In Washington for a U.S. government-organised conference on data protection from 16-18 November, European Data Protection Supervisor Peter Hustinx gave a mixed assessment of the United States administration’s attitude on data protection. Noting a «change in climate,» he praised the US Federal Trade Commission (FTC) for becoming more rigorous in enforcing the 2000 EU-US Safe Harbour Agreement. That accord allows companies to transfer data from the EU to US and be in compliance with EU law provided they go through an FTC-run self-certification process. Hustinx, speaking with journalists after the conference, noted that the FTC had recently taken action for the first time against six companies that deceptively claimed they were currently self-certified.

He was less confident, however, when asked about the US Department of Homeland Security (DHS)’s approach. «There has been no major initiative yet,» he said. Secretary Janet Napolitano has shown a «difference of style» from the previous administration but «has really not softened up on requirements,» Hustinx said, referring to a recent keynote speech she gave in Madrid. Asked about Napolitano intensifying efforts to force individual EU member states to sign data sharing accords with the DHS as a precondition to them being on the US Visa Waiver Programme, he voiced concern this was «a prolongation of the old approach of getting as much as possible.» It also cast doubt on whether the future EU-US law enforcement data sharing agreement would be the central legal framework or «just a back-up if something else does not work.»

At the 28 October EU-US justice and home affairs ministerial, it was agreed to negotiate such a treaty, building on common data protection principles adopted the same day. «I encourage them not to rush in to a deal,» said Hustinx. He flagged up potential stumbling blocks, namely that US law does not give Europeans the right to legal redress should data be erroneously recorded or transferred. While the accord’s focus is government-to-government data exchanges, he warned that some of the data could originate from non-government sources.

PARLIAMENT GAINS NEW POWERS

Commenting on ongoing EU-US talks for a separate agreement to allow the US Treasury continued access to bank transaction data held by the Belgium-based SWIFT company, Hustinx said «I have my doubts as to the legitimacy of the whole arrangement» and to its necessity. If the Swedish EU Presidency does not conclude this accord by 1 December when the Lisbon Treaty enters into force, the situation changes, with the European Parliament gaining the power to veto it. Similarly, a question mark hangs over the 2007 EU-US Passenger Name Record Agreement, which requires airlines to transmit passenger data to the DHS, because it has not been fully ratified yet. MEPs may insist that it too be re-negotiated, with Parliament fully involved this time round.