Will EU Sanction Transatlantic File Transfers?Companies and governments are beginning to pay more attention to the European Union directive on data protection, which takes effect in the fall.
A key focus of concern is Article 25, which allows the transfer of personal information from EU member countries only to other countries that can ensure an adequate level of protection for that information.
Will companies be able to transfer their files to the United States after Oct. 24? No one is quite sure right now. It seems unlikely that there will be a general prohibition on the flow of data to the United States. Still, some transfers could be prohibited.
The directive is not as sweeping as some have suggested. It already includes exceptions likely to cover most basic international financial transactions. Credit-card bills and airline reservations will continue to flow across international borders.
How will the EU determine adequacy for other data transfers? The directive expressly states that adequacy will be assessed in light of all of the circumstances surrounding a data-transfer operation.
Consideration will be given to the nature of the data, the purpose and duration of the proposed data-processing activity, the rules of law in force in the country to which the data will be transferred and that country's professional rules and security measures.
A recent EU paper raises the possibility of creating a so-called white list of countries that have adequate levels of protection. Because of the absence of omnibus privacy laws in many countries -- including the United States -- the EU paper notes the difficulty in making countrywide determinations.
However, a particular <I>sector<I> might be suitable for inclusion on the white list if it can show a proper level of protection and effective enforcement.
Who in the United States might qualify for inclusion on an EU sectoral privacy white list? One sector here that probably complies with just about all EU privacy principles is the U.S. government. The way the EU treats the United States under the directive will offer an interesting example of how others may be treated.
The Privacy Act of 1974 law established a code of fair information practices for most federal agency records containing personal information about individuals. In fact, the act was the first statutory implementation of fair information practices.
Subsequently, fair information practices became the key concept underlying all international privacy activities. The Organization for Economic Cooperation and Development used fair information practices as the cornerstone for its 1980 privacy guidelines. European national data-protection laws and the EU directive are based on the same basic principles.
A review of the Privacy Act of 1974 finds all necessary elements. The principles of transparency and finality are represented, as are requirements for access, security, data quality and limits on data collection.
The act also provides remedies, including civil and criminal penalties. Despite its age and some significant shortcomings, the act remains a complete and competent code of fair information practices.
If the U.S. government were found to offer an adequate level of protection, it would not be insignificant. Personal information from government agencies routinely flows back and forth across national borders. Governments cooperate on immigration, law enforcement and public health matters all the time, and personal records are shared.
In addition, the federal government has civilian and military personnel and their families all over the world, and personal information flow is essential to the movement of these people.
Will it be easy for the government to meet the EU requirements? Not necessarily. There is at least one major fly in the ointment. The Privacy Act of 1974 only grants rights to American citizens and aliens admitted to the United States for permanent residence.
Foreign nationals have no express rights under the Privacy Act. Thus, for example, they cannot make requests for access to or correction of their records maintained by federal agencies.
However, the government could argue that access rights are available under the Freedom of Information Act so that foreign nationals are not foreclosed from seeing their records. If pressed, the government could extend correction rights to foreigners by executive order or could seek amendment of the Privacy Act.
The EU's response could be a good indication of how strict compliance with fair information practices must be. The United States has a much better case than most other sectors. If the EU deems our government to be adequate despite a few defects, then this conclusion may offer a signal about the degree of flexibility in making decisions under the directive.
Surprisingly, I have found no evidence that the issue has even been discussed. It is not clear whether anyone in the federal government has considered that the EU directive might affect federal transfers of personal data.
U.S. representatives have been so busy insisting that we don't have to do anything to meet the EU standards that they have ignored one area where this argument is correct.
Perhaps it is time for the United States and the EU to reach agreement on a data-protection issue. It would nice to begin with something that could easily yield a result that would benefit both sides and solve the first of many joint data-protection problems.
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House of Representatives subcommittee on information, justice, transportation and agriculture.