U.S. Data Access Proposal Shows Need for More Protection, EU Official Says
The EU needs tougher data protection if member nations aim to share communications traffic data with U.S. police agencies, European Data Protection Supervisor (EDPS) Peter Hustinx said Fri. His comment followed a May 12 report that the U.S. wants bilateral pacts with EU nations giving it access to Internet and telephone traffic data held under a new EU data retention directive. That talks on this are underway isn’t surprising, given blurring of cross-border physical and data transfer barriers, observers said.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
It’s unclear why discussion of U.S. access to EU data made news. The data retention directive got EC approval in Dec. and member countries are making it national law. In March, U.S. envoys meeting informally with EU officials on freedom, security and justice said they were “considering approaching each member state to ensure that the data collected on the basis of the recently adopted directive on data retention be accessible to them,” an EU Council memo said. The Presidency and the Commission “replied that these data were accessible like other data on the basis of the existing mutual legal assistance agreements (bilateral as well as EU/U.S. agreement).” The EC said it would convene an experts’ meeting on the matter.
The EDPS doesn’t like the directive and wants stronger data protection controls in national laws, Hustinx told us. He feels the debate, whose topics includes the chance of communications traffic data from European citizens finding their way to the U.S. and perhaps other non-EU countries, stresses the need for a data protection law specific to law enforcement and judicial matters.
Data flows and trade are becoming virtually seamless, said John Wolaver, special asst. to the CEO of McManis Monsalve Assoc., which firms on technology and risk. The jurisdictional lines between countries and data transfers are becoming almost non-existent, he said, so the U.S. and EU need specific guidelines on how to collect, protect and retain data. The EU is ahead of the U.S. in setting rules for retaining data needed to fight terrorism and organized crime, Wolaver said.
The EU directive and NSA data storage are spawning a “global storage-area network,” said Anne Renouf, who advises firms on finance and data technology transfer. A new form of jurisdiction is one result, according to Renouf. “Data is jurisdiction,” she said: “The viability of the nation state as a regulatory regime is diminished as data emerges as an independent jurisdiction. The process of data storage, retrieval, and conversion constitutes the development of new jurisdictions on the face of multinational, intergovernmental, international organizations.
“While the NSA data warehousing venture and the EU data retention directive, among others, are stipulated by nation states and their govts., the actual consolidation of data storage produces 7.9 million data jurisdictions, each one and all of whom will grow exponentially in jurisdictional independence,” said Renouf.
Data retention under the EU directive seems to differ from U.S. National Security Agency (NSA) storage, said Axel Spies, who represents the German Competitive Carrier Assn. (VATM). European citizens’ traffic data aren’t transferred automatically to security agencies, but remain with telecom carriers and ISPs, he said. That means the data sets remain under the control of national or state data protection agencies with access to them
The directive has a “relatively narrow definition of the criminal acts for which the data can be used” -- and doesn’t foresee giving police agencies the right to process the data for any purpose, Spies said. EU and national laws set minimum and maximum retention periods, after which traffic data must be scrapped, he said.