Saturday, March 31, 2007

Stop! Make sure you’re on the white list!

The European Data Protection Directive divides the countries of the world into two lists: the white list (with “adequate” data protection) and the black list (without “adequate” data protection). All the EU countries automatically get on the white list. The European privacy regulators have the unenviable task of assigning other countries to that list, and they have taken a very conservative approach, only putting countries on that list that have a clone of EU-style data protection. So, Argentina and the Channel Islands are deemed to have “adequate” data protection, but the USA is not. In other words, data flows from Europe to such places as Bulgaria, Romania and Argentina are unimpeded by regulatory constraints, but similar flows to the USA are subject to considerable regulatory process. Of course, all this exists in a parallel universe, rather divorced from reality. I doubt many people in Europe would honestly believe that their data is more protected in Argentina or Bulgaria than in the USA.

It’s time to scrap these artificial concepts. White lists and black lists are inherently unfair, and they simply do not reflect the realities of privacy protection, especially when they are based on rather arbitrary legalistic concepts, far divorced from the realities of the world. Such concepts might have been defensible in the days before the Internet, when global transfers of data were rare, but they are patently absurd in the era of the World Wide Web, when data zips around the planet with the click of a mouse.

I’m all for robust data protection legal obligations. What we really need are global standards. You don’t get those by creating silly white lists and black lists. And if you don’t agree, you can always choose to move all your sensitive data to Argentina. It’s on the white list.
