

EU Data Protection Could Clamp Data Flows

Pointing to this Financial Times article, an unnamed reader excerpts: "'The wide-ranging directive aims to protect data about EU citizens against misuse worldwide. It is backed by the power to cut off data flows to countries that the EU judges not to have adequate data protection rules and enforcement.'"

20 of 174 comments

  1. The USA is already doing this by Tor · · Score: 5

    USA already has extraterritorial laws of this nature. For instance, one law enacted circa 1997 says that any US citizen has the right to sue anyone from anywhere that does business with a Cuban entity (specifically, a Cuban entity which uses native Cuban resources that the US citizen considers his or hers). Not only that, but the lawsuit would take place in a US court.

    Another one is the US law which prohibits trade with nations that the US considers to have "inadequate" copyright protections.

    This legislation by the EU has been mentioned in Slashdot earlier, before it was temporarily shelved due to US pressure. The status quo is that US organizations like Microsoft can easily build up a vast array of information on citizens in, say, Germany, whereas German companies are prohibited from doing the same due to privacy protection laws. Hence, this law which applies the same standard to everyone who does "business" with Germans.

  2. Eh? by mindstrm · · Score: 3

    No.. I don't think so. Here's why.

    This is really about consumer protection. The EU is saying that, if your country can't guarantee the same standards of consumer privacy protection, then we are not going to permit our local businesses to export data to you.

    This is GOOD. This is GOOD for the EU citizen.

  3. Re:We need some international treaties by mpe · · Score: 3

    I can't see how it over-reaches territory, if you deal with a foreign country then you must abide by their domestic laws, this has always been the case.

    It isn't over-reaching at all. A government is perfectly entitled to restrict how anything may be exported.
    The only way in which it would be over-reaching would be to attempt to apply it to situations of an EU citizen who was not present in an EU member state at the time.

  4. What about Canada? by Dwonis · · Score: 3
    Let's say Canada gets satisfactory data protection laws. Since most of Canada's packets go through the US, will we be cut off too?

    Also, aren't the links privately-owned?

    I support legislation against various network DoS attacks (including spam), but this is ridiculous.
    ------
    I'm an assembly guru ... What's a stack?

  5. Data Protection Legislation by The+Trinidad+Kid · · Score: 4

    First up, I have registered a number of organisations under the UK data protection act, work for a major UK bank, and am a politician manque so I know what I'm talking about.

    The data protection regulations affect:
    (1) the storing of information about an individual in an electronic format which can be accessed via indexes.
    (2) the storing of information about an individual in non-electronic format but with electronic indexes by which it can be searched and collated.

    Data Protection regulations require an individual to give informed consent for any use of data that they provide. The customer relationship is protected (i.e. any organisation can legitimately keep data collected by them about their clients).

    This is a good thing, it protects the customer's data - in databases. It does not affect data packets in transfer, or other non-indexed/databased information.

    However if I take data from a customer and that customer indicates to me that I may make that information available to other bodies I can only pass that information over to those bodies under the condition that they respect the customer's wishes. To this extent Data Protection legislation is viral like open source licenses. I, the customer, make my information available to you for you to do certain things with. If I permit you to distribute it, you may do so provided that my wishes are respected.

    The US is not regarded by the EU as having appropriate Data Protection regulations (we think your money laundering regulations are weak as well).

    --
    http://scottish.politicaldiscussion.org
  6. We need some international treaties by cperciva · · Score: 3

    We need some international treaties -- like those regarding Antarctica and the moon -- which tell nation-states to keep their hands off the internet. Legislators don't understand the internet, so the only way intelligent regulations are going to be put in place is when they come from the internet community (eg, IESG).

    1. Re:We need some international treaties by YKnot · · Score: 4

      The directive isn't primarily aimed at the internet. It's about what companies are allowed to do with information on the net as well as outside of it. The main aspect is data gathered by financial institutions. That's mostly a non-internet thing.
      Europe has a different, more restrictive view on protection of person-related information. Companies are trying to evade the restrictions by moving data across the border and having it processed by non-european companies. The regulation tries to stop this malpractice.
      The EU has been accused of trying to impose laws beyond its frontiers. The regulation does not tell non-EU companies how they may handle data. It tells EU companies how they must not use data and forbids exporting that data to circumvent the law. This is not even close to the US pushing the DMCA beyond US territory.

    2. Re:We need some international treaties by Aztech · · Score: 3

      I can't see how it over-reaches territory, if you deal with a foreign country then you must abide by their domestic laws, this has always been the case. As a US company, if you try and sell a product into the UK and it doesn't meet their safety requirements or whatever, it will be deemed illegal, despite the fact it may be legal under US law. This isn't imposing law on another country since you can still sell the (potentially) unsafe product to your US citizens legally.

      Remember this only affects data concerning EU citizens, if you're an EU company then you cannot sell data on EU citizens to countries that have questionable data practices, if you're a US company dealing with EU people then you must do the same, obviously a US company can do whatever it likes with data on US citizens.

      This does in fact make some sense, if they didn't put restrictions on foreign countries then EU companies would just move their customer databases abroad and then do whatever they like with it, and because the country is outside EU law, citizens would have no legal control of their data, this would just undermine the whole purpose of the law.

      If you've ever seen the "UK-Info" CD, which lets you find out in depth data about households by aggregating data from the British land registry, Ordnance Survey, electoral roll, Companies House records, ACORN demographics, phone listings etc, they move this data to the Cayman Isles then process and cross reference it and sell it on a CD to the UK. If the CD was cross referenced in the UK it would break a number of data protection laws. Because the information can flow abroad then be sold back to the UK in an aggregated form, it's not illegal, which makes a mockery of the law, so they're trying to ensure citizens have rights on their data if it's passed abroad (and choose if it even goes abroad).

      The requirements are for companies dealing with EU citizens not just companies within the EU.

      I can't see any law solving this issue easily, there are too many loopholes to deal with. As with the UK Info disc, lots of disparate forms of innocuous information are obtained which in themselves aren't a problem, it's when they're cross-referenced and interlinked it becomes an issue, I can't see how the EU can stop foreign countries processing this information.

      Enshrining privacy in the law is an honourable pursuit, but ultimately frivolous, if they don't get industry backing it will never work since companies will just hire lawyers to exploit any tiny loophole in the law. Therefore how do we get companies to respect our data? What is commercial incentive for a company to do so?

  7. "Cutting off" is incorrect by Animats · · Score: 5
    That's just alarmist. All the EU Data Protection Directive affects is privacy of personal data, data that has somebody's name, address, etc. attached. If you collect such data within the EU, you can't use it in ways the owner of the data (by law, the person mentioned) didn't specifically approve. To make this enforceable, the EU prohibits getting around the EU rules by sending such data to areas with weaker rules, unless there's an enforceable agreement in place to protect the data while it's outside the EU. The EU has had rules in this area since 1981, and the current rules date from 1995. So this is old stuff in the EU. US complaints are mostly whining by the Direct Marketing Association. Even the DMA, though, points out that companies which actually comply with the DMA's own "principles" don't have real problems. What scares them is that the EU Directive has enforcement power behind it. If a company misuses your personal data, it might be denied the right to maintain files of personal data at all.

    Basically, it put a lid on most slimy marketing practices that misuse personal data. Too many US companies are used to getting away with this, and much of the direct mail industry depends on it.

    But it has zero effect on open source or anything like that.

  8. Protecting my rights! by lga · · Score: 3

    I think some people here are misunderstanding the Data Protection laws. No one said anything about cutting off all net access to other countries. The law prevents the transfer of Personal Details and customer specific data, eg databases containing details of what I bought. No other data is affected, so there won't be any severing of internet connections. If a company does transfer customer data to a country with less protection then it will be liable for prosecution.

    I think this is a good thing. The EU Data Protection laws are there to prevent misuse of personal data. An example: If I were to buy a book from a multinational company in the UK then I would have to give them my address for delivery. At the same time, I would check the box marked "Please tick this box if you do not want to receive special offers from carefully selected companies" which would prevent my address and phone number being sold to another company that wants to sell me bookshelves to go with my new book. And who wants to receive that phone call?

    In order to get around the EU law requiring that they honour my request and don't sell my data, the company could send my data to its US arm and from there sell the data back to a telemarketing company, which could then plague me with phone calls about bookshelves. By making the export illegal the company cannot do this.

    I hope that all makes sense.

    Steve.
  9. 'bout time the EU do this... by nz_mincemeat · · Score: 4

    Draconian at first glance, but it is indeed the best way to safeguard EU citizens' privacy (at least against entities outside the EU nations). Similar to the "ultimate form of security" - disconnecting the computer and burying it under meters of concrete (in terms of concept, effectiveness and amount of inconvenience caused.)

    As for the U.S. diplomatic feathers being ruffled - it's about time somebody/something stood up to their schoolyard-bully style of foreign policy.

    First the Kyoto accords, then the Spy Plane "accident"... all within three months!

  10. Notes from someone affected by glassware · · Score: 3
    My legal department representative walked into my room the other day and announced, "I need you to work on the EU Data Directive." There's surprisingly little information to use.

    So far, the explanations I have received from our vendors and our partners are unsatisfactory. People aren't really aware of the data directive; and those who are aware, refer to a clause called "Safe Harbor" that protects businesses that work on non-EU data but whose websites operate in the EU.

    The most cogent explanation I have received so far is that the EU Data Directive acts as a "poison pill," attaching itself to any data that comes from the EU. If a website collects data on users from the EU, that data can never leave the EU - the exception being "safe harbor" companies who do not really have a presence in the EU. I haven't yet received a satisfactory explanation about how a website that operates in the EU and collects data about American users is affected.

    Perhaps I should pose a business question: How can a website effectively mix US and EU data in a database? It sounds like we are in the land of do-as-you-please for US data, but anything from the EU cannot be shared, sold, or transferred to partners.

  11. EU has it right. by 7-Vodka · · Score: 3
    I really admire the EU informational privacy laws. They have finally got something right.

    For those of you unfamiliar with the laws there, they basically state that to do ANYTHING with someone's personal information you have to have a valid reason and the person's permission.

    This applies to information already collected before the passing of the laws.
    It affects everything. Eg. a teacher can no longer just post students' grades.
    Also, if you're collecting data, you have to have a valid reason and are under no circumstances allowed to share personal information gathered with other companies without the express permission of the individual.

    This puts the advantage right back into the individual's side of the deal. And so it should.

    "just connect this to..."
    BZZT.

    --

    Liberty.

    1. Re:EU has it right. by vidarh · · Score: 3
      Yes you may have a choice in the first step. But without the privacy laws that the EU, and most non-EU European states, have you have no control over what happens to that information once you've given it away.

      What if you give your data to your bank because you're applying for a loan? Should the bank be free to sell that data without letting you know, or asking for your approval?

      That is what the EU privacy laws prevent. A company can't collect personal data, whether they are giving a good, trustworthy, valid reason or not, and give or sell or do anything with it, unless they've received your consent for that specific use.

      There are so many valid recipients of personal data out there, that keeping your data to yourself isn't an option for most people.

  12. Because lord knows... by HongPong · · Score: 3
    ...If people have different laws than us, they must be embargoed!

    Oh yeah, that's what the US [did|does|tried to do] to Cuba.


  13. A few facts about EU privacy regulations by mvdwege · · Score: 3

    Ok,

    I see a lot of posts which completely misconstrue the point of the EU Personal Data regulations. Whether this is simple ignorance, or fostered by US corporate propaganda I don't know, but I will try to set things straight a little, from my own experience with the Dutch version of these regulations, the Wet Bescherming Persoonsgegevens, or Personal Data Protection Act (I work for a bank, so I am supposed to know this).

    First of all, it is perfectly legal for a corporation to build up a customer database and use it for marketing purposes. How long it is allowed to keep this database seems to be open to local regulations, but it is legal.

    However, the sting is in what a corp is allowed to do with the gathered data. In effect, the data can only be used inside the corporation itself. It is strictly forbidden to share this with any third parties without the explicit written permission of the customer. In the Netherlands this is enforced pretty strongly, at my work we're not even allowed to give out info to colleagues from another subsidiary.

    This is where the EU and the US differ: in the US it is accepted practice to sell customer data to third parties, and we've all seen the horror stories on Slashdot about the consequences of this (spam, among others). The EU is merely hardening its stance (and we've been negotiating for the last few years) vs the US and saying, unless you guarantee the integrity of our citizens' data by law, we will allow no one to export this data to you unless this integrity is protected by contract.

    So for the record, this whole discussion is old news (but still interesting), and has nothing to do with the routing of internet packets, as I've seen some people suggest.

    Mart
    --
    "I know I will be modded down for this": where's the option '-1, Asking for it'?
  14. Re:Voluntary dissemination by vidarh · · Score: 3
    I'm not a lawyer, but my company has been looking extensively into this, and I believe the following should reflect current EU law reasonably well:

    Sites not situated in the EU, or that have a substantial presence outside the EU and process, and perhaps also collect, the data outside the EU (an EU citizen accessing their EU-based company's website run and operated in the US, for instance), will not be directly affected.

    Further, private citizens sending their information out of the EU can continue doing so.

    Companies sending private EU citizens' information out of the EU to a company voluntarily complying with the EU's "safe harbor" rules (applies for the US and other countries with crappy privacy protections), or that have adequate privacy laws (applies for instance to Norway, which has always had strict privacy laws, and has harmonized its laws with the EU's as a member of the European Economic Area) are still allowed to do so without any more restrictions than what they are bound with for use within the EU.

    I also believe that companies that do give customers a real choice to opt in or out of transmission of their data abroad to a non-safe harbor complying company, and inform their customers of the consequences of letting their data be transmitted can do so. I haven't verified that, however, so if you plan on doing so and you're in the EU, check with your lawyer, and don't blame me.

    The whole point of the law is to require the companies to get consent and force them to provide information on where they got the personal information about someone, if that can be reasonably achieved (and it can if they have bought the data), and what they plan to do with it.

    And to ensure that the consumer can require the data to be corrected in the case of mistakes, or deleted provided it is legal for the company to do so and there's no contractual obligation on the person the data is about to let them maintain it.

    ObDisclaimer: Don't do this at home. Check with your lawyer if you're a company that plans on exporting personal data from the EU. Not doing so can jeopardize the company's financial health, and possibly result in a prison sentence for you.

  15. Re:Directed POINTEDLY at the US by vidarh · · Score: 3
    First of all it has nothing to do with IP packets, but with restriction of transfer (whether over the internet, on paper or however you want to transfer it) of personal data. If you do it, and get caught, you risk heavy fines and jail time.

    Second, the reason it is directed at the US in particular is that the US has virtually no privacy protection whatsoever, and is one of the worst countries in the world when it comes to privacy protection. Coincidentally it is also one of the EU's most important trade partners, and therefore the EU's privacy laws would be more or less worthless without making sure that personal data isn't transported to the US without binding contracts to ensure the US recipient of personal data doesn't abuse it.

  16. Data embargo? by Spy+Hunter · · Score: 3
    It is backed by the power to cut off data flows to countries that the EU judges not to have adequate data protection rules and enforcement.

    If that's a threat, we truly have a global information economy. Think how silly that would have sounded ten years ago.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  17. it's about time... by janpod66 · · Score: 3
    The US has been trying to dictate US-style business practices for a long time. In many areas that is actually good, but when it comes to privacy, US laws and practices are unacceptably poor. Rampant identity theft and theft of large numbers of credit card numbers and other customer information (kept around by web sites long after an order has been fulfilled) in the US are examples of that. It is good that Europe is putting its foot down on this matter.

    And Europe certainly has the clout and experience to do so. B2C E-commerce has existed in Europe about a decade longer than in the US, and Europe itself is a multicultural economy comparable in size to the US and with a significantly larger population.