do not follow European Data Protection rules.

Until now the US government has decided to leave this matter to self-regulation. However, US industry did not manage to come up with an appropriate codex. If industry does not comply until the end of the year, the FTC promised that they will introduce a bill in Congress which will comply with European data protection standards. On the other hand, the US did not even manage to adopt the Guidelines on the Protection of Privacy and Transborder Flow of Personal Data by the OECD. The discrepancy in the US system is exposed by the fact that general laws for data protection and privacy were avoided in favour of specific laws for single areas or techniques.

Other countries, in particular those in Eastern and Central Europe, have, in spite of massive lobbying by D. Aaron, adopted laws on data protection and privacy since they do not want to endanger their future participation in the EU.

T. Schlickmann

At 12:39 AM -0700 10/20/98, Theodor.SCHLICKMANN@BXL.DG13.cec.be wrote:
> Those who are affected in the first place are US companies who are used to collecting and processing personal data from their customers without any embarrassment. They will be excluded from the European market if they do not follow European Data Protection rules.
Sounds good to me...a trade war with the Communist Confederation of Europe.
> Until now the US government has decided to leave this matter to self-regulation. However, US industry did not manage to come up with an appropriate codex.
Because in these United States we have certain constitutional rights. Some of those rights include the First and the Fourth Amendments. Taken together with other rights, the conclusion is this: the government cannot insist on the form of data stored in databases. (There have been unconstitutional, in the opinion of many, encroachments on this right, and especially on what businesses and others may do with data. Releasing or selling video rental records, for example.)

To be more concrete, if I compile lists of who is writing articles on Usenet, I have no obligation to either purge these records or show them to others or not sell them or _anything_. The government cannot get at my records except under limited situations.

Europe's "data privacy laws," which I have been critical of for more than ten years now, are an abomination. While the laws sound well-intentioned, they effectively give the state the power to sift through filing cabinets and disk drives looking for violations.

And the laws create much mischief. A node for the Cypherpunks distributed list probably could not legally be run in many European states (maybe none of the EEC states now that they are conforming to the same laws). Why not? Check the provisions on compiling lists and the need for permission from the compilee, and the need to register the lists with various bureaucrats. (This example came up several years ago in connection with the U.K.'s data privacy laws. As the law read, lists of e-mail addresses fell under the reporting requirements, as did databases of customers, vendors, and other such stuff a company might collect.)

Of course, like all bad laws, these laws are only enforced at the convenience of the state. While Germany may not hassle the Cypherpunks list operators in Berlin, they may very well use the data privacy laws to force the Church of Scientology to open up their lists of members, to register the lists, to purge the lists, etc.

And France will probably use the laws to harass Greenpeace. Bad laws. Bad to invade file cabinets.
> If industry does not comply until the end of the year, the FTC promised that they will introduce a bill in Congress which will comply with European data protection standards. On the other hand, the US did not even manage to adopt the Guidelines on the Protection of Privacy and Transborder Flow of Personal Data by the OECD.
Because fucking OECD deals don't take precedence over our Constitution.
> Other countries, in particular those in Eastern and Central Europe, have, in spite of massive lobbying by D. Aaron, adopted laws on data protection and privacy since they do not want to endanger their future participation in the EU.
These laws on "data protection and privacy" are in many ways laws _against_ privacy. After all, if data are actually private, the authorities won't see any violations. "We have to destroy privacy in order to protect privacy."

Let the war with the statists in Europe commence.

--Tim May

Y2K: A good chance to reformat America's hard drive and empty the trash.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.

At 09:39 AM 10/20/98 +0200, Theodor.SCHLICKMANN@bxl.dg13.cec.be wrote:
> Those who are affected in the first place are US companies who are used to collecting and processing personal data from their customers without any embarrassment. They will be excluded from the European market if they do not follow European Data Protection rules.
> Until now the US government has decided to leave this matter to self-regulation. However, US industry did not manage to come up with an appropriate codex.
The big problem in the US isn't the government's failure to tell big companies what protection to provide for their transactions - it's their insistence on adding more and more requirements that businesses, especially banks, and local governments collect and retain information that makes data correlation simpler, and creation of database systems that collect more information.

The most common are the requirement for SSNs as a tax-collection ID for banks and employers, and the use of the SSN for Medicare making it simplest for medical insurance companies to use it as an ID. Then of course there's the near-universal requirement for collecting SSNs in return for drivers' licenses, and "deadbeat dad databases" that require employers to register new employees in government databases, even those of us who are neither dads nor deadbeats. Once all your transactions have personal identifiers on them, it's nearly trivial to track everything that you do.

Thanks!
Bill

Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
participants (4)
- Bill Stewart
- David Watts
- Theodor.SCHLICKMANN@BXL.DG13.cec.be
- Tim May