Harmony and high standards are the goals for protection review

Series Details Vol.8, No.32, 12.9.02, p23, 26
Publication Date 12/09/2002

Date: 12/09/02

Susan Binns, the European Commission's leading policy advisor on data privacy, sets the scene for future developments in a Q & A with business editor Peter Chapman.

Q: Can you explain the background to the review of the Data Protection Directive? Why is EU data privacy legislation needed?

A: It became clear that we needed EU data protection legislation when member states started legislating to protect personal data, mostly in the 1980s, and their legislation inevitably diverged on some points.

Some member states did not legislate at all. This created problems in the internal market: there was the celebrated case of FIAT France (where national legislation was in force) not being able to send employee data to FIAT in Italy (which had no data protection law at the time).

So, this is classical internal market legislation: bringing member states' rules closer to each other so that data can flow freely between them.

The rule is to harmonise towards high standards, so the directive also provides a high level of data protection for individuals.

As to the review, the short answer is that article 33 of the directive says that the Commission must make a report on its implementation. But even if that requirement were not there, the Commission's view is that it is right to review legislation periodically to ensure that it is achieving what it is supposed to achieve.

As Commissioner Frits Bolkestein said when we launched the review: 'We have to keep the Data Protection Directive under review to ensure that it is working in the interests of our citizens, businesses, public authorities and other interested parties.'

Q: What is likely to be the focus of the review?

A: We have deliberately left it rather broad. Setting the agenda in advance of the open consultation process that is now in full swing would have risked distorting the results.

The high point of the consultation will be the conference we are organising on 30 September-1 October here in Brussels.

If the Commission itself has any priorities, they are themselves broad ones. First, the internal market. Has the directive had the desired effect in the sense of removing barriers to the free movement of data and, if there are still difficulties, is it because the directive is faulty, or because the member states are not applying it properly?

If, on the other hand, we have removed the barriers, is it really on the basis of a level playing field and does it guarantee the desired high level of protection?

Second, improving the quality of our legislation. Can we achieve the same objectives in a less burdensome way? Can the requirements be made clearer for end-users? Have we struck the right balance between leaving member states room for manoeuvre - which is in principle good from a subsidiarity point of view - and avoiding ambiguity and legal uncertainty, which is bad for economic operators?

Q: Is a totally revised directive needed? Or will you just target specific problem areas?

A: If we knew the answers to these questions, we could have skipped the review. Nothing is ruled out at this stage. But the contributions we have received so far point towards the possible need for some specific improvements rather than a root and branch revision.

Some specific improvements may not even involve amendments to the directive.

Q: Can you identify any such issues? How might they be dealt with?

A: One example of a problem that appears to need a non-legislative solution is that of the continuing low level of understanding among 'data subjects' - that's everybody - about their rights. This has emerged clearly from many sources, not least our online questionnaires (http://europa.eu.int/yourvoice/dataprotection_en.htm).

The national data protection commissioners in particular will need to continue working on that. They can also iron out some of the wrinkles where some provisions in the directive are being interpreted differently in various member states, simply by agreeing among themselves on a common approach.

This could deal, for example, with differences in interpretations of what actually constitutes 'personal data'.

As for examples of areas that may need amendments to the directive, we are looking, among other things, at the pros and cons of making less onerous the requirements for processing operations to be notified to the data protection authorities.

We are also looking at the rules on international transfers to see if they adequately reflect the reality of global data flows. But I stress that these are only examples and that we are not yet at the stage of reaching conclusions.

Q: What is the current state of play on the US Safe Harbor? What can be done to enforce it?

A: You seem to imply that the Safe Harbor is not being enforced. I am not sure where you get that impression from. The Commission published a report on the Safe Harbor in February which certainly did not come to that conclusion and nobody challenged our report.

It is true that the Safe Harbor's enforcement mechanisms are very different from what we are used to in Europe. It relies in the first instance on alternative dispute resolution bodies.

But Safe Harbor commitments are also underpinned by law, notably the Federal Trade Commission Act.

It is also true that the system has not been severely tested up to now, in the sense that not many unresolved complaints have been brought to the attention of the dispute resolution bodies. Hardly any complaints is surely good news! The present situation is that 236 companies or organisations have signed up - a mixture of very big ones like Microsoft, IBM, Disney, Procter and Gamble and so on, and smaller companies you and I have never heard of.

The number is a bit disappointing, but we are in touch with the Department of Commerce about ways to encourage more companies to come in.

Q: Are there any other trade issues you are currently examining in relation to data privacy? For example can you say what the state of play is regarding the Microsoft .Net Passport?

A: I think the whole question of how the internet is regulated is something that needs more work. This goes much wider than privacy, of course, but privacy is an important part of it.

Consumers expect their own country's laws to apply when they make transactions from their own homes, but it is not clear to what extent this is a workable solution.

As regards Microsoft .Net Passport, our data protection commissioners' working party is currently looking into this.

They recognise that Microsoft has put in place some measures to address data protection requirements, but consider that there are a number of legal issues that require further analysis. In the meantime, we have had the Federal Trade Commission's settlement with Microsoft in which Microsoft has undertaken to make some changes and our DP commissioners will need to consider to what extent those changes meet some of their concerns.

I should add that Microsoft is cooperating fully in this process.

Q: Are there any plans to try and smooth data flows in financial services?

A: I suppose you are referring particularly to the US, because this sector is not covered by the Safe Harbor for various reasons. Yes - Commissioner Bolkestein has been in correspondence with Ken Dam at the US Treasury and in July, some of his senior staff, accompanied by officials from the main regulatory bodies - the Fed, the Securities and Exchange Commission and so on - were in Brussels for talks with officials here.

They also made a presentation to the data protection commissioners working party - the article 29 working party.

Both sides are in a constructive mood, but this is a complicated area and it may take some time to work something out.

In the meantime, I am not aware that any data flows are not being prevented. It's just that the process could - no, should be made less onerous.

Q: Aside from the Safe Harbor, the Commission's website has approved 'model contracts' that companies can use to smooth data transfers to countries outside the EU. Business says the contracts are unwieldy. Are there any new ones created by industry groups that are currently under consideration?

A: Yes. We always envisaged that the proposals for model contracts would come from the private sector, even if this did not work out on the first occasion when the Commission approved such clauses.

A group of business organisations led by the International Chamber of Commerce has submitted a draft. It is too early to say whether we shall be able to approve it as it stands.

The Commission will consider its position once it has an opinion from the article 29 working party, which next meets in the first week of October.

What is clear is that while we are open to different - more business friendly perhaps - ways of doing the same thing, the Commission will not approve clauses that result in a lower level of protection than the clauses it has already approved.

We are certainly keen to see developments that ease the business of moving data around internationally while not compromising its protection, and we very much appreciate the amount of work that the organisations concerned have done on this.

Q: Since 11 September has the approach to data privacy changed?

A: I would say rather that it has come more sharply into focus. When things are calm, people tend to take both their security and their fundamental rights and freedoms somewhat for granted.

The awful events of a year ago sparked off a debate that not only concerned security, but also all the things you put at risk if your only concern is security - and those include, of course, privacy.

It is a matter of striving to find the right balance and the perception of where exactly the right balance lies has probably shifted just a little towards security. I am talking about the EU member states here.

The shift has been bigger in the United States - not surprisingly - and especially at the expense of the privacy of non-US citizens.

Q: Critics say the EU has agreed to water down protection in the new telecoms privacy directive. Is this fair? Are necessary safeguards to privacy in place?

A: This directive comes mainly under Commissioner Erkki Liikanen's responsibility and that of DG Information Society, of course, but no, I do not think that protection under the directive was watered down.

On the contrary, it was strengthened in some areas, such as protection against the annoyance of email spam and the protection of location data for mobile phone users.

On the controversial question of retention of traffic data for law enforcement purposes by service providers, the text finally adopted is in effect very little different from the old one and, as regards safeguards, actually brings out more clearly that the European Convention on Human Rights and relevant case law must be respected.

  • Susan Binns is a director in DG Internal Market, in charge of the functioning and impact of the internal market, general affairs and coordination.

She was one of the architects of the Safe Harbor agreement that helped avert a trade dispute with the US by warding off wholesale bans on data flows between the EU and US.

Question and answer session with Susan Binns, the European Commission's leading policy advisor on data privacy.
