LONDON–The United States will never be wholly on the white list of countries the EU is developing — that is countries who fully meet the “adequacy” provision of the EU's data protection directive, according to David Smith, assistant registrar at the UK's Data Commissioner's office.
Speaking to a legislative workshop on the UK's new data protection law that went into effect on March 1, Smith said the United States would never adopt legislation governing data transfer. The workshop was part of the International Direct Marketing Fair's seminar program. The show opened on March 14.
Smith noted that negotiations on the so-called “safe harbor” provisions that would allow signatory U.S. companies to continue receiving European data were continuing and he expressed the hope they would soon be concluded.
But he was far less optimistic about reaching agreement quickly than U.S. negotiators have been in recent weeks.
Both Smith and Colin Fricker, the British DMA's legal affairs director, placed more faith in model contracts, which the European Commission is currently considering and in direct contracts between UK firms and their U.S. partners committing the Americans to abiding by UK regulations.
Model contracts, Fricker noted, would exempt signatories from the law's restrictions on data transfer, while direct contracts serve to establish the “adequacy” of protection offered by a US company to data received from the UK.
Smith said the EU's white list would never be a long one. Right now, he said, likely candidates were Poland, Switzerland, Hong Kong, New Zealand and perhaps Hungary. Poland is eager to join the EU and had drafted legislation even stricter than the EU's data protection directive.
Smith stressed the importance of excluding “sensitive information” from data processing and then base marketing campaigns on that information.
“Targeting people with health problems violates the UK's new data protection law,” he said, “and that includes tracking visitors to health-related Web sites.”
Marketers, he added, need explicit consent in order to store sensitive information. One exemption: political parties can process information about voting patterns and voting habits in the UK.
But the definition of sensitive information has limits in the UK, e.g., drawing inferences of racial and religious background from names on lists and marketing to them on that basis would not violate the law.
“We're not going to be silly about this,” he said.