U.S., EU agree on data protection framework
- By Wyatt Kash
- Dec 17, 2008
Efforts to improve data protection and data sharing practices between the United States and the European Union took a significant step forward with the declaration of a new set of common principles late last week.
The French EU Presidency, the European Commission, and the U.S. Homeland Security, Justice and State departments agreed to a Statement on Information Sharing and Privacy and Personal Data Protection at a meeting in Washington. The statement marks new progress on a set of principles intended to advance data privacy and data sharing in law enforcement circles.
“The U.S. and the European Union have long been seeking common ground on data protection and data sharing principles,” said Stewart Baker, DHS’ assistant secretary for policy in a posting on the department’s “Leadership Journal” blog.
Baker said U.S. officials proposed the discussions after divisive negotiations over airline reservation data eventually resulted in an agreement on the handling of Passenger Name Record (PNR) data between the United States and the EU.
A central component of the PNR agreement was a set of data protection principles that shield private companies and other countries from punishment for cooperating with antiterrorism data-gathering measures.
The new agreement builds on those principles, although discussions are continuing. Negotiators still must fully resolve ways to protect those who cooperate in data-gathering measures. And they are still hammering out issues of redress (how to handle individuals’ complaints about how their data was treated) and reciprocity (making sure that the United States and EU do not demand higher data protection standards from others than they demand of themselves and their member states), Baker said.
Data security experts generally praised the agreement. “This agreement focuses on data that law enforcement can access,” said Alan Paller, director of research at the SANS Institute, and as such, it solves one major problem. But it still doesn’t fully address the conflicts in data privacy rules that affect commercial and other or non-law enforcement organizations, he added.
“Though not complete, the agreement in principle helps all organizations and citizens whose activities span both regions from getting caught up in inconsistent enforcement,” said Michael Daconta, chief technology officer at Accelerated Information Management and former metadata program manager at DHS. “Data privacy, like most enterprise concepts, is not really unique between governments,” but it is “extremely encouraging to see our governments driving toward consensus by first finding common ground.”
Wyatt Kash served as chief editor of GCN (October 2004 to August 2010) and also of Defense Systems (January 2009 to August 2010). He currently serves as Content Director and Editor at Large of 1105 Media.