Reform Law's Privacy Provisions Fail to Appease European Union

The privacy provisions in the financial reform law that President Clinton signed into law last week do not go far enough to satisfy the European Union.

The law did not help the cause of reconciling regulatory discrepancies -- the subject of tough negotiations for more than a year between European and American officials -- that could prevent U.S. banks, credit card companies, and others from marketing internationally using data-base techniques that have proved successful at home.

"We will have difficulty agreeing that (the U.S. financial modernization law) is adequate," said Gerard de Graaf, first secretary for trade matters in the Washington delegation of the European Commission. He did not specify the perceived weaknesses but said his side intends to "analyze the law carefully."

European and U.S. officials who spoke at a conference last week sponsored by the newsletter Privacy & American Business agreed that the privacy negotiations are at a pivotal stage and could conclude within six weeks.

At issue is a European Union privacy directive that took effect in October 1998. It stipulates that companies may not transfer data on European citizens into countries -- including the United States -- that are not deemed to have adequate consumer privacy laws.

Because of the gap in privacy protection philosophies -- U.S. laws are regarded as far more lenient and pro-business -- negotiations led on the American side by Ambassador David Aaron have focused on a "safe harbor" agreement that would let U.S. companies transfer data from Europe without violating the EU directive.

The financial reform law is only the latest stumbling block, according to participants in last week's privacy conference outside Washington.

Consumer advocates and some members of Congress share the European perspective on the privacy provisions. Among the most contentious provisions are those that allow companies to share consumer information with their affiliates and let consumers voluntarily "opt out" of marketing campaigns.

Privacy advocates say the onus should not be on consumers to disqualify themselves from marketing campaigns, but rather on the marketers to seek permission first.

Mr. de Graaf's counterpart in the United States, Barbara Wellbery, counselor to the undersecretary of the U.S. Department of Commerce, said that in the best case, the Europeans would declare the Gramm-Leach-Bliley Act and the Fair Credit Report Act adequate.

The Commerce Department maintains that if companies covered by those laws are in compliance, then "they don't have to be concerned about safe harbor language. They are already doing what they should be doing," said Robert Belair, a partner in the Washington law firm Mullenholz, Brimsek & Belair and editor of Privacy & American Business.

Mr. de Graaf said that the chief negotiators, Mr. Aaron and John F. Mogg, European Commission director general, had two "productive meetings" two weeks ago and that they would like to finish their work by mid-December.

"I thought I would be giving a post-mortem on these discussions," said Mr. de Graaf, who described the negotiations as "disappointingly slow. We have reached a stage where we can either agree to agree, or agree that reaching an agreement will be difficult."

One promising result of the discussions, Mr. de Graaf said, is an increased awareness in the United States of the importance of privacy. Some industry experts in the United States say the signing of a safe harbor agreement with Europe would serve as a road map for Congress in passing future privacy legislation.

The Europeans would like to see a federal privacy enforcement agency in the United States. The Federal Trade Commission is the closest to that description, but as Commissioner Orson Swindle said in a speech at the conference, the FTC is "physically incapable" of keeping up with the four million commercial Web sites and the 300,000 more that become active each month.

The United States wants to determine whether domestic companies are violating the safe harbor agreement and seeks assurances from Europe that such authority will rest here, Ms. Wellbery said. The United States would forbid European governments to cut off a company's trans-border data flows unless U.S. authorities find an "extreme case" of abuse.

Evan Hendricks, a consumer privacy advocate and editor of the newsletter Privacy Times, asked Ms. Wellbery whether the government is concerned that a safe harbor agreement could give European consumers more privacy protection than Americans. He was referring to the fact that many U.S. marketing practices -- such as data mining and consumer profiling -- are banned or strictly limited in Europe.

Ms. Wellbery said "consumers can vote with their feet" if they don't like a particular practice. "Europeans have a lot of laws," she added, "but I'm not sure that they can be enforced, or that people know what they are."

Mr. de Graaf said European consumers "don't vote with their feet. It would be a weird idea to Europeans to say, 'Give me some of your information in exchange for some of your privacy.' "

In a step toward the idea of a "privacy czar" that Europeans support, President Clinton last May named as chief counselor for privacy Peter Swire, associate professor of law at Ohio State University. Mr. Swire, who is on leave from the law school there, has written numerous articles on privacy and is co-author of None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive, published by the Brookings Institution last year.

The appointment of Mr. Swire "could be an inching towards some sort of federal privacy office," Mr. Belair said.

But Mr. Swire pointed out an important distinction: "I am part of the administration, unlike in Europe where the (privacy) officials are independent. I can't be a critic of the administration."

Mr. Swire said that because he has only two staff members, it is also unlikely he would assume an "enforcement role." He said his position within the administration "keeps privacy in the mix as legislative matters come up."

Mr. Swire's role resembles the one that Ira Magaziner played as the President's chief electronic commerce adviser.

Mr. Magaziner left the administration last December. Mr. Swire said his mandate is completely privacy-related, adding in an interview: "No one could fill Ira's shoes. He was responsible for a whole range of e-commerce issues at a very formative time."

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER