EU chief prepares for Washington summit to clear data minefield

Date: 14/02/02

By Peter Chapman

THE EU is set to plug the gaps which left US multi-billion dollar financial services firms outside a 'safe harbour' deal, struck two years ago to stave off a transatlantic trade war.

In an interview with European Voice, senior data-privacy official Stefano Rodota said EU representatives would meet their US counterparts in Washington next month to examine ways for American securities companies to legally transfer information to and from Europe.

Rodota, who chairs the Italian data protection commission and the EU's powerful 'Article 29 committee' of national data commissioners, said financial services were left out of the safe harbour agreement because they are not controlled by the Federal Trade Commission, the US government body that currently polices the deal.

'We need the possibility to look at financial services in relationship with some official bodies competent for intervening and solving controversies in this field,' Rodota said.

He added that his group would hold talks with the US financial services regulator, the Securities and Exchange Commission (SEC), during their trip.

'If it is not possible, I think we can develop model contracts for giving an answer to this very important problem,' he explained.

Rodota said executives and officials would seek ways to include the US media industry, which has also been shut out of the agreement.

The safe harbour offered protection for US companies shifting data from Europe to America - even though the Union's 1995 framework directive restricted exports of data to countries such as the US that were deemed not to have 'adequate' safeguards in place.

Safe harbour firms promised to respect data privacy and US authorities agreed to ensure they do so.

But the US financial services firms left out of the deal were saddled with huge extra costs and bureaucracy to comply with the EU law.

The European Commission has already published some general model contracts that offer an 'off-the-shelf' alternative to joining the safe harbour; any company using them is automatically deemed to meet the terms of the Union's strict data privacy code.

But Rodota admits these are 'not popular' with industry because firms complain they remain over-exposed to legal challenges from those people whose data is being used - known as 'data subjects'. But he said industry groups are free to draw up their own model contracts and to send them to Brussels for approval.

He said the Article 29 committee - named after the part of the 1995 directive that established it - is examining alternative model contracts drawn up directly by the American and Japanese chambers of commerce in Brussels and there is scope for financial services firms to use them.

Rodota says his mid-March trip to Washington will also provide a chance to re-assert the need for data privacy safeguards in the wake of last September's terrorist attacks on the US.

A fierce proponent of individuals' right to protection, he calls for a 'balanced' response to the events of 11 September.

Inside the EU, he claims data privacy should actually be strengthened in controversial new areas when the 1995 law is reviewed later this year.

'Data protection is now a fundamental right,' he says. 'It means we cannot cancel data protection but have to balance it with other fundamental factors like security or developing of commerce.

'We are now entering in an age where economic pressure on one side and terrorism on the other side could impinge dramatically [on] data protection.

'I must say that we - the data protection commissioners - are very worried about this point.'

He said there 'should be an evaluation of data protection in areas like genetics and all new forms of surveillance, such as video and bio-metric surveillance [the use of images of unique identifiers such as the human eye] to accord traditional rules with the new reality'.

Rodota said video cameras, often used by police forces to detect road crime as well as drunk and disorderly behaviour, have now become commonplace in European towns and cities.

He insisted that footage taken by these cameras is the equivalent of a piece of personal data such as a phone number or address and should be protected under privacy rights.

'Video surveillance is a specific problem,' he said. 'We could try to have some uniform rules.

'We also need to distinguish between what is truly needed for security reasons and what is purely risky for people without having a truly important social need.' Frits Bolkestein have at his disposal?

Full harmonisation of laws is a non-starter, because countries would have to get rid of their national foibles. The best choice would be 'mutual recognition', claims Pullen.

This would require a company to register only with the authorities in its home country, instead of anywhere in the EU that it does business.

Firms would have to comply only with the specific laws in their home state, and not have to bother with potentially conflicting renditions of the same EU directive elsewhere.

But even mutual recognition is unlikely to be secured because of national sensibilities over keeping the power to apply the rules.

If that's the case, the EU could make the directive more flexible by removing risks posed by glaring loopholes - while giving industry better guidance on how to comply.

'The institutions have got to find a better balance between protecting the rights of individuals and protecting legitimate commercial interests,' Pullen says.

There should be more guidance and less prescription - an approach that allows you to comply with principles and, if you get it wrong, regulators should enforce the law.

'The problem is that, as usual, we have a lot of prescriptive rules and very little proper enforcement.

'We have major brands spending a fortune coming into compliance and a lot of others are ignoring it.

'It is the usual story of a lot of onerous law that is not working in practice because of a lack of effective enforcement.'

• Primary Source