U.S. still deadlocked with EU on privacy

Despite optimistic progress reports, the United States and European Union are not headed toward a compromise over a strict EU privacy law that threatens to cut off the transfer of personal information between their two international jurisdictions.

Officials had hoped to reach an agreement by Monday but now say they are still working on a plan. Some observers say a final proposal may not come until as late as December.

The European Union's privacy directive has been adopted by seven member countries and is expected to pass muster with the remaining eight. In addition to requiring that firms disclose how they intend to use personal information, it says they cannot exchange data with countries that don't "adequately" protect it.

Privacy and Security Topic Center In Special Reports  No clear path to Net privacy In News  The Paranoiac's Toolkit In Software  The Pentium III and Privacy In Hardware  Talk about online privacy In Message Boards  Find your birth parents online On CNET TV

To the contrary, the United States favors industry self-regulation efforts, which EU officials say have weak enforcement mechanisms. In addition, U.S. companies do not want to be forced to give European citizens access to their personal records.

"We think that our system is more than adequate to protect personal privacy," Commerce Department undersecretary David Aaron, who is the nation's emissary on this issue, said during a speech in the Netherlands last week. "But in Europe, our system is unfamiliar and thus suspect."

To prevent U.S. companies' data transfers from being cut off by the EU, the Clinton administration has proposed safe harbors that would allow firms to continue exchanging information if the companies voluntarily comply with some basic principles, such as notifying people of their data-collection practices, letting people "opt out" of giving up their personal information, and stating who will share access to the data.

But the safe harbor proposal is hitting snags as well.

"New issues have come up regarding enforcement and other areas of implementation that are occupying our time and slowing our progress," Aaron said in his address. "U.S. organizations want assurance that they will have independent and fair reviews of any non-compliance determinations about them."

Privacy advocates are more pointed on the matter: "They are stalling," said Jason Catlett, founder of Junkbusters, a clearinghouse for privacy-protection measures.

Consumer groups contend that EU entities are already breaking the law if they exchange data with U.S. companies that are not meeting standards outlined in the directive.

In the meantime, if an EU consumer files a complaint with a local privacy authority about a data transfer to a U.S. company, the safe harbor negotiations could be thrown into a tailspin. That this could have a negative effect on e-commerce and other business, something that is not lost on Aaron.

"Blockage of data could threaten billions if not trillions of dollars--or euros--in international trade and investment," he stated. "Beyond that, the very future of the vastly promising electronic commerce marketplace may well hang on whether we can find ways to bridge our final differences."