Should there be a European standard for data protection?
Should there be a European standard for data protection to help companies comply with the legal requirements, or should it be left to the companies to devise their own standards? This was the question debated at an open meeting on data protection organised by the European Committee for Standardisation, CEN, at the request of the European Commission's Enterprise Directorate-General.

In Europe, the processing of personal data has to comply with the European Directive on Personal Data, which calls for the legal prescriptions to be completed by self-regulatory action. The directive provides only a general framework, and much of the effectiveness of the protection it affords will depend on the implementation mechanisms employed.

The European Directive was conceived in 1995. Since then, the rapid development of the Internet and electronic business has led to new challenges as increasing quantities of personal data are being processed. Employers and other organisations holding personal information now face the dual challenge of ensuring that their data records and control records comply with the legal regulations, and of instilling confidence in consumers that the information they communicate will not be used in ways they would not authorise.

The Privacy Seminar, 'Standardisation: a business tool for data privacy', was organised against this backdrop, to initiate dialogue between the different bodies interested in data privacy with a view to establishing some kind of European standard for ensuring legal compliance.

'This is the result of a very careful and painstaking investigation into whether there is a role for standardisation in support of the data protection directive,' said George Hongler, CEN Secretary General. 'Establishing consensus is our raison d'être. People see standardisation as regulation by the back door, but I don't see this as the case at all. Standardisation is not mandatory, it's a voluntary activity.
We at CEN have recognised that the market needs consensus-based agreements.'

Over 120 participants were asked to identify the market's requirements in relation to data protection, and market players' confidence in using a self-regulatory mechanism, such as standardisation, to implement business action in the privacy arena.

The need for urgency was underlined. 'If we do not do this in a timely way, we may not do it at all,' said Seminar Chairman Nick Mansfield, also Chairman of ICX, the International Commerce Exchange. 'Whatever we do has to be done by the end of this year.'

John Mogg, Director General of the European Commission's Internal Market Directorate General, agreed that a timely solution is required. 'The time for talking is ended. The time for delivery that is convincing to the industry and consumers is now here.'

Mr Mogg, who has been instrumental in establishing the 'safe harbour' cooperation agreement on transferring data between the EU and US, said a standardisation agreement would strike a balance between the traditional European legislative approach and the self-regulatory system favoured in the USA. 'In Europe, we have been portrayed as an organisation where regulation is the only route, but this is not the case. However, standardisation represents an integrated approach between regulation and self-regulation.'

Protecting personal data requires not only legislation, but also clear and practical guidelines on how to meet the legal requirements, said Martin Grosskopf of the Canadian Standards Agency, CSA International, who presented the Canadian experience of establishing a standardised mechanism of data protection. Building a consensus between all the parties affected by data privacy in Canada, including consumers, business, regulators and policy makers, took four years. Consensus is necessary, said Mr Grosskopf, for a voluntary standard to have the widespread acceptance it requires.
He conceded, however, that four years is too long in the fast-moving world of e-commerce. 'Internet time cannot do things in four years,' he said. 'But we have the mechanisms in place to develop a system with a low level of consensus in six to eight months. This would be constantly reviewed until a more established consensus has been reached.'

Presenting the conclusions of the discussion sessions, Evangelos Vardakas, Director in the European Commission's Internal Market Directorate-General, said the European standard would leave room for Member States to meet their own requirements. 'There will be plenty of room for national arrangements and I hope this will not leave room for contradiction.' Compliance with the data protection measures in one Member State will be recognised throughout the Union. 'The ideal situation is to do business all over Europe. This is the final objective of the directive,' said Christine Sotting-Micas of the Internal Market DG.

Several delegates raised the question of the price of implementing a European Standard. Seminar Chairman Nick Mansfield said there was no avoiding the fact that the implementation process would cost money. 'The price to do nothing is unaffordable,' he said. 'If the law says you have to do something, then you have to do it, and it's going to take resources. Yes, you are going to have to put your hands in your pocket, yes, you are going to have to get your managers to do something, and yes, it's going to cost more than you are doing today.'

Some companies might prefer to develop their own systems of compliance, conceded Mr Mansfield, but for small and medium-sized enterprises the costs would be uneconomical. For them, the affordable option would be to come to a recognised standards body such as CEN for help in implementing a standardised European data protection model.

The quality assurance that comes with the standardised protection of data could bring with it new business opportunities, the conference was told.
The notion of establishing a European brand, such as the successful Kitemark of quality employed in the UK, was discussed, although an information campaign would be needed to gain public acceptance. Mr Mansfield said a quality brand would generate its own business. 'Branding brings public confidence and can be linked to products. Those who produce branded products will sell them - there is a well-known market here.'

Summing up the conclusions of the two-day session, Mr Mansfield said that although the debate had been constructive, there was still much work to be done in gaining consensus in such a complex area. 'Anyone who came here with an expectation of a clear-cut solution may feel disappointed, but I think perhaps if you came with that expectation you didn't have a complete grasp of the complexities that we are facing.'

A report of the proceedings will be published within six weeks, when it will be made available for public consultation on the CEN website. CEN/ISSS (Information Society Standardisation System), a body created by CEN to provide solutions to the standards question, will then decide whether to bring together experts to write a European Data Privacy Standard.