[Infowarrior] - U.S. and EU near deal on sharing data

[Richard Forno]

  U.S. and EU near deal on sharing data
By Charlie Savage
Saturday, June 28, 2008


http://www.iht.com/bin/printfriendly.php?id=14055407

WASHINGTON: The United States and the European Union are nearing  
completion of an agreement that would allow law enforcement and  
security agencies to obtain private information - including credit  
card transactions, travel histories and Internet browsing habits -  
about people on the other side of the Atlantic Ocean.

Seeking to improve information-sharing to fight crime and terrorism,  
government officials have been meeting since February 2007 to reach a  
pact. Europe generally has more-stringent laws restricting how  
governments and businesses can collect and transfer personal data,  
which have led to high-profile disputes over American demands for such  
information.

Negotiators have largely agreed on draft language for 12 major issues  
that are central to a "binding international agreement" making clear  
that it is lawful for European governments and companies to transfer  
personal information to the United States, and vice-versa, according  
to an internal report obtained by The New York Times.

But the two sides are still at odds on several other matters,  
including whether European citizens should be able to sue the United  
States government over its handling of their personal data, the report  
said.

The talks grew out of two conflicts over information-sharing after the  
September 2001 terrorist attacks. The U.S. government demanded access  
to customer data held by airlines and a consortium, known as Swift,  
that tracks global bank transfers.

American investigators wanted the data to look for suspicious  
activity. But several European countries objected, citing violations  
of their privacy laws. Each dispute frayed diplomatic relations and  
required difficult negotiations to resolve.

American and European Union officials are trying to head off future  
confrontations "by finding common ground on privacy and by agreeing  
not to impose conflicting obligations on private companies," said  
Stewart Baker, the assistant secretary for policy at the Department of  
Homeland Security, who is involved in the talks. "Globalization means  
that more and more companies are going to get caught between U.S. and  
European law."

Paul Schwartz, a law professor at the University of California,  
Berkeley, said such a blanket agreement could transform international  
privacy law by eliminating a problem that has led to negotiations of  
"staggering" complexity between Europe and the United States.

"The reason it's a big deal is that it is going to lower the whole  
transaction cost for the U.S. government to get information from  
Europe," Schwartz said. "Most of the negotiations will already be  
completed. They will just be able to say, 'Look, we provide adequate  
protection, so you're required to turn it over."'

But the prospect that the agreement might lower barriers to sending  
personal information to the U.S. government has alarmed privacy-rights  
advocates in Europe.

While some praised the principles laid out in the draft text, they  
warned that it was difficult to tell whether the agreement would allow  
broad exceptions to such limits.

For example, the two sides have agreed that information that reveals  
race, religion, political opinion, health or "sexual life" may not be  
used by a government "unless domestic law provides appropriate  
safeguards."

But the agreement does not spell out what would be considered an  
appropriate safeguard, suggesting that each government may decide for  
itself whether it is complying with the rule.

"I am very worried that once this will be adopted, it will serve as a  
pretext to freely share our personal data with anyone, so I want it to  
be very clear about exactly what it means and how it will work," said  
Sophia in 't Veld, a member of the European Parliament from the  
Netherlands who is an outspoken advocate of privacy rights.

The Bush administration and the European Commission, the EU's  
executive body, have not publicized the talks. But in a little-noticed  
paragraph deep in a joint statement following a summit meeting between  
President George W. Bush and European leaders in Slovenia this month,  
the leaders hailed their progress.

Issued June 10, the statement declared that "the fight against  
transnational crime and terrorism requires the ability to share  
personal data for law enforcement," and it called for the creation of  
a "binding international agreement" to facilitate such transfers while  
also ensuring that citizens' privacy is "fully" protected.

The negotiators are trying to reach accord on minimum standards for  
the protection of privacy rights, like limiting access to the  
information to "authorized individuals with an identified purpose" for  
looking at it. If a government's policies are "effective" in meeting  
all the standards, any transfer of personal data to that government  
would be presumed lawful.

For example, European law sets up independent government agencies to  
police whether personal data is being used lawfully and to help  
citizens who are concerned about any invasions of their privacy. The  
United States has no such independent agency. But in a concession, the  
Europeans have agreed that the American government's internal  
oversight system may be good enough to provide accountability for how  
Europeans' data are being used.

About half a dozen issues remain unresolved, the report said. One  
sticking point is what rights European citizens would have if the U.S.  
government violates data privacy rules or takes an adverse action  
against them - like denying them entry into the country or placing  
them on a no-flight list-based on incorrect personal information.

European law generally allows those who think the government has  
mishandled their personal information to file a lawsuit to seek  
damages and to get the data corrected or expunged. American citizens  
and permanent residents can also generally file similar lawsuits under  
the Privacy Act of 1974, but that statute does not extend to foreigners.

The Bush administration is trying to persuade the Europeans that other  
options for correcting problems - including asking an agency to  
correct any misinformation through administrative procedures - are  
satisfactory. For now, the EU is holding to the position that its  
citizens "require the ability to bring suit in U.S. courts  
specifically under the Privacy Act for an agreement to be reached on  
redress," the report said.

But the Bush administration does not want to make such a concession,  
in part because it would require new legislation. The administration  
does not want to have to request congressional approval of the final  
agreement, several officials said.

David Sobel, a senior counsel with the Electronic Frontier Foundation,  
a nonprofit organization dedicated to data-privacy rights, predicted  
that it would be difficult to persuade the Europeans to drop their  
demand. He said that the administration's depiction of the process of  
correcting mishandled data through agency procedures sounded "very  
rosy," but the reality is that it is often impossible, even for  
American citizens, to win such a fight.

Officials said it remained unclear when the agreement could be  
completed. But there are several pressures encouraging negotiators to  
sprint to a finish. Bush administration officials would like to  
resolve the problem before they leave office next January.

And European Commission officials who support the agreement may have  
an easier time getting it approved now, legal analysts said, before  
Europe completes internal reforms that would give the European  
Parliament - which has been skeptical about security measures that  
could infringe on civil liberties - greater authority to block it.

In addition, businesses that operate on both sides of the Atlantic are  
pushing to eliminate the prospect of getting caught between  
conflicting legal obligations.

"This will require compromise," said Peter Fleischer, the global  
privacy counsel for Google. "It will require people to agree on a  
framework that balances two conflicting issues - privacy and security.

"But the need to develop that kind of framework is becoming more  
important as more data moves onto the Internet and circles across the  
global architecture."