---

VNU Net: EC bans passing consumer data to the US

By Steven Mathieson, VNU
Net

The Europeans are coming. As of today, UK businesses cannot
begin passing consumer data to states outside the European Union
(EU) that lack adequate levels of protection without the
individual’s permission.
At the moment this includes the
US.

The regulation, enacted in the UK as part of the 1998 Data
Protection Act, is an EU-wide attempt to provide higher levels of
data protection for its citizens, and is one of several pieces of
IT-related legislation planned by the European Commission (EC), the
EU’s executive body.

Meanwhile, the EC is setting its anti-monopoly dogs on
technology firms. Brussels-based Directorate IV, which plays a
similar anti-trust role to the US Department of Justice and whose
judgements are binding throughout the EU, started a preliminary
investigation into Microsoft’s Windows 2000 operating system two
weeks ago.

And last week, it began a four-month probe into the merger of US
telcos MCI WorldCom and Sprint – which may force the merged company
to sell Sprint’s internet services – and it recently completed
investigations of German mobile operator E-Plus and the Italian
telecoms sector.

Furthermore, as of today, the UK’s more relaxed national system
for investigating unfair business practices becomes more European –
that is, more active.

“The EC is trying to do an awful lot at the same time,” said the
secretary general of parliament/industry liaison group Eurim,
Philip Virgo. “There’s nine directives this year, plus the telecoms
review, plus the investigation of Microsoft. There’s a view that
the EC is trying to do online everything to do with the Single
Market it has failed to do offline.”

Eurim is presenting evidence to a House of Lords select
committee that examines European legislation today. EC directives
are normally enacted automatically by EU national parliaments, and
after scrutiny by select committee in the UK.

In this case, the Data Protection Act satisfies the requirements
of the 1995 Data Protection Directive. As vnunet.com reported
earlier this week, the act makes the use of cookies without active
consent illegal. Cookies are pieces of code placed on web-users’
computers, allowing them to be tracked.

The regulations also stop new transfers of consumer data outside
the European Economic Area – the EU, plus Iceland, Norway and
Liechtenstein – although existing transfers can continue until next
year. (See the Data Protection Registrar website for detailed
information.)

As for transferring consumer data to the US – a common event,
given that many UK ecommerce sites are subsidiaries of US companies
– negotiations between Europe and the US are taking place, but to
date the two sides have not reached agreement. A Home Office
spokesman said the government hopes the talks will reach a
resolution by the end of this month.

Eurim’s Virgo said one problem with the EC and US reaching an
agreement on privacy, is that such legislation exists at the level
of individual US states, rather than the federal government. “The
most draconian legal procedures taken anywhere to date [on privacy]
have been under US state legislation,” he said.

On anti-competitive behaviour, EC Directorate IV’s flurry of
activity is partly a product of the high level of merger activity
in telecoms, according to Robert Bell, head of communications group
and partner at law firm Nabarro Nathanson – but this is not the
whole story.

“For some time, there’s been a real worry in Europe that the
cost of telephony has been very high,” he said. “This has spurred
Directorate IV into a number of enquiries, and also Directorate
XIII [the department that looks at telecoms] into looking at the
pricing of calls.”

Antonio Guterres, the Portuguese prime minister, said this week
that cheaper telecoms will be a clear objective of an EU summit to
be held later this month in Lisbon.

The UK approach to anti-competitive behaviour has, up until now,
been more relaxed than the EC’s, although anything with a
pan-European dimension has been dealt with by the Commission since
the UK joined the Common Market in 1973.

But today sees the Competition Act 1998 come into effect, under
which UK firms can claim injunctions against companies they say are
indulging in unfair behaviour, rather than waiting for a regulator
to investigate. “We’re switching from quite a laid back regime, to
an active one,” said Nabarro’s Bell. “The Competition Act is
modelled on the EC approach of blanket prohibitions of abuses of
dominant positions.” The Office of Fair Trading and the new
Competition Commission will handle UK-based investigations.

Meanwhile, elsewhere in Brussels last week, UK intelligence
expert Duncan Campbell told the European Parliament’s justice
committee that the Anglo-American spy network Echelon – whose
existence was denied until recently – was used to help American
business interests beat European firms.

Echelon uses UK listening stations to tap voice and data
traffic, and the intelligence is shared by other English-speaking
countries including Australia and Canada, rather than the European
Union. Prime Minister Tony Blair denied Campbell’s allegations of
commercial spying.

But it is a good demonstration of split British attitudes
towards Europe: while the UK enacts European data privacy laws and
adopts its approach to anti-competitive behaviour, it still spies
on Europe then shares the data with its ex-colonies.