Financial institutions have not signed on to the safe harbor privacy agreement hammered out in July by negotiators from the United States and the European Union, but they ought to, or will likely miss out on business opportunities in Europe, says Barbara S. Wellbery, one of the primary architects of the pact.
The European Commission Directive on Data Protection, a standard put in place two years ago that imposes strict controls on how companies can use information about their customers, is more stringent than U.S. standards, and the Europeans had urged the United States to adopt tougher privacy laws. Among other things, the directive restricts information-sharing by corporate affiliates.
As a compromise, the negotiators created the safe harbor agreement, which lets companies voluntarily submit to European Union guidelines. Those that sign on have more leeway for doing business in Europe than those that do not.
Ms. Wellbery, who heads the electronic commerce task force for the International Trade Administration in the Department of Commerce, told the Consumer Bankers Associations 2000 Privacy Conference: If youre not doing business with Europe, you can continue to snore on. If you are, you should be thinking about what level of risk youre willing to operate on, how you can weather a front-page story in a European or U.S. newspaper that says you didnt protect privacy, and what that would do to your brand.
The European Commission directive requires each of its 15 member states to implement various regulations and procedures, including one that prohibits members from transferring personal data to any country outside the European Union unless they demonstrate adequate data protection. In July, the commission announced that American institutions meeting safe harbor principles would be recognized as having such protection.
Ms. Wellbery said the directive represents the prospect that Europe could control data flows and said $120 billion a year in trade depends on international data-sharing. We see information as the holy grail and the third rail in the economy.
She pointed out that the directive involves all personal data files. For example, a European office of a U.S.-headquartered company could not send its employee telephone list to the United States unless it had signed on to safe harbor.
In response to U.S. protest, the European Commission has issued a temporary standstill on enforcing the provision. But Ms. Wellbery told the conference that it was only a political and not a legally binding arrangement.
She said the International Trade Administration has been trying to convince the Europeans that the American approach of self-regulation can be an effective way of protecting privacy. Still, she said, there is no denying that the Europeans have their own ideas. Its definitely a more omnibus, more legislative, more prescriptive more European, in a nutshell approach.
U.S. bank regulators have so far resisted safe harbor, Ms. Wellbery said. The agreement requires institutions to sign up with an independent organization from the private sector (such as the American Arbitration Association) and with one government agency (such as the Federal Trade Commission) to handle the institutions enforcement of the safe harbor guidelines. The agreement goes beyond the stipulations made by the Gramm-Leach-Bliley Act in prohibiting institutions from sharing customer information with an affiliate without the customers consent.
Stephen Durkee, vice president of privacy implementation at Citigroup Credit Services Inc., asked what would happen if a bank that had not joined the agreement purchased a company that had. Ms. Wellbery replied that she would encourage the bank to follow suit and join. Otherwise, she said, any information acquired under safe harbor by the purchased company would have to be deleted.
If youre going to join safe harbor, I suggest you do it thoughtfully and with the consent of your entire organization, she said.
Japan issued a first draft of legislation similar to the European Unions directive in September. Hong Kong and Taiwan already have legislation in place that cannot be enforced because of Chinas lack of privacy protection laws. Legislation has been passed recently in Canada, and Australia has legislation pending, Ms. Wellbery said.