US firms fight Euro data protection laws

Companies such as IBM, Oracle and VeriSign are asking for EU laws on data protection to be relaxed, to aid global business

A group of American companies is attempting this week to persuade the European Union to relax its rules governing data protection, claiming they are bad for business.

The 10 companies, who dub themselves the Global Privacy Alliance (GPA) and whose members include IBM, Oracle and VeriSign, believe that the EU has put too much emphasis on the protection of individuals' privacy, and not enough on ensuring the free flow of information between companies.

The GPA wants several significant changes to be made to EU privacy laws -- the simplification of the cross-border flow of data, possibly through industry self-regulation rather than legislation; the harmonisation of EU privacy regulation between member states; the relaxation of restrictions on data sharing between affiliate companies, and the exclusion of 'business contact data' from such laws.

"To further the goal of protecting privacy without undue burden and cost, the GPA believes that the Directive and the member state implementations need to be simplified and member state national laws made more consistent with each other. The GPA also believes that a simpler approach would allow data protection authorities to focus on real threats to privacy," said the Global Privacy Alliance in a submission it made to the European Commission in August.

The Global Privacy Alliance is putting its case at a European Commission data protection conference taking place on 30 September and 1 October 2002.

The EU passed the Data Protection Directive in 1998, and this has subsequently been implemented into national law by all but two -- Ireland and Luxemburg -- of the EU's member states.

As well as regulating the buying and selling of personal data about European citizens and forcing Web sites to tell users when data about them is collected and allow users to refuse disclosure, the Data Protection Directive also restricts the flow of information about Europeans to companies based in countries with -- in the view of the EU -- more lax privacy standards.

The Global Privacy Alliance says that this directive makes it hard for companies to engage in the kind of data flow that they claim is vital for modern e-enabled businesses.

The cross-border flow of data should be simplified, the GPA says, because large companies currently have to arrange "hundreds of different contracts", especially if they have operations in lots of different non-EU countries. According to the GPA, industry codes of conduct would be one better way of handling this.

The Alliance also believes that information related to a person's job should not be covered by data privacy laws.

"Business contact details -- broadly speaking, the information one expects to find on a business card, with perhaps a few additions -- are generally supplied by the data subject with the intention and expectation that these details will be used -- and disclosed -- in the context of the business relationship," claimed the GPA in its submission.

According to the GPA, the EU's privacy laws make it very time-consuming, expensive and burdensome for a US company to store business data on European citizens.

It claims that, depending on the individual member state's requirements, companies can be compelled to notify people that their details are being processed in a database, register such databases with the relevant data protection authorities, and obtain the individual's consent before data is put into the database and shared with third parties.

This process, the GPA says, must be repeated if the database is used in two EU member states that have implemented the EU directive differently.

Who's watching you? Get the latest on spy networks such as Echelon and Carnivore, as well as privacy issues for companies and individuals alike, at ZDNet UK's Privacy News Section.

Have your say instantly, and see what others have said. Go to the ZDNet news forum.

Let the editors know what you think in the Mailroom.