WASHINGTON - The European Union on Wednesday approved new rules governing how American businesses, including banks, may share customer and employee data across the Atlantic.
When the rules take effect, which is expected in October, the roughly 1,000 U.S. institutions with European operations will have to comply with both the European Union rules and rules mandated by the Gramm-Leach-Bliley Act of 1999.
"This doubles the burden for financial institutions," said privacy law expert L. Richard Fischer, a partner in the Washington firm of Morrison & Foerster. "The major task is sorting out the differences and operating under two sets of rules. That is always expensive for banks."
U.S. banks will have to "make decisions as to how the notice differs from what Gramm-Leach-Bliley requires," he said. "The [U.S. and European] rules deal with similar privacy principles in very different ways."
For example, the stricter European rules focus on information sharing among affiliates and third-party service providers, and they require businesses to give customers a chance to refuse to have their information shared.