Cookie Law vs Patriot Act
By: Richard Beaumont | Friday, September 9, 2011 | Tagged: Cookie Law
I have recently been reading a series of articles about the implications of the USA Patriot Act for data protection in the EU.
These have led me to consider, in my more paranoid moments, whether the Cookie Law was in fact written as a direct response to the potential impact of the US law on the data privacy of EU citizens.
The articles in question were written by Zack Whittaker on ZDNet, and for anybody interested in privacy issues, I would strongly recommend this in-depth analysis.
Although ZDNet is a US focussed site, Zack is British which perhaps gives the four articles a unique perspective.
However, you won't find mention of the EU Cookie Directive in these articles, as they were published in April this year, when very few people knew about the cookie law. So although the insight into the Patriot Act is all Zack's, the conjecture about the cookie law is mine.
The Patriot Act vs EU Data Protection
In the briefest terms, EU data protection laws mean that processing of any data by EU companies is subject to legislation designed to protect consumer privacy, and ensure the data is not misused.
The protections to that data are also supposed to extend beyond the EU's borders via an international agreement known as 'Safe Harbor'. Under the Safe Harbor arrangements US companies are supposedly held to the same standard of data protection, for European data, as companies in Europe are.
The purpose of this legislation was to enable big companies that move data all over the world for processing, like Microsoft and Google, to keep doing so legally, without whole sections of the digital economy grinding to a halt.
So far so good.
However, US companies are subject to the Patriot Act, drawn up in the wake of the September 11 attacks. The Patriot Act requires US companies to hand over any data to the US security services on demand, and potentially without the need for a court order.
Part of the Patriot Act also requires that companies who have been ordered to hand over data must keep quiet about it, i.e. not tell their customers and partners what they have done.
So even if data has been transferred to the US under Safe Harbor, it can be 'seized' by US security. It also means that US companies can be compelled to request data from their European subsidiaries, purely so it can be handed over, and the subsidiary may never know about it.
Enter the Cookie Law
All of which, to the average person, seems to give an awful lot of power to the US government. European authorities had no defense against this except to cut off all data movement between the EU and USA, clearly a wholly impractical proposition.
The cookie law, assuming it is properly enforced, has two possible consequences.
Firstly, it makes EU citizens more aware that data is being collected about them on the web, what is being done with it, and obtains some consent for the collection and processing.
Secondly, it reduces the volume of data actually collected (assuming not everybody gives their consent).
So with this law in force, if EU citizens' data does get into the hands of the US government, there will be less of it. Possibly equally importantly, the EU company that hands the data over is to some extent absolved of 'blame', because it has an argument that the data was given knowingly and voluntarily.
Of course there is a lot of data collected that doesn't come via cookie law regulated mechanisms.
I also know that, spelled out like this, it seems a little far-fetched that the cookie law was designed to protect, even in some small way, EU citizens from the mighty USA intelligence machine.
If nothing else, it cannot be possible that an organisation like the EU could, as a whole machine, knowingly come up with that kind of plan, and keep it secret.
However, I can't help thinking that somewhere, deep within that European machine, there is someone quietly patting themselves on the back at this small triumph of privacy over the transatlantic reach of US law.