Data transfer feud re-ignites

David Bicknell

The data protection row between Europe and the US has flared up once again, leaving IT managers with little guidance over exporting personal data across the Atlantic.

Last week, the European Parliament threw out a proposed agreement with the US over the transfer of personal data between the two continents, despite two years of negotiation.

The situation means that a user-driven code of conduct over data privacy is likely to gain prominence, though organisers claim suppliers favour their own privacy solutions.

Agreement over the sharing of personal data between the two continents could take up to two years, commentators said. The process will be hindered by US presidential elections this autumn.

The European Parliament mandates the European Commission to toughen up proposals for access to data, and enforcement measures. But the EC has already said it does not believe it can improve the agreement without upsetting the US.

At the heart of the disagreement is the difference between US and European attitudes towards data privacy. In Europe, data privacy is covered by legislation, while in the US, self-regulation was deemed sufficient. A string of recent breaches, however, has led the Federal Trade Commission (FTC) to call for legislation.

Although the commission recently voted by four votes to three to call for legislation, none is expected before the US election. The FTC has also said it does not expect to be the body that EU privacy "hawks" want to oversee US enforcement of Safe Harbour.

While users are left with no clear lead on the export of personal data, a privacy code of conduct from the ICX user group has been backed by Shell and formulated by European privacy lawyers. However, insiders claim it is facing opposition from suppliers such as IBM and NCR.

They believe that suppliers want to kill the user-driven code in favour of privacy software solutions backed by pressure groups such as Truste.

IBM spokeswoman Armgard von Reden said IBM did not back the code. She said IBM did not believe a cross-sectoral code would improve on existing data protection legislation. "We can see that a specialist code for sectors such as financial services or direct marketing would be fine, but not this cross-sectoral code," she said.

Safe Harbour Accord timeline

  • Sept 1998: Talks on data transfer between EU and US start

  • Oct 1998: European Directive establishes rules for EU states to permit transfers of personal data only to countries outside the EU where there is adequate protection for such data. Directive to be incorporated into national law

  • 1999: Talks between two continents continue over proposed accord dubbed "Safe Harbour". March 2000 deadline set

  • Feb 2000: EU and US negotiators swap visits to thrash out deal

  • May 2000: EU-US summit claims "significant progress in our dialogue on data protection with the approval by EU Member States of safe harbour"

  • July 2000: European Parliament throws out agreement and calls for renegotiations.
