
EU Privacy Directive

Deadline for EU Data Privacy Law
Prompts Worry Among Businesses

The mounds of data that zap electronically across borders may face
some travel restrictions as a European Union law takes effect this
week. Three years of talks between the EU and the U.S. have failed to
find a compromise on how to protect the privacy of data, and that has
businesses and consumer groups worried.

The issue arose in 1995, when Citibank Deutschland AG came under
attack for a co-branded credit-card program with Deutsche Bahn AG. The
program, Germany's data police decided, invaded the privacy of
citizens because the sign-up questionnaire was too nosy and the data
was processed in the U.S. The bank made headlines by offering to allow
Germany's data police to come to the U.S. to inspect its
data-processing arrangements.

Citibank solved its problems in Germany, but the European Commission
reasoned national data regulators couldn't possibly travel to the U.S.
to verify the compliance of all of the companies in Europe that send
personal data abroad for processing. Instead, the commission passed a
law that gave national data regulators wide powers to control what
type of data can be processed abroad and let them halt exports of
personal data to countries that don't have adequate protection, such
as the U.S. EU member states were given three years to institute
necessary changes.

Intensified Negotiations

Businesses panicked at the prospect of having data flows cut off,
databases erased and huge fines levied. Negotiations intensified
between Europe and the U.S., which planned to ensure data protection
mainly through industry self-regulation.

Three years later, just days before the deadline, a solution has yet
to be found, and Citibank and other multinationals doing business in
Europe are back in the headlines again, the targets of privacy
advocates who want to inspect transborder data flows. At issue is how
U.S. companies operating in Europe can send data back to the U.S.
without running afoul of strict new EU legislation on data protection.
The issue won't be settled before the legislation goes into effect
Oct. 25, although U.S. and EU officials say they are hopeful enough
progress has been made to ensure that companies won't see their data
flows interrupted on Oct. 26.

"The message to business should be don't panic," advised Francis
Aldhouse, deputy data-protection registrar at the U.K.'s office of
data protection. "Nothing great and dramatic" is going to happen this
week when the directive goes into force, he said.

Threat of Legal Action

But uncertainty abounds, and big companies in Europe are worried they
could face legal action from a variety of quarters, including Privacy
International, a Washington, D.C.-based watchdog group that plans to
increase its activities in Europe.

"This is not a deal that can be cut between the White House and
Brussels," said Simon Davies, Privacy International's director. "The
data-protection directive establishes new constitutional rights in
Europe and gives us a mandate to move forward."

Between now and Jan. 15, Privacy International will meet with 25
multinational corporations and government agencies it has identified.
The group wants to examine data flows through available public records
to determine whether these companies are in compliance with the new

At the moment all personal data gathered from European clients that is
processed outside the EU is suspect. Hong Kong, Quebec and New Zealand
are the exceptions because they have received the commission's stamp
of approval for providing adequate protection. Only three EU countries
are expected to meet the commission's Oct. 25 deadline for
implementing the data-protection directive -- Italy, Greece and Finland.

"Business can not live with such uncertainty," said Mark Loliver,
legal adviser to the European Federation of Direct Marketing.

Possible Solutions

Solutions on the table include:

1. Setting up safe harbors, a compromise that would allow U.S.
companies operating in Europe to ship data back to the U.S. even
though the U.S. itself won't get the European Commission's stamp of
approval for adequate protection. The U.S. Commerce Department would
issue principles on data privacy, and companies agreeing to abide by
these would be allowed to transfer data from Europe to the U.S.

2. Drawing up model contracts between companies operating in Europe
and those that process data overseas. The foreign companies would have
to commit to meeting Europe's data privacy standards. 

3. Implementing new software solutions that are designed to allow
companies that handle personal information about consumers to meet
privacy requirements. 

Both the U.S. and EU have shifted considerably from their original
positions. The commission is no longer insisting that the U.S. adopt
national data-protection legislation. And the U.S. now concedes that
consumers should be able to complain to an independent group about a
company's behavior.

The commission will have to get the support of member states for any
compromise at two meetings this month, the first of which will be held

Model Contract

Meanwhile the International Chamber of Commerce, British Federation of
Business and a number of other organizations are jointly working on a
model contract that could be drawn up between a company operating in
Europe and the company which processes data for it abroad, said Colin
Fricker, director of legal affairs at the U.K.'s Direct Marketing
Association and a member of the model contract working party of the
Confederation of British Industry.

Separately, some companies hope to tackle the problem with
technological solutions. NCR Inc., a Dayton, Ohio, data-warehousing
specialist, said that beginning in January it will build in new
software features that will allow the auditing of computer databases
to ensure compliance with government data privacy regulations. Its
clients include financial institutions and retailers.

For its part, Privacy International says neither model contracts nor
technological solutions offer adequate protection. "Companies in the
U.S. continue to maintain that industry code of practice and
privacy-enhancing technology afford protection and it does not -- it
is a very tiny step in the right direction," said Privacy
International's Mr. Davies. "The message we want to give the U.S. is
why are you following an outdated libertarian philosophy when you know
it is going to cost you dearly."
