Cedric Laurant

Posts Tagged ‘United States’

Conference: “Is Your Company under Threat? New Digital Risks & Computer Attacks: Forensic & Data Protection Aspects” (Medellin, Colombia – 16 Nov. 2011)

In Conferences, Spanish on 11 November, 2011 at 04:01

UPDATE (28 Nov. 2011): the video of the conference is now available at http://envivo.eafit.edu.co/EnvivoEafit/?p=10790.

Next week, I am organizing with two colleagues a conference in Medellin, Colombia, about the country’s recent data protection law entitled: “Is Your Company at Risk? New Digital Risks and Computer Attacks: Forensic and Data Protection Aspects – International Perspectives and the New Colombian Legislation”. Now that the Constitutional Court has approved the law, the time has come for the government to implement it into regulations, and for companies to start seriously considering how they will put in place the measures necessary to comply with the new rules.

In this conference, we plan on talking, from the forensic expert’s point of view, about the threats Colombian companies are facing with the latest waves of cybercrimes and computer attacks, the new risks they must address and the new challenges they must tackle.  We will then cover the new law itself: its scope, the legal and regulatory privacy framework in Colombia, and the legal impact for companies.  In a third and last part, the focus will be to explain the position of the new law within the landscape of current or emerging data protection laws in Latin America, but then also in the more global context of legislative and public policy developments in the European Union and the United States, and what these developments mean for Colombia at a time when its government is drafting its new data protection regulatory framework.

Conference speakers are:

  • Álvaro Alexander Soto, Director, Digital Forensic & Security Lab, Asoto Technology Group (forensic company with offices in Medellin and Bogota (Colombia), and Washington, D.C. (U.S.A.)),
  • Arean Velasco, Attorney, Velasco & Calle d’Alleman (a law firm with offices in Medellin, Colombia) and
  • Cédric Laurant, Principal, Cedric Laurant Consulting (consulting firm based in Brussels, Belgium)

Practical information: the conference will take place on 16 November 2011, 18:00-20:00 at the Universidad EAFIT, Carrera 49 N° 7 Sur – 50, Medellín (Colombia) – Bloque 38, Auditorio 125.  Language: Spanish.  Free entrance.  Prior registration required at info@cedriclaurant.com or right before the event at the conference venue.  More information in the flyer below.

Please do share this event with people who could be interested.

Conference: "Is Your Company at Risk? New Digital Risks and Computer Attacks: Forensic and Data Protection Aspects - International Perspectives and the New Colombian Legislation" (EAFIT, Medellin, Colombia - 16 Nov. 2011) (p. 1)

Conference: "Is Your Company at Risk? New Digital Risks and Computer Attacks: Forensic and Data Protection Aspects - International Perspectives and the New Colombian Legislation" (EAFIT, Medellin, Colombia - 16 Nov. 2011) (p. 2)


“Privacy is Freedom”: Public Voice Event in Mexico City (31 Oct. 2011)

In Conferences on 31 October, 2011 at 15:29
"Dia de los Muertos" (photo by Natalie Curtiss, shot on February 26, 2011). Available at http://www.flickr.com/photos/gnatallica/5480065859/ (Creative Commons "Attribution-NonCommercial-NoDerivs 2.0 Generic" (CC BY-NC-ND 2.0) license).

Two days before the 33rd International Conference of Data Protection and Privacy Commissioners takes place in Mexico City, The Public Voice, an international coalition of NGOs and nonprofit organizations, is organizing this Monday a full-day event to discuss the views of Civil Society representatives from Latin America, Europe and North America, together with several government officials and industry speakers.  The issues featured are the same as the ones that will be discussed over the following three days in the Mexican capital: privacy and data protection, and how they relate to broader issues such as freedom of expression and consumer protection.

The stated goals of the conference are to:

  • review the status of the two Madrid Declarations: Civil Society’s Madrid Privacy Declaration (“Global Privacy Standards for a Global World”) and the Data Protection Commissioners’ International Standards on Privacy and Personal Data Protection;
  • assess cultures and privacy perspectives from around the world;
  • raise public awareness of surveillance technologies and their consequences for consumers, freedom of expression and human rights;
  • explore the ongoing policy and legal issues at stake in Latin America about privacy and freedom of expression;
  • establish networking opportunities between Mexican civil society and consumer rights advocates and members of the Public Voice.

The event hosts are the Electronic Privacy Information Center and the Federal Institute for Access to Information and Data Protection (IFAI), the Mexican Data Protection Authority.  Some of the government speakers they invited include:

  • Marie-Hélène Boulanger, Head of the Data Protection Unit of the Directorate General “Justice” at the European Commission,
  • Jacob Kohnstamm, Chair of the European Article 29 Data Protection Working Party,
  • Jacqueline Peschard, IFAI’s President,
  • Peter Schaar, the Federal Commissioner for Data Protection and Freedom of Information of Germany, and
  • David Vladeck, Director of the Bureau of Consumer Protection of the United States Federal Trade Commission.

The full list of speakers is available here.

Unfortunately, it is no longer possible to register to attend the meeting in person.  If you plan on following the event online, just go to the webcast page at the start of the event: today at 08:00am GMT-6.

Several people have already offered to tweet about the event in several languages (currently English, French, Portuguese and Spanish).  If you want to make comments about the panels or even ask questions directly to speakers, you will be able to do so by using the #tpv11 hashtag in your tweets and the speaker’s Twitter username (speakers list on Twitter).  I will be tweeting in English and French from my Twitter account (@cedric_laurant).

Public Voice event in Mexico City (Oct. 31, 2011)


Emerging Data Protection Laws in Latin America and Doing Business in the EU

In Opinions on 15 September, 2011 at 15:33

Late August I wrote an interview for Nymity for their “Privacy Interviews with Experts” series that covers the recent and emerging developments in data protection in Latin America.  The whole interview is also available here and here (pdf).

Map of Latin America

As Latin America increases its attention to data protection legislation and regulation, a number of questions arise. Why now? What is the impetus behind their actions? What will implementation entail? Where do these countries start from in their implementation journeys?  What challenges will they face, especially keeping pace with the EU and at the same time satisfying the demands of other economies, including the US, Russia, China and others with no data protection regulation?

Cedric Laurant, attorney and consultant and founding partner of Cedric Laurant Consulting, provides us with a summary of the privacy challenges coming ahead in Latin America.

Cedric received his legal training in Belgium and the United States, taught courses and seminars in international privacy, data protection law and comparative law as a Visiting Law Professor at the Universidad de los Andes in Colombia between 2007 and 2008, and has talked at various conferences and seminars in Latin America about privacy and related issues.  He directed the publication of the Privacy & Human Rights survey between 2002 and 2006, increasing its scope to cover most Latin American countries.

Cedric speaks about the current challenges for data protection in Latin America during his presentation at the next IAPP Privacy Academy conference on September 15 in Dallas, TX and at the Public Voice conference preceding the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City next October 31st.

Nymity: Why data protection law and regulation in Latin America today? Is it the same in all economies, or does it differ country by country?

Laurant: Latin America is the next big region after Asia that will see major changes occur in its data protection regulatory landscape.  Several countries have recently gotten their act together by enacting or drafting new data protection laws. Is it a coincidence or the intent to follow the “mode du jour”? None of the above: data protection has been on the agenda of many Latin American countries at least for the past 10-15 years. What we are seeing now is an increasing political will among all states in the region to catch up with their neighbours, and a growing realization that adopting strong data protection laws will help their economies by increasing their commercial transactions outside and within their borders.

Although all countries in Latin America that currently have a data protection law or are drafting one largely follow the European data protection model, with a few differences here and there, the lack of a harmonized and integrated regional legal system like in the European Union has led countries to adopt laws or draft bills that feature many differences among each other, which creates a diverse patchwork of legal frameworks or regulatory initiatives.

In turn, a common characteristic that appears in many Latin American privacy regimes is the constitutional right of “habeas data”, which despite variations from country to country, enables individuals to complain before a constitutional court to protect their image, privacy, honor, informational self-determination or freedom of information by providing them with the right to access the registries that hold their personal data, the way to amend or correct obsolete data, to ensure their personal information remains confidential, and to provide means to remove sensitive personal information.  Lacking from that seemingly rosy perspective is the fact that habeas data only provides an after-the-fact remedy for individuals and through the courts: when it requires a lawyer, it stays out of reach for most plaintiffs, to show damage may be arduous, and it relies on case law and offers poor legal certainty.

Nymity: What are the emerging regulatory highlights, by economy and what is the timeline for their regulatory implementation?

Laurant: Several Latin American countries have recently enacted, or are drafting, a comprehensive legislative framework to protect individuals’ personal information. Starting with Mexico that, since last summer 2010, regulates at the federal level the processing of personal data by businesses, and is working on implementing decrees that should become enforceable early 2012.

Follows Peru with a new data protection law that was enacted last July and now must be detailed in an implementing decree. The Peruvian law establishes a data protection authority, the “National Register of Personal Data Protection” that will keep a record of private and public databases and have the power to levy fines for violations of the law.

Colombia is still waiting for the approval of its recently enacted and first comprehensive data protection law by the Constitutional Court, which according to local counsels, should come during the last trimester of this year.

The Brazilian Ministry of Justice is working on enacting a comprehensive data protection law modeled after the European Data Protection Directive and the Canadian Data Protection Law (PIPEDA). The draft bill, which has been subject to public discussion for several months, guarantees a list of citizens’ basic rights regarding their personal data: the right to access one’s data, correct inaccurate or wrong data, delete them, object to their processing, be compensated for their misuse, and not be subject to purely automated decisions.

Costa Rica is on the verge of adopting a law that is also modeled after the EU Data Protection Directive: it regulates almost all types of personal data processing activities and requires express written consent for many of them. It would also create a new data protection authority that would be competent to issue sanctions for violations of the law. After the Supreme Court of Justice found the law to be free of constitutional defects in April of this year, the bill has made its way back to the Legislative Assembly.

Uruguay is waiting this year for the approval of its data protection law as offering adequate protection pursuant to the European data protection legal framework, after the European body of the Article 29 Data Protection Working Party issued an affirmative opinion late October 2010. Mexico and Peru might wish to obtain that European “seal of approval”, but should they follow that route, they will probably have to wait for 3 or 4 years, especially as the European Union is currently focussing its efforts on reviewing its own data protection framework.

A development worth noticing is the growing number of countries in Latin America (Brazil, Uruguay and Mexico) that have added data breach notification clauses in their data protection law, similar to the ones that exist in almost all US State statutes and are burgeoning in some EU Member States.

Nymity: What challenges will those economies face?

Laurant: A major hurdle for these countries is the questionable level of independence of their data protection authorities and the effectiveness of their enforcement means: will they obtain enough means – financial, human and material – entrusted to them by their governments to fine the companies that do not comply with the rules, and will they get the true authority necessary to enforce the new rules?

Another obstacle is the pervasive lack of awareness about data protection by the vast majority of the population: it may take quite some time before companies learn about their new obligations and implement them into their data processing activities.  It will also take efforts for individuals to understand their new rights and for the authority to educate stakeholders about the new law.

At a broader level, where cross-border data transfers among all countries in the region will be at stake, the lack of an integrated regional data protection framework will give headaches to companies willing to transfer data to each other while following the legal mandates.

Nymity: How long might their journey take?

Laurant: As is the case for all the economies that have already adopted data protection or information privacy rules around the world, it will take several years for Latin American states to fully implement them on the ground and get a high enough rate of compliance.  One example might illustrate the challenges ahead: it took 20 years for Colombia, after it recognized the right to privacy in its Constitution of 1991, to come up with its first comprehensive data protection bill. It will probably take as much time for its data protection framework to reach maturity and satisfy awareness, compliance and implementation levels similar to the ones in Europe and the United States.  However, to use again the example of Colombia, changes are gradual and cannot only be assessed based on changes in the law, but also through case law. In this regard, the Colombian Constitutional Court’s decisions have shown exceptional clarity by building since 1992 a comprehensive case law about habeas data that already embodies most of the data protection principles of international data protection instruments – something some of the biggest developed economies have not achieved yet.

Among the foreseeable factors that are likely to impede the path to successful implementation of data protection rules are: a higher level of corruption than in developed economies, a much weaker public sector with limited budgets for administrative and judicial bodies, a deficit in technical expertise, a poor level of trust in the justice system and consumer protection, and a lesser degree of reliability in commercial transactions.

Nymity: What are the key challenges each economy will face from Europe? What do you recommend these economies do about these challenges?

Laurant: If these economies intend at some point in time to get the adequate protection ‘seal of approval’ from the EU, they will have to demonstrate that the law that exists in their books is enforced in practice and effectively protects individuals. It will probably prove harder to obtain than in the case of Argentina that was the first Latin American country to get the approval but has not delivered yet on all its promises. One of the difficulties comes from how they will protect their transborder data flows after receiving personal data from EU countries. However, the EU recognition will definitely help them with increased prospects of European investments, in particular in the business process outsourcing sector and in data and call centers.

In this context, a growing conflict has already reared its head between the United States and the European Union, each of them trying to influence Latin America in adopting its own data protection model, and multiplying commercial initiatives or courting them individually with unilateral trade agreements. Most of the progress to be done in data protection in those countries will come indeed from the economic incentives to develop commercial transactions with the rest of the world and attract investment from foreign companies, especially with the regions that already impose strict rules on international data transfers to protect their consumers. But it may not come by making each of them sign unilateral trade agreements. The European Union got started thanks to the brilliant idea of European states forming a group around a purely economic objective – build a common market and a community of countries around the production of coal and steel – then promoting within their united territory the circulation of goods, services and capital.  Likewise, the same idea could be a leading factor in fostering Latin American economies to make progress on increasing international data transfers and commercial transactions: through the building of economic alliances among themselves. The best for the region is most likely to build up its own data protection model, based in part on its strong habeas data heritage and its civil law system, then to agree over multilateral trade treaties that would highlight the protection of international data flows as a key requirement.

Nymity: What recommendations do you have for companies that do business in Latin America? What might they begin to do to anticipate the upcoming data protection changes?

Laurant: I would advise international companies doing business throughout Latin America to embrace the upcoming data protection standards coming along in the region. Even though it will turn out to be a more costly business proposition for them, it will only be in the short term. The advice is: get an edge over your domestic and international competitors by adopting the highest data protection standards available throughout the region, and right from the start. Translating these standards to fit into the Latin American regional context means:

  1. be as transparent as possible towards your prospective customers in how you will use their personal information;
  2. do not be seen as following the herd of domestic companies that will probably have a harder time to comply with the new rules than you will;
  3. being seen as an early adopter will be good for business and the building of your reputation;
  4. in some of the countries where trust between businesses and consumers is particularly low, trust your consumers even more: it will breed reciprocal trust in your products, services, brand and reputation;
  5. follow all consumer protection and data protection regulations, and go even beyond strict compliance by doing better than domestic companies;
  6. develop a reputation for being fully reliable for your customers.

Nymity: What recommendations do you have for companies in Latin America that want to do business outside of Latin America? What data protection measures might they consider, perhaps in addition to their emerging laws and regulations?

Laurant: If your country does not have a clear and binding data protection legal framework, lobby your Parliament members to work on one; if business is mainly with European countries, encourage your government to start the process of the “adequate protection” recognition with the European Commission. In the meantime, you will have to demonstrate that you protect well enough the personal data transferred from the EU and comply with administrative procedures and contractual steps such as signing standard contractual clauses, adopting rules that apply throughout the company everywhere it does business (“binding corporate rules”) or obtaining approval for individual transactions by national data protection authorities.

New Blog: “Information Security Breaches & The Law”

In News on 7 August, 2010 at 22:15

Last June, I started with a colleague, Marie-Andrée Weiss, a blog dedicated specifically to the topic of information security breaches (“Information Security Breaches & The Law”) from both a legal and a technical perspective.

The blog, which is written in English and French, and later will also be in Spanish, will include opinions, comments on recent news, laws or other developments, research notes and conference reports in the area of information security breaches, mainly in the United States, Europe and Latin America.  It also features a “Security Breaches Library” that includes links to major recent reports and surveys, upcoming conferences, calls for papers and news, all on the same subject of information security breaches.

It should be of interest to company executives concerned with information security issues in their business, as well as to professionals practicing in the field of information security, privacy and data protection, along with the interested general public.

Below is an outline of the first blog posts:

  • Will France adopt a law requiring the notification of security breaches? (August 6, 2010): A French bill “to better guarantee the right to privacy in the digital age” has implemented the European Directive 2009/136/EC by requiring the data controller to inform the “Data Protection Correspondent” or the French data protection authority, of a breach of integrity or confidentiality. Those involved in the breach must also be informed, at least if security breaches are “likely to adversely affect” their personal data. The bill follows the recommendation of the Directive to notify individuals of security breaches for all sectors, not just electronic communications. It was adopted by the French Senate on March 24, 2010 and is currently before the National Assembly. (A French version of this article is also available here.)
  • Article 29 Data Protection Working Party reports on implementation of Data Retention Directive (July 19, 2010): The Article 29 Data Protection Working Party has adopted on July 13, 2010 a report on the EU Data Retention Directive (2006/24/EC). This report is the Working Party’s contribution to the evaluation of the implementation of the Data Retention Directive by the European Commission, which is due by September 15, 2010. The report details the results of a joint inquiry made by the data protection authorities about the compliance, at the national level, with the obligations of telecom providers and Internet service providers with both the Data Retention Directive and articles 6 and 9 of the EU e-Privacy Directive (2002/58/EC).
  • Are ‘clouds’ located outside the European Union unlawful? (July 16, 2010): A central aspect of every cloud service contract is the security of data processing. It is therefore important, if only for liability reasons, that responsibility for specific security measures be clearly assigned. This can be done by using security service level agreements between the cloud service provider and its client that clearly assign who is responsible for which particular security measure. Storing data in a cloud located outside the EU raises specific legal compliance issues. According to some experts, such clouds are even unlawful. There are, however, some ways to make sure that, even if a data controller stores data into a cloud located in a third country, he is still in compliance with German data protection law. A data exporter must use, in order to satisfy the adequate level of data protection requirement, specific standard contractual clauses for all contracts with a cloud service company located outside the EU. Binding corporate rules are the alternative solution, though only for private clouds.
  • The Safe Harbor Framework: not a “safe harbor” anymore for US companies? German expert body insists on stronger compliance stance (July 9, 2010): On April 29, 2010, the Düsseldorfer Kreis, an informal group of German data protection authorities, published a decision that could have significant repercussions on U.S. companies importing personal data from organizations operating in the European Union. One of these repercussions is that German organizations exporting personal data to the United States should check if the U.S. data importer does indeed comply with the Safe Harbor Framework. Security plan recommendations will provide for a useful guideline to E.U. data exporters to help them comply with the Safe Harbor’s Security Principle.
  • Canada May Soon Have a Data Breach Law (June 5, 2010): A bill called the “Safeguarding Canadians’ Personal Information Act” (C-29) would amend Canada’s national privacy legislation. C-29 would introduce a security breach disclosure (also called “notification” in the United States) requirement in PIPEDA. Canada does not yet have such a law, contrary to the United States where the majority of states have enacted data breach notification statutes.

European Parliament Debates “SWIFT” Transatlantic Bank Data Deal

In News digest on 10 February, 2010 at 16:02

The European Parliament discusses today, and votes tomorrow on, the transatlantic deal the US Government and the EU Council brokered last year.  It is an interim agreement (called the “FMDA” or “Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program (“TFTP”)”) that was agreed between both parties last November. It will enter into force as soon as the EP votes on it, on 11 February, and last until 31 October 2010.  The EP’s consent is required under the provisions of the recent Lisbon Treaty to make the agreement enter into force.  The European Parliament can only give its consent or refuse it.

The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) issued last week a Recommendation with respect to how the EP should vote on the FMDA.

What is at stake?

A bit of history is required to understand the stakes of the current vote.  In her report on behalf of the LIBE Committee, the Rapporteur, Jeanine Hennis-Plasschaert, states that each agreement that the EU and the US have negotiated on justice and home affairs issues since 11 September 2001 features many of the same problems in relation to personal data and legal protection.  To overcome these difficulties, the EP has required since 2003 the definition of a coherent EU data protection legal framework as well as negotiations for a transatlantic binding agreement on this issue.

In 2006, it was revealed that the US government had obtained access since 2001 to all of SWIFT’s data – including European bank customers’ financial information that was originally stored on servers based in the United States.  This news story led to a storm of protest in the EU – in particular as regards the TFTP’s perceived lack of compatibility with the obligations under the EU Data Protection Directive (95/46/EC) as well as Member States’ laws implementing that Directive.

“Slippery slope”

The LIBE Committee’s report argues that:

“As far as the TFTP is concerned, it must be considered as a departure from European law and practice in how law enforcement agencies would acquire individuals’ financial records for law enforcement activities, namely individual court-approved warrants or subpoenas to examine specific transactions instead of relying on broad administrative subpoenas for millions of records.” [...]

“[W]hat might have kicked off as an urgent temporary measure (in reply to 9/11) became de facto permanent without specific approval or authorisation by EU authorities or a real transatlantic evaluation of its impact and forward looking transatlantic negotiations covering at the same time security, judicial cooperation and data protection impact.”

The LIBE Committee’s report is critical of the FMDA and calls for the EP to withhold its consent on 11 February for the following reasons:

“[T]he current debate is not about SWIFT as such but about how Europe could cooperate with the US for counter-terrorism purposes and how financial messaging data providers are requested to contribute to this fight, or indeed more generally the law enforcement use of data collected for commercial purposes.” [...]

“[I]t is not difficult to imagine that accepting the proposed FMDA (as it stands) could lead down the slippery slope of accepting other requests for commercial data with (f.e.) Skype, PayPal and other companies in the information-telecommunication field being potentially interesting for law enforcement purposes.”

EP Committee argues the deal violates EU data protection rules

Among the most crucial legal considerations that the LIBE Committee report highlights are:

  • Violation of the principle of proportionality: when it receives a US government’s request to produce data related to e.g. an individual, SWIFT is not able to produce that specific data because of technical reasons.  The only data it could provide is ‘data in bulk’, which may contain personal data such as the name or address of an individual, and not be limited to the specific purpose for which US authorities may need information for counter terrorism purposes.

This shows that if SWIFT has to transfer most of its data to the US Government it will not be able to comply with the EU Data Protection Directive’s principles of necessity and proportionality.  “This cannot be subsequently rectified by mechanisms of oversight and control,” writes Rapporteur Jeanine Hennis-Plasschaert.

  • Violation of the principle requiring prior judicial authorisation – Uncertainty regarding onwards data transfers to third countries: The FMDA does not provide that transfer requests be limited in time and be subject to prior judicial authorisation.  Neither does it sufficiently define the conditions under which the US Government plans on sharing TFTP data with third countries.  The public control and oversight of the access to SWIFT data by US authorities is not defined either.
  • Undefined retention time: The FMDA provides that all non-extracted SWIFT data will be erased after a specified period but does not provide any length of time.

By “non-extracted data”, the FMDA refers to the data US law enforcement authorities have not needed for terrorism-related investigations.  Only if such data is “no longer necessary to combat terrorism or its financing” (Article 5 (i)) will the US authorities not keep the data for longer than 5 years after their receipt (Article 5 (l)).  For all data that might be necessary “to combat terrorism or its financing”, or for data that is extracted but found not to contain usable information, the duration of retention is not indicated in the Agreement.  This implies that the US Government could legally keep that data for up to 100 years.  (See “Representations of the United States Government”.)  The same retention issue occurred during the negotiation of the EU-US PNR (“Passenger Name Record”) Agreement that the EU Council, the Commission and the US Department of Homeland Security negotiated between 2003 and 2004.  In that case, the US Government had used a 100-year retention period as the regular duration period to keep such PNR data.

  • Undetermined provisions on access, rectification, compensation and redress outside the EU: these rights are not defined adequately in the FMDA.

The EP report states:

“The FMDA does not guarantee European citizens and companies the same rights and guarantees under US law as they would enjoy in the territory of the EU.  Furthermore, the FMDA does not indicate under what circumstances an individual or company outside the territory of the US is to be informed of the fact that an unfavourable administrative decision has been taken against him/it.”

What happens next?

If Parliament refuses consent on Thursday 11 February, the FMDA will not enter into force and its provisional application would terminate upon notification by the EU to the US authorities.  In such case, the US-EU Agreement on Mutual Legal Assistance of 2003 (“MLAT”, or Mutual Legal Assistance Treaty) and bilateral agreements on mutual legal assistance between the US and certain EU Member States would provide the framework pursuant to which future financial data exchanges would have to be pursued.  This MLAT includes, but is not limited to, terrorist offences.  Not only does it greatly limit the scope of data requests to investigations of specific individuals or companies “suspected of or charged with a criminal offence”, but the transfer of data to the US is also governed by the domestic law of the Member State(s) concerned.  The request for information must identify the person (legal or natural), indicate the grounds for suspecting he/she has committed a crime, and show how the information relates to the criminal investigation or proceeding.
