Transatlantic Privacy War Heats Up

Welcome Guest. | Log In| Register | Membership Benefits

March 28, 2001 (8:10 AM EST)

By Mary Mosquera,

The transatlantic tug of war over privacy standards notched up as the Bush administration complained to the European Union about the burden its rules will put on U.S. financial institutions.

Senior Commerce Department and Treasury officials said in a March 23 letter released Tuesday that Europe's requirements protecting consumer privacy are "incompatible with real-world operations."

U.S. financial institutions are putting in place privacy protections under the Gramm-Leach-Bliley Act that modernized the banking system. But those privacy protections fall short of those mandated for Europeans by the EU privacy directive.

The debate is rooted in philosophical differences between the United States and European Union over data privacy at the customer level, said Bill Bradway, co-founder of Meridien Research in Newton, Mass., which analyzes uses of technology in financial services. The EU favors the customer, while the U.S. is more liberal toward business, he said.

Proposed standard clauses for contracts that govern the transfer of data from EU firms to companies in the U.S. were the chief sticking point, said the letter to the EU's e-commerce commissioner John Moog. The European Parliament must still approve the standard clauses but they are expected to become effective this summer.

The standard clauses are model contracts that add specific terms beyond those of the EU privacy law.

The adoption of the proposed standard clauses will "introduce uncertainty about the use of contracts," said Treasury undersecretary for domestic finance Donald Hammond and Commerce acting undersecretary for international trade Bernard Carreau in the letter. The officials asked the EU to delay implementing the standard clause rules.

For example, the model contracts would require U.S. firms to notify European consumers how their personal information is used and to give European consumers access to personal information that has been collected about them. The EU privacy law would require U.S. companies to apply EU law in the United States for European consumers, which U.S. lawmakers earlier this month said infringes upon U.S. sovereignty.

The EU rules will affect U.S. banks, brokerage houses, insurance companies, and large multinational corporations with lending and investing operations, but only those, such as Citigroup and American Express, that have European customers, Bradway said. It will not affect America's community bankers.

"We believe there is a serious danger the adoption of the standard clauses will create a de facto standard that would raise the bar for U.S. and foreign firms" and be applied to all e-commerce operations, Hammond and Carreau said.

The privacy debate will continue until the U.S. and EU find some middle ground that the U.S. can live with, Bradway said. "I think the EU Commission feels it has the upper hand. In sports, that's playing the home court advantage," he said.

Technology can be engineered and deployed to meet a different set of privacy requirements for U.S. and European customers, Bradway said. "But it will add a lot of cost and complexity to U.S. institutions that have to provide that environment. They will have to ask if it's worth it," he said.

The EU carries a lot of clout and it has many of the world's large banks, he said. "But other parts of the world have regional identities also. I wouldn't jump to the conclusion that the EU directive is going to be the standard for the world," Bradway said.

The Clinton administration negotiated with the EU a Safe Harbor agreement to allow the self-regulatory nature of U.S. privacy protections to co-exist with the EU's regulatory culture. U.S. companies who signed up promised to follow fair information practices in e-commerce enforced by the U.S. Federal Trade Commission. In return, the EU would not prosecute the U.S. firms or cut off European data from them.

So far, only 25 U.S. companies have signed up for the self-regulating Safe Harbor. Companies that do not participate in the Safe Harbor effort and want to collect personal data from Europeans will have to enter into model contracts that obligate them to the terms of EU privacy law.