EU-U.S. privacy dispute won't end soon

Effective in October, the directive is set to become law in all 15 EU states. The law will give citizens new control over their personal data and prevent database-marketing firms, Web sites, credit card companies, medical firms, and others from exchanging personal data with countries that do not provide "adequate" protection of the data.

U.S. officials said they hoped to negotiate a compromise by the end of the year to keep data flowing, but according to reports about EU concerns, progress has been slow.

Members of Privacy International (PI), a civil rights group based in the United Kingdom and Washington, said today they are not satisfied with U.S. plans for dealing with the EU privacy directive. The statements came after the group met Commerce Department and State Department officials for an hour and a half today.

The group intends next year to file complaints with individual EU privacy commissions against European firms that it suspects are not safeguarding data or are exchanging sensitive records with companies that don't meet the EU standards. The complaints could be followed by consumer protection lawsuits.

To prevent U.S. companies' data transfers from being cut off by the EU, the Clinton administration has proposed safe harbors that would allow firms to continue exchanging data if the companies voluntarily comply to basic principles, such as notifying people of their data-collection practices, letting people "opt out" of giving up their personal information, and stating who the firm shares the data with.

The safe harbor proposal mimics many of the self-regulatory privacy guidelines already in place by many e-commerce Web sites. Still, Privacy International says the European Union should not bend the rules for the United States because it is not offering adequate enforcement of the guidelines--most EU countries have a privacy commission to deal with complaints and noncompliance.

"We realize the U.S. officials are hell-bent on defending their entrenched position," said Simon Davies, the executive director of PI who attended the meeting. "But there is no common ground between the activists and the US government.

"The proposed safe harbors create a false sense of security," he added. "There are not deals to be cut here. The ball is the U.S. court and it's up to it to do the right thing."

Commerce Department officials were not immediately available to comment on the status of the negotiations with the EU or the meeting with Privacy International. But they have said in past interviews that the department's talks with the EU are positive and that they plan to reach an agreement by year's end.

Gerard de Graaf, who is first secretary for trade at the European Commission's delegation to the United States, said today that discussions were fruitful and would continue through early next year. The main sticking points are the U.S. proposals to give people access to data collected by companies and adequate enforcement.

"Things are going well and moving into the right direction. It's taking a bit longer than we expected," de Graaf said.

"We want the principles in question to be strengthened in some areas. We think the U.S. [proposal for] reasonable access leaves too many loopholes--that it is too vague," he added. "But we are very sympathetic to concerns that access shouldn't lead to abuse and enormous costs." A consensus is critical. "They are our main trading partner and from our perspective, it's important to talk to the United States," de Graaf said.

Privacy International hopes that EU officials will listen to its concerns before cutting a deal, however. "The [EU] is truly committed to enforcing this law that took them 10 years to pass," said David Banisar a staff attorney for Electronic Privacy Information Center and member of PI.

"The U.S. has only tried to repackage voluntary guidelines over and over," he added. "The EU knows it can't reach an agreement with United States that doesn't involve substantive protections."

Banisar said the United States would be smart to endorse legislation similar to a proposal being pushed forward in Australia. The federal government there said it would introduce privacy laws for the private sector that will be developed by business, but strictly enforced by regulators, according to the Associated Press.

The dissatisfaction out of London comes as a major U.S. privacy effort, TRUSTe, today trumpeted its success in getting Web sites to sign up for its privacy logo program, a key element in efforts to rely on industry self-regulation to safeguard consumer privacy.

TRUSTe said it has 424 licensees--up from 42 a year ago--including all the major "portal" sites--America Online, Excite, Infoseek, Lycos, Microsoft, Netscape, Snap, and Yahoo. TRUSTe counts 45 of the top 100 Web sites as licensees. (Snap is a joint venture between NBC and CNET: The Computer Network, publisher of News.com.)

Still, privacy activists insist that voluntary programs, such as the safe harbor proposal, don't give people inherent privacy rights and recourse if a privacy agreement is violated.

"The EU is not going to accept a solution that doesn't address the rights of Europeans," said Jason Catlett founder of Junkbusters, which offers privacy protection technologies.

"And if American companies provide higher levels of protection for European customers, then Americans are going to take note--they won't want to be treated like second-class citizens with less protections than Europeans," he added.