A senior European data privacy official yesterday warned foreign companies, and US companies in particular, that failure to recognize the fundamental right of European Union citizens to personal data privacy is not acceptable.
Elizabeth France, the UK Data Protection Registrar, told attendees of the InfoSecurity Conference, London, that the European Union is determined to guarantee personal data privacy of individuals, and expects all companies to adhere to laws laid out in the EU Data Protection Directive 1998 (DPD) enacted last October. This includes companies from countries outside the EU where similar laws may not exist and where, she warned, the attitude of mind does not protect the data privacy rights of individuals.
France cited the habit of some US companies of hoarding personal data on the grounds that it might be useful at some later date, as an example of an attitude which is not acceptable in the EU.
The EU does not expect other countries to pass similar data privacy laws to those enshrined in the DPD, said France. However, so long as any country does not offer the same levels of data protection as the EU, the terms of the DPD make it illegal to export personal data to such countries, including, at the moment, the US. The EU and the US have been negotiating to come up with a compromise on the ban of data transfer to the US since the introduction of the directive in October.
France said that the EU would be producing a list of countries which do not have to establish individual agreements in order to be recipients of data on EU citizens. The list so far contains countries in the European Economic Area, such as Norway, Iceland and Liechtenstein. For all other countries, the EU is developing model contract clauses which companies will have to sign as a guarantee that they will adhere to the principles of the data directive.
The DPD 1998 requires companies to give details of what will be done with collected data, how it will be processed and who will have access to it. Companies will not be allowed to process data collected without consent from the individual, except in special circumstances, such as if publication does not breach legal obligations, national security, or the interests of the individual.
Enforcement of the directive will be introduced in two stages. By 2001, individuals will have the right to access any and all information held on them, whether it is held electronically or on paper, and to require it to be altered if inaccurate. By then individuals will also be able to take legal action against companies that refuse to release data on demand, and to sue if that information is inaccurate, or has been collected, altered or passed on to third parties without their consent. Data that was manually collected (held on paper) before May 1998 will be exempt from this protection until 2007.
France conceded that for some companies, adhering to the DPD may prove a costly requirement but, she stressed, expense is no defense. It will be up to [companies] to ensure that they implement computer systems which allow the easy recovery of subject information, she said.