In a move that critics say leaves businesses and consumers in a state of legal uncertainty about how personal data should be handled, the Department of Justice has postponed until autumn the heads of a Bill on the EU's 1998 Data Protection Directive.
"This is a continuing problem, that we delay in implementing European legislation," said Mr Denis Kelleher, a barrister specialising in information technology law. He says that Irish companies are uncertain about their obligations and legal liabilities under the new directive when handling personal data.
As a consequence, they are unable to install computer systems to manage data correctly. "The whole status of data protection law is very vague," he said.
The directive extends privacy protections in the 1988 Data Protection Act to address more comprehensively the way data can be gathered and processed using information technology and the Internet. Paper files will also be included under protections that currently apply to computer-held data only, and - in a key and controversial provision - the new directive places restrictions on the export of data on EU citizens to non-EU countries.
So far, seven EU states have implemented the directive, which, for the past year, has been the subject of a major row between the US and the EU because of its data-handling restrictions. Under the terms of the directive, non-EU countries would have to handle data from EU citizens under the same terms that apply in the EU.
In particular, the US has resisted giving European consumers access to data records held on them by US companies. Access to all data records is a primary provision of the 1988 and 1998 Data Protection Acts.
The directive is of particular concern to businesses because, if implemented as it stands, it could bring to a standstill the operations of the many European-based companies that exchange data with US-based companies. Irish companies which do "back office" processing of data for US companies, are branches of US multinationals, or operate international telecentres could all be affected.
For consumers, the Act could prevent basic electronic commerce transactions because, without a resolution on data-handling issues, US companies could not accept credit card details from Europeans.
Top level negotiations between the US Commerce Department under-secretary, Mr David Aaron, and the EU have failed to produce a compromise, although the US has proposed allowing trade to continue between companies under so-called "safe harbour" principles. These would be voluntary agreements to follow some data privacy guarantees, such as allowing people to opt out of having their data used for marketing purposes.
"Blockage of data could threaten billions if not trillions of dollars or euros in international trade and investment," Mr Aaron said in a speech last month. "Beyond that, the very future of the vastly promising electronic commerce marketplace may well hang on whether we can find ways to bridge our final differences."
But US and European privacy advocates and consumer groups have rejected strongly the proposals put forth by the US. "We take the view that what's on offer from the US is not acceptable," said Mr Jim Murray, director of the European Consumers' Organisation. The group has formally complained to the EU that the safe harbour negotiations have taken place out of public scrutiny and without the opportunity for any formal public response.
Mr Murray, who was formerly the director of consumer affairs in Ireland, also rejects complaints by US companies that EU protections would be too difficult to implement.
According to Ireland's assistant data commissioner, Mr Tom Lynch, "the issues are huge." But he said Ireland's implementation of the law is not a pressing issue because, under the new directive, computer data is given a derogation from the directive's provisions until October 24th, 2001. He also noted that, because the new directive is an extension of an existing directive, "the principles are already in Irish law".
