David Bicknell
The data protection row between Europe and the US has flared up
once again, leaving IT managers with little guidance over exporting
personal data across the Atlantic.
Last week, the European Parliament threw out a proposed
agreement with the US over the transfer of personal data between
the two continents, despite two years of negotiation.
The situation means that a user-driven code of conduct over data
privacy is likely to gain prominence, though organisers claim
suppliers favour their own privacy solutions.
Agreement over the sharing of personal data between the two
continents could take up to two years, commentators said. The
process will be hindered by US presidential elections this
autumn.
The European Parliament mandates the European Commission to
toughen up proposals for access to data, and enforcement measures.
But the EC has already said it does not believe it can improve the
agreement without upsetting the US.
At the heart of the disagreement is the difference between US
and European attitudes towards data privacy. In Europe, data
privacy is covered by legislation, while in the US, self-regulation
was deemed sufficient. A string of recent breaches, however, has
led the Federal Trade Commission (FTC) to call for legislation.
Although the commission recently voted by four votes to three to
call for legislation, none is expected before the US election. The
FTC has also said it does not expect to be the body that EU privacy
"hawks" want to oversee US enforcement of Safe Harbour.
While users are left with no clear lead on the export of
personal data, a privacy code of conduct from the ICX user group
has been backed by Shell and formulated by European privacy
lawyers. However, insiders claim it is facing opposition from
suppliers such as IBM and NCR.
They believe that suppliers want to kill the user-driven code in
favour of privacy software solutions backed by pressure groups such
as Truste.
IBM spokeswoman Armgard von Reden said IBM did not back the
code. She said IBM did not believe a cross-sectoral code would
improve on existing data protection legislation. "We can see that a
specialist code for sectors such as financial services or direct
marketing would be fine, but not this cross-sectoral code," she
said.
Safe Harbour Accord timeline
- Sept 1998: Talks on data transfer between EU and US
start
- Oct 1998: European Directive establishes rules for EU states to
permit transfers of personal data only to countries outside the EU
where there is adequate protection for such data. Directive to be
incorporated into national law
- 1999: Talks between two continents continue over proposed
accord dubbed "Safe Harbour". March 2000 deadline set
- Feb 2000: EU and US negotiators swap visits to thrash out
deal
- May 2000: EU-US summit claims "significant progress in our
dialogue on data protection with the approval by EU Member States
of safe harbour"
- July 2000: European Parliament throws out agreement and calls
for renegotiations.