The world's most exclusive club?
Jinfo Blog

By Tim Buckley Owen

Item

Israel has recently become only the seventh country to join the charmed circle of nations to which European personal data can be sent unhindered for processing.  If this really is “the year of the Cloud”, and if emerging nations are to continue to power the global economy for the foreseeable future, then data protection is one of the Cloud’s biggest pieces of unfinished business.

Europe has some of the toughest data protection legislation in the world and approves third party countries only grudgingly.  “Adequate” is the term it uses in the official Commission Decision admitting Israel – and indeed for the handful of other countries currently in the club: Argentina, Canada (sort of), Switzerland, Jersey, Guernsey and the Isle of Man.

Canada is admitted only so long as the recipient of the information is subject to the Canadian Personal Information Protection and Electronic Documents Act (says the Out-Law newsletter), and there are also some concessions for the United States.  Data can be sent to those US organisations that comply with the Federal Trade Commission’s Safe Harbor arrangement with the EU and Switzerland, which “bridges the gap” between the two areas’ differing approaches to privacy.

If even developed nations have such difficulty joining the club, what hope – Argentina honourably excepted – for emerging ones?  It’s just recently that LiveWire reported on a European Union Opinion on who’s responsible when personal information is processed goodness knows where in the Cloud – and there will be many more issues to address where emerging economies are concerned.

It was in November 2009 that Simon Sorockyj, from the Hong Kong Office of the law firm Pinsent Masons, wrote an exasperated note lambasting the region’s government for failing to implement section 33 of the Personal Data (Privacy) Ordinance, which restricts the transfer of personal data to countries lacking a data protection regime.  Currently there’s nothing to prevent Hong Kong data from travelling to China where, frankly, anything might happen to it.

Recently another law firm, Linklaters, has reported that the Hong Kong Privacy Commissioner has set a strategic goal of bringing section 33 into force – either “in the next few years” or “as soon as possible”, depending on which interpretation you go by.  Meanwhile, though, Hong Kong has no chance of getting onto the EU’s “adequate” list and commerce suffers from cumbersome bureaucratic delays as a result.

Data protection can only grow in importance among the many compliance issues that information managers have to wrestle with – especially among emerging economies.  Where to go for help? 

One place might be ENISA, the European Network & Information Security Agency.  Even better, though, might be to seek the advice of the Article 29 Working Party of EU member states’ data protection authorities.

« Blog