This is the second in a series of posts that examine the principles governing the transfer of data across borders between the European Union and the United States, and the effect that the USA PATRIOT Act has on businesses, citizens and governments outside the United States. Although this is a U.S.-oriented site and I am a British citizen, the issues I surface here affect all readers, whether living and working inside or outside the United States.

Why were the Safe Harbor principles created in the first place? To maintain trade between Europe and the United States, with Europe fully aware of how lax the data privacy efforts of the U.S.’s biggest companies were.
Why Europe needed Safe Harbor principles
The vast majority of people using services on the web (be it web-based email like Hotmail or Yahoo!, social networks like Facebook and Twitter, or anything as minute as a website requiring registration) tend not to think about where their personal data, such as photos and email, is stored.
On the whole, these services are designed to save us time and energy, and we have come to want the offerings of these services on-demand, without thinking too much about privacy. We expect our respective governments, wherever we are in the world, to protect us to a level where we can act and communicate freely.
However, an inequality in legal protection between the United States and the European Union could have massive consequences for users of ‘the cloud’.
Data protection legislation differs greatly between the European Union and the United States. With a vast number of organisations branching out to worldwide offices during the dot-com boom, it was clear to legislators that data transfer and protection laws needed a global overhaul. A particular area of focus for data legislation was the European Union, with dozens of countries sharing elements of the same law.

Member states of the European Economic Area (EEA), a community of European countries, acknowledge the “four freedoms” of data protection. This allows the free movement of goods and citizens across European borders and lets data take advantage of these same privileges.
The EU ratified the “Data Protection Directive” in 1995, which mandated that all current and future EEA member states incorporate agreed-by-consensus rules into their own respective laws by the end of 1998. In the United Kingdom, for example, the Data Protection Act 1984 already existed but was amended to accommodate the new provisions of the EU directive. The renewed law became the present incarnation of the Data Protection Act 1998.
The core principles of the directive took into account data usage transparency and the legitimate use of data, seeking to ensure that only the required personal data was collected by companies. But these principles also allow data to be processed only if a series of conditions are met to ensure the data is stored securely and safely, and if the person whom the data belongs to or relates to accepts that these terms are met.




