Privacy advocates have expressed concern about Brussels' Commissioner Viviane Reding's decision to leave in place the Safe Harbour framework used by some companies to transfer data from Europe to the US. The EC's vice president tabled her draft bill for the overhaul of the EU's 1995 data protection law on Wednesday. However, …
Amerika, Amerika, über alles
While Zink (rhymes with Fink) is in favor of the idea of "harmonisation" of data-handling on both sides of the Atlantic, he does not say who will harmonise with who (or is that whom?).
I suspect that the sort of harmonisation that Zink is in favor of is that the rest of the world will harmonise with 'merkin-land, i.e. we want all your data, we want it now, and it's none of your business what we do with it, you're a terrorist suspect after all.
It really is time for the EU to grow a pair...
I used to wonder why so many people disliked/hated 'merkin-land, my only surprise is why it has taken me so long to realise why.
"Data Protection" == PATRIOT Act ?
I think not.
I haven't ever heard the Patriot Act positioned as anything to do with data protection. It was passed under the guise that it would help protect against terrorist activities by allowing for enhanced monitoring and data sharing abilities. I always assumed that it was clearly not aligned at all with data protection - and not stated to be.
So the self regulating, self auditing Safe Harbor scheme in the US is under question again.
Not the first time that the Patriot Act is being mentioned - just one of many laws that means that off-shore companies are forced to hand over data that, if it was in the EEA, EU or UK, would be protected by the European or British laws.
Having read the draft proposal of what is to come, there really needs to be a properly controlled scheme that is independently assured to provide the ability to verify off-shore resources. With virtualisation/cloud/Catchphrase of the moment - there is even more transfer of data outside of the EEA and without updated laws and controls, we will become a small island once again.
Safe Harbor is a Joke
"With respect to personal data received from the EU, please state that you comply with these principles: ...."
"Thank you. You are now enrolled in the Safe Harbor scheme."
And that's pretty much it. No audit -- no oversight at all. Nothing for customers to inspect. And even though it's that easy there are operations claiming to be on the Safe Harbor list when they are not (not hard to check, though).
I can't see a way for Safe Harbor to be a wise basis for firms to export PID from the EU, regardless of what the EC says. I think a SOC2 type II with a clear and explicit listing of GAPP controls might actually do better. In an outsourcing context where the data has already been properly consented, and there are explicit contract provisions preventing disclosure, GAPP may be good enough.