Interesting People mailing list archives

U.S. and EU Agree on Data Protection Principles


From: David Farber <dave () farber net>
Date: Mon, 15 Dec 2008 06:40:00 -0500



Begin forwarded message:

From: "Stewart Baker" <stewart.baker () gmail com>
Date: December 14, 2008 9:51:58 PM EST
To: "David Farber" <dave () farber net>, "David Farber" <farber () cis upenn edu>
Subject: U.S. and EU Agree on Data Protection Principles

From DHS leadership blog:  http://www.dhs.gov/journal/leadership/

Data protection and data sharing took a big step forward yesterday at
the U.S.-EU Justice and Home Affairs Ministerial meeting in
Washington. The French EU Presidency, the European Commission, and the
U.S. Departments of Homeland Security, Justice, and State agreed to a
Statement on Information Sharing and Privacy and Personal Data
Protection and recorded progress on a set of principles that will
advance both data privacy and data sharing in a law enforcement
context. http://www.dhs.gov/xlibrary/assets/usa_statement_data_privacy_protection_eu_12122008.pdf

The U.S. and the European Union have long been seeking common ground
on data protection and data sharing principles. The U.S. proposed the
discussion after divisive negotiations over airline reservation data
("PNR") finally resulted in an agreement between the U.S. and the EU.
The PNR agreement did two things: on the one hand, the U.S. set forth
data protection rules for PNR, and on the other hand the EU agreed to
approve the sharing of PNR with the U.S., thus protecting from penalty
airlines and third countries that cooperate with U.S. antiterrorism
measures by providing such data.

Noting that U.S. and EU standards for law enforcement data protection
were in fact quite similar, the U.S. proposed a broader set of talks,
with a view to reaching a broader agreement with the same basic
structure as the PNR arrangement: (1) an agreed set of data protection
principles and (2) protections so that private companies and third
countries are not punished for cooperating with antiterrorism data
gathering measures. A High Level Contact Group was formed to explore
this possibility.

The talks began to bear fruit this year. In May, the two sides
disclosed that they had reached substantial agreement on twelve data
protection principles that both EU and U.S. law enforcement agencies
observe.

More progress was made, as the parties took up the remaining job of
reaching agreement on ways to protect those who cooperate in data
gathering measures. The parties accepted an experts' report that
disclosed broad agreement on matters such as private entities'
obligations, preventing undue impact on third countries, and
procedures for resolving questions arising under the principles. For
example, the third country provision states that "when the European
Union or the United States has international agreements or
arrangements for information sharing with third countries, each should
use their best endeavors to avoid putting those third countries in a
difficult position because of differences relating to data privacy."
These principles demonstrate both sides' willingness to avoid
penalizing private entities and third countries because of possible
U.S.-EU differences over data protection.

More negotiations lie ahead, of course. In particular, the parties
noted that they have not reached agreement on redress (how to handle
individuals' complaints about how their data was treated) and
reciprocity (making sure that the U.S. and EU do not demand higher
data protection standards from others than they demand of themselves
and their member states).

But, while negotiations are in progress toward a binding agreement
that will mutually recognize both privacy regimes, the U.S. and the EU
are already providing some comfort to those whose data is collected
and to those who help to collect or share such data. Along with the
principles, the parties issued a statement promising that, while
negotiations continue, the U.S. and EU will "use best endeavours to
refrain from activities which undermine these principles." This
statement means that the U.S. and EU will discourage deviations from
the agreed law enforcement data protection provisions, which should
reassure those whose data is collected for law enforcement purposes.
At the same time, the parties' undertaking should encourage law
enforcement agencies, private entities, and other countries to provide
data without fear of being drawn into conflicting demands by U.S. and
EU data protection regulators.



