EU asked to tone down privacy standards

The Bush administration says the current blueprint would make it difficult for U.S. financial institutions to conduct business abroad.

Stefanie Olsen, Staff writer, CNET News
The Bush administration is pressing European regulators to weaken proposed privacy standards for consumers, saying that the current blueprint would make it difficult for U.S. financial institutions to conduct business abroad.

In a March 23 letter addressed to John Mogg, director general of the European Commission, the departments of Treasury and Commerce struck a note of worry about standard contract clauses proposed by the group for business agreements between U.S. and European companies.

Such contracts outline what companies can and can't do with consumer data in business deals across country lines. But a difficulty arises in the fundamental differences in consumer privacy protections in Europe and the United States. The European Union's privacy directive, for example, stipulates that consumers must have access to data collected about them and have the opportunity to destroy or change such data.

The United States' policy is more liberal, centering on the collection and resale of data from public records and giving consumers the ability to "opt out" of information sharing, privacy experts say. Because the EU has stricter privacy laws, U.S. companies could run into problems in the exchange of such data across international borders.

"The debate is nearing a showdown, and the European Commission appears to be taking the tack that: 'We're going to play by our rules, and if U.S. financial institutions want to do business in international markets covered by the EU, then they have to play by our rules,'" said Bill Bradway, co-founder of Meridien Research, which specializes in studying the impact of technology on financial institutions globally.

Last week's letter stated that the financial sector may be "adversely affected" by the EU's proposal and that the standard clauses "impose unduly burdensome requirements that are incompatible with real-world operations." These concerns were previously described in a joint Treasury-Commerce letter sent to the EU in February.

Representatives from the EU office in Washington, D.C., could not be immediately reached for comment.

The Internet plays an increasingly critical and complicated role in setting privacy standards. Because capturing data over the Internet is standard practice for many companies, including financial institutions, companies could run into roadblocks if they have to treat data from European customers differently from data on customers in the United States.

"In order to do business in Europe, financial services companies are going to have to comply with this much, much stricter privacy provision of the EU directive," said Debra Pierce, an attorney with the Electronic Frontier Foundation (EFF).

The EU's proposal would affect the largest financial institutions, including JP Morgan, Merrill Lynch and Morgan Stanley Dean Witter, because they are operating overseas or have plans to do so.

Within the letter, the departments of Commerce and Treasury urged the commission to give the parties involved more time to find an adequate solution.

The letter suggests potential conflicts could arise if stipulations in the standard clauses fail to match guidelines financial institutions are implementing in accordance with the Gramm-Leach-Bliley Act of 1999, which mandates consumer privacy protections.

The Bliley Act requires financial institutions, including insurance companies, brokerages and banks, to let customers opt out of potential data-sharing practices among those three parties. Privacy experts say that the EU directive is much more strict.

Also at issue is what's known as "safe harbor," which doesn't cover financial institutions. Safe harbor is an arrangement negotiated by the Department of Commerce and the EU in which companies agree to abide by a set of guidelines dealing with the transfer of data, for example, between countries with strict privacy protections to those with more lax policies.

The safe harbor applies to large commercial companies operating globally, such as Coca-Cola or McDonald's. Only a small number of companies have signed up, however.

Those provisions are less stringent than the contract standards. For example, they allow companies to provide some reasons why customer information can be shared without consent, privacy experts say. Therefore, standard contract clauses could not only impose harsher privacy standards on financial institutions than the Bliley Act; they could also levy stronger restrictions than are placed on companies operating under safe harbor provisions.

"The whole other can of worms is the jurisdiction question. How far can another country reach in another country's business?" asked EFF's Pierce.