Europe Privacy Directive Likely To Leave U.S. at a Disadvantage

Two months before stringent personal privacy guidelines are to take effect in Europe, the divide between American and European policies in that sensitive area shows no signs of closing.

Because of what the European Union deems to be inadequate privacy protections, the United States is likely to be left off the list of countries that meet the standards of the European Union Data Protection Directive.

This puts American companies, such as credit card issuers with their sophisticated data mining and target marketing strategies, in a difficult position to pursue the European consumer market.

It is all but certain that when the directive becomes effective Oct. 25, there will have been no resolution that satisfies American companies' appetite for personal data and Europeans' fear of the consequences.

U.S. organizations will have to seek special contractual provisions to transfer data on individuals back to the United States.

"There is a fair degree of paranoia in Europe," said Charles A. Prescott, first vice president of international business development and government affairs for the Direct Marketing Association. "In this country we look and wait for real damage like identity fraud, and then we legislate to the existing evil. The Europeans say, 'We have already had that evil. We call it World War II.'"

Privacy is festering as a global issue. Several banking associations have come forward with suggested self-regulatory guidelines in hopes of staving off national punitive or restrictive legislation. U.S. authorities have threatened as much unless private industry gets its act together, and regulators have begun to ask banks to disclose whether they have privacy policies.

The European Union's directive was designed to prevent personal data on Europeans from leaving Europe. The 15 member states of the European Union are generally leery of American-style direct marketing based on personal information collected internally or bought from other sources.

To satisfy the Europeans, the United States would have to pass federal privacy legislation and create an enforcement agency, which most experts do not view as a short-term likelihood.

However, the European Union permits companies to make written commitments, essentially stating they will abide by European privacy laws and be held accountable should a citizen's rights be violated.

The intention is to "give Europeans the same rights (with foreign companies) that they would have in Europe," Mr. Prescott said.

The contracts are subject to approval by local European privacy authorities and by the European Commission. Citicorp entered into the first one in 1995 with Germany, which has been taken as a model for other such agreements.

According to the Center for Social and Legal Research, which publishes the newsletter Privacy & American Business, at least 75 U.S. companies have been drafting such contracts within the past several months. Among those are Banc One Corp.'s First USA credit card unit, NationsBank Corp., Chase Manhattan Corp., GE Capital Services, Morgan Stanley, Dean Witter & Co., MasterCard International, and Visa International.

The Center for Social and Legal Research, based in Hackensack, N.J., is advising the companies and acting as a liaison with European privacy authorities.

The problem with the contracts is that Europeans view them as only a stopgap. They are more concerned about the continuing lack of U.S. legislation and of a czar or ombudsman to oversee and implement it. Moreover, privacy authorities do not have adequate staffs to examine and approve each contract, said Asuncion Caparros, director of the Federation of European Direct Marketing in Brussels.

Alan F. Westin, a Columbia University law professor and publisher of Privacy & American Business, said the Europeans are not "thrilled about reviewing hundreds of contracts," but the contractual approach is "probably the best solution for the next three or four years."

The contracts allow privacy authorities to audit non-EU companies' use of consumer and employee data to ensure that only authorized people have access.

Privacy officials also want to monitor whether companies are keeping profiles of consumers to use for marketing purposes.

Many companies will be forced to change their customer disclosure statements.

"The Europeans are saying that if you want to get consent to use the (customer data) you need to tell the customer what sort of information will be used," said Scott Blackmer, an attorney with Wilmer, Cutler & Pickering of Washington. "That means the company is making legally enforceable promises to the consumer."

"When the Europeans think about data protection, they think about notice and choice, a clear ability on the part of the consumer to choose how their information is used," Mr. Westin said. "They are worried about direct marketing and profiling."

Privacy advocates like Simon Davies of London-based Privacy International have issued warnings to hold major corporations accountable to the data protection and transfer rules. In particular, he has targeted American Express Co. and Electronic Data Systems Corp., according to press reports. Mr. Davies has reportedly threatened to sue those companies because they track customers' purchases and may make that information available to their affiliates.

American Express is changing some of its disclosure statements, said spokesman James Tobin in London. But the European data directive will not have a radical impact on the way his company conducts business in Europe. "We were one of the first companies to implement a privacy system," Mr. Tobin said.

Europeans view sharing information with affiliates as a violation of their privacy principles.

Mr. Blackmer said there is much concern about the Citicorp merger with Travelers Group because the new Citigroup wants information on insurance customers to be available to the banking side of the business and vice versa.

"The whole idea of that merger is for cross-selling, but the data protection rules would impede the company from doing that unless the company told the customers that it will use this information about them to sell them services," Mr. Blackmer said.

Privacy experts said multinationals like American Express, which has a record of being sensitive to privacy issues, will be less affected by the requirements of European privacy laws. On the other hand, American Express and Citibank, for example, might attract closer scrutiny because they are so large and prominent.

Mr. Blackmer, who has worked with corporations on European privacy-compliance contracts, said privacy officials may "single out the largest targets, the companies who have the largest transactions," to make the point that they are serious about enforcement.

The companies that run the most risk under the privacy directive are those that lack formal data protection policies.

Mr. Prescott of the Direct Marketing Association said American banks in particular have not been proactive about the European rules and that can hinder any plans to do business in Europe.

Mr. Westin said banks are slowly waking up to how critical the privacy issue has become in both the United States and Europe.

With U.S. regulators raising questions about it and many bankers just getting up to speed, "We are in a transition phase in terms of what banks are doing about privacy," he said.

While bank regulators are not requiring privacy policies yet, Mr. Westin said, "the very asking of the questions is providing a road map for the banks to say, 'This is what we should do.'"

"American companies have been saying as a chorus, 'Trust us, we are going to do the right thing,' and there is very little evidence of that," said Duncan MacDonald, a 26-year veteran of Citibank, who recently retired as general counsel on privacy issues.

The fact that American businesses have not satisfied the U.S. government's concerns "gives the Europeans an argument," Mr. MacDonald said.
