Official questions EU data protection rules

Europe's most senior data protection official has called for clarification of existing European Union rules on data protection,...

Europe's most senior data protection official has called for clarification of existing European Union rules on data protection, amid concerns that corporations are abusing the right of people to see data about them.

European data protection ombudsman Jacob Soderman has written to European Commission president Romano Prodi, expressing fears that data protection rules are being misinterpreted.

"This misinterpretation risks subverting the principle of openness and the public's right of access to documents, both at the level of the Union and in the Member States," Soderman said.

In his letter the ombudsman proposed changes to existing data protection directives that date back to 1995. The letter to Prodi and the paper, The misuse of data protection rules in the European Union can be found on the ombudsman's Web site at:

Soderman's initiative comes after a two-day conference on data protection in the EU, held in Brussels. His call for action was backed up by a survey of more than 9,000 EU citizens, who said they feel the level of data protection for individuals in the EU is inadequate.

Most respondents in the survey said they fear their data could be misused while they used the Internet, in particular when conducting online financial transactions.

The conference also brought to light concerns of large businesses, which, along with some EU member states, are calling for the EU data protection directives to be revised in order to simplify the routine process of data transfers.

In particular, the EU rules have put Europe at odds with the United States because the rules forbid data transfers to any country beyond the EU that has inferior data protection policies.

This obstacle has caused legal problems for US firms, including Microsoft, that wish to send data across the Atlantic.

Microsoft was forced to pay a small fine to Spanish data protection authorities two years ago for not obeying the letter of the law when sending details about its employees in Spain to and from its headquarters in the US.

In response to some of these concerns the EU devised the so-called "safe harbour" code. If a company signs up to follow the code, as some including Microsoft have done, then they can freely transfer data. Signing up involves making a promise not to use the data in any way that would not be acceptable within the EU.

"By imposing duplicative, burdensome and costly requirements particularly on global companies, [the EU laws] interfere with companies' ability to run their businesses effectively and efficiently," the Global Privacy Alliance said at the conference.

The Global Privacy Alliance represents companies including Citigroup Fidelity Investments, General Motors, IBM and Oracle.

"At the same time, it is unclear if this approach provides any added privacy protection," the alliance said.

Data transfer appears to be difficult even within the 15-nation European Union as the different countries haven't implemented the various data protection laws harmoniously.

The UK, Finland, Sweden and Austria have requested changes to the data protection regime with the aim of cutting red tape and facilitating cross-border data transfers.

"The rules must give effective protection to individuals' personal data without unnecessarily restricting the processing needed to deliver the services which our increasingly technologically sophisticated society demands," the four countries said in a recent joint proposal made to the European Commission.

Read more on Privacy and data protection