The Bush administration is pressing European regulators to
weaken proposed privacy standards for consumers, saying that the current
blueprint would make it difficult for U.S. financial institutions to
conduct business abroad.
In a March 23 letter addressed to John Mogg, director general of the
European Commission, the departments of Treasury and Commerce struck a note
of worry about standard contract clauses proposed by the group for business
agreements between U.S. and European companies.
Such contracts outline what companies can and can't do with consumer data in business deals across country lines. But a difficulty arises in the fundamental differences in consumer privacy protections in Europe and the United States. The European Union's privacy directive, for example, stipulates that consumers must have access to data collected about them and have the opportunity to destroy or change such data.
The United States' policy is more liberal, centering on the collection and
resale of data from public records and giving consumers the ability to "opt
out" of information sharing, privacy experts say. Because the EU has
stricter privacy laws, U.S. companies could run into problems in the
exchange of such data across international borders.
"The debate is nearing a showdown, and the European Commission appears to
be taking the tact that: 'We're going to play by our rules, and if U.S.
financial institutions want to do business in international markets covered
by the EU, then they have to play by our rules,'" said Bill Bradway,
co-founder of Meridien Research, which specializes in studying the impact
of technology on financial institutions globally.
Last week's letter stated that the financial sector may be "adversely
affected" by the EU's proposal and that the standard clauses "impose unduly
burdensome requirements that are incompatible with real-world operations."
These concerns were previously described in a joint Treasury-Commerce
letter sent to the EU in February.
Representatives from the EU office in Washington, D.C., could not be
immediately reached for comment.
The Internet plays an increasingly critical and complicated role in
setting privacy standards. Because capturing data over the Internet is
standard practice for many companies, including financial institutions,
companies could run into roadblocks if they have to treat data from
European customers differently from data from customers in the United States.
"In order to do business in Europe, financial services companies are going
to have to comply with this much, much stricter privacy provision of the EU
directive," said Debra Pierce, an attorney with the Electronic Frontier
The EU's proposal would affect the largest financial institutions,
including JP Morgan, Merrill Lynch and Morgan Stanley Dean Witter, because
they are operating overseas or have plans to do so.
Within the letter, the departments of Commerce and Treasury urged the
commission to give the parties involved more time to find an adequate
The letter suggests potential conflicts could arise if stipulations in the
standard clauses fail to match guidelines financial institutions are
implementing in accordance with the Gramm-Leach-Bliley Act of 1999, which
mandates consumer privacy protections.
The Bliley Act requires financial institutions, including insurance
companies, brokerages and banks, to let customers opt out of potential
data-sharing practices among those three parties. Privacy experts say that
the EU directive is much more strict.
Also at issue is what's known as "safe harbor," which doesn't cover
financial institutions. Safe harbor is an arrangement negotiated by the
Department of Commerce and the EU in which companies agree to abide by a
set of guidelines dealing with the transfer of data, for example, between
countries with strict privacy protections and those with more lax policies.
The safe harbor applies to large commercial companies operating globally,
such as Coca-Cola or McDonald's. Only a small number of companies have
signed up, however.
Those provisions are less stringent than the contract standards. For
example, they allow companies to provide some reasons why customer
information can be shared without consent, privacy experts say. Therefore,
standard contract clauses could not only impose harsher privacy standards
on financial institutions than the Bliley Act; they could also levy
stronger restrictions than are placed on companies operating under safe
"The whole other can of worms is the jurisdiction question. How far can
another country reach in another country's business?" asked EFF's Pierce.