Bridging the transatlantic data divide

Simon Rendell, head of IT law, Osbourne Clarke

Simon Charlton, IT law consultant, Bird & Bird

Mike Pullen, euro law specialist, Dibb Lupton Alsop

The EU and the US are currently in protracted discussions about the future of data protection.

While Europe wants tight regulatory controls on how personal data can be passed between companies on either side of the Atlantic, the US has grudgingly offered an approach to the solution in the form of a "safe harbour". This means businesses could voluntarily sign a code of conduct.

If the issue cannot be resolved at a US-EU summit on 21 June, the disparity in approaches could disrupt the flow of personal data across the ocean and create havoc for business.

So which side is right in the eyes of the lawyers who deal with these problems everyday?

Simon Rendell, head of IT and communications law at Osborne Clarke, believes that while the EU generally has the right approach by insisting there should be some controls on data transfer, it has drawn up directives on the matter without understanding what the impact on businesses could be.

"Businesses, especially internet businesses, need to understand data protection laws in the countries where they are looking to expand in order to plan their business strategies over the next five years, but at the moment that is impossible.

"The current state of affairs is a lawyer's dream because we are getting umpteen instructions on how internet companies should handle these issues."

But Rendell says: "We cannot give our clients the advice we would like to because only a client the size of Microsoft could do an international survey of data protection regulations."

As to the US's peace offering of the "safe harbour" scheme, Rendell is sceptical.

"It is not a long-term solution. It is just a knee-jerk reaction to try and find a solution to the disagreements between the US and the EU," he says.

But Simon Chalton, IT law consultant to Bird & Bird, thinks the problem has been over-played.

"The problem is not as serious as some might say. It's only serious because Europe has adopted this model for data protection and therefore Europe is saying that personal data shall not be transferred to countries that do not have protection.

"There are ways around the problems. For example, if you have a contract between a US company that does not have data protection laws and an EU company that does, then you can write it into the contract that data protection laws must be complied with. While the US law may not say a lot about data protection, it does say a lot about the enforceability of contracts," he says.

Equally, Mike Pullen, European law specialist at Dibb Lupton Alsop's Brussels office, believes that for most companies there is an easy way around the restrictions imposed by the EU. This is because all data transfer is permitted if the subject of the information gives permission.

"If you are in the type of industry where you are in constant contact with your customers, then gaining consent is merely a matter of getting them to sign a form.

"The directive makes work difficult for direct marketers and risk brokers because they are a few steps removed from the data provider."

At the moment, says Pullen, an EU-based company wanting to transfer data has to have a data controller in each country that it intends to send data to or from. "It seems it includes each country within the EU."

But he says: "It should leave room for some shopping around within the EU because the data protection authorities in each country are so different. The directive needs clarification, potentially through a court case."

As to the proposed EU clampdown on data transfers to the US, if the latter does not give in on regulation, Pullen has nothing but contempt. "It's a nonsense. How many transfers of data are there from the stock exchange each day? The EU is trying to impose its level of protection on other countries by force."