Importance of data protection act hammered home again

Just how important it is for Bermuda to pass a proposed data protection act that is compatible with the European Union's can be seen by recent developments in the US. The Personal Data Offshoring Protection Act of 2004 (H.R. 4366) was introduced on May 13 in the US House of Representatives and would prohibit the transfer of the personal data of a US citizen to a country without adequate data protection laws.

The bill would also require businesses to give US citizens notice before transmitting personally identifiable information to foreign affiliates or subcontractors located in countries with adequate privacy protections. The bill, if passed, would essentially bring the US under the same strict data protection umbrella as the EU.

It directs the Federal Trade Commission to certify those countries that have legal systems providing adequate privacy protections and requires the certification of countries whose laws meet the requirements of the EU's Data Protection Directive.

Therefore, as argued previously in this column, Bermuda should comply with both the EU and US data protection provisions, as a means of protecting consumers on the Island and of ensuring businesses here can operate freely in North America and Europe.

According to Graham Wood, a lawyer at Appleby Spurling & Hunter, anything less would fall short and expose Bermuda companies to a loss of business. In a presentation given to the Bermuda branch of the Information Systems Audit and Control Association (you can read it at www.isaca.bm), Wood compares Bermuda's situation with that of the UK when it introduced data protection (DP) legislation in 1984. "By the time of its introduction the UK had already lost some major data processing contracts with Swedish and Danish organisations because both Sweden and Denmark prevented the export of data to states that did not provide similar DP legislation," he says. "The same reasoning may now apply to Bermuda. Will the country lose business if we do not fall in line?"

Data protection would apply in the case of a Bermuda-based holding company with a subsidiary in the UK that regularly sends it financial details (including payroll data) for audit purposes. Professional advisors based in Bermuda would also need access to personal data from a UK company in order to provide services to the company. "We could introduce specific DP legislation that mirrors the EU legislation," Wood argues. "It should be noted that the EU DP Convention provides that the 'Committee of Ministers may invite any State that is not a member of the Council of Europe to accede to this Convention'. The problem with this is that it is the regulatory approach taken by the Convention that would be wholly inappropriate for Bermuda. Any legislation that is introduced must therefore be 'Bermudianised'."

He notes that the changes might mean Bermuda could have difficulty getting such legislation accepted by the EU.

As a further example of how data protection legislation is changing the way businesses have to operate these days, I just have to point to the recent punch-up between the US and the EU over the transfer of airline passenger data between the two.

After almost a year of negotiation, the European Commission recently announced it had extracted new commitments from the US government guaranteeing protection for the personal data of transatlantic air passengers. The US wanted EU countries to transfer personal data of passengers on airlines travelling to the US before they arrived on US soil. However, the battle looks set to continue. Last month, the European Parliament decided to begin legal proceedings against the European Commission's decision about the information transfer.


Apple issued a new security update to its Mac OS X 10.3.4 and 10.2.8 platforms this week. A number of security issues are fixed in the update. Apple does not reveal what these are in a bid to keep the vulnerabilities secret from hackers. The update also increases security by alerting users when an application is automatically started for the first time. The alert is intended to warn users when they click on an untrustworthy link that tries to automatically open a downloaded application designed to cause harm to the system.

Microsoft has also issued a security update for Windows 2000 users. The "hotfix" corrects a fault that leaves Windows 2000 domains open to a security policy violation. Reportedly, if a Windows 2000 domain is of exactly eight characters, domain accounts with expired passwords can still be used to log into the domain. Go to www.SecureBermuda.com where I have put the direct links to the updates issued by Apple and Microsoft.


CNET is offering a free online course from June 14 to August 2 for those of you who want to learn how to buy and use a digital camera. Sign up for the free course at ww.cnethelpu.com.
