April 05, 2001, 4:12 PM — The Bush administration's rejection last week of a European privacy plan has left multinational financial services firms in limbo over how to export data to the U.S. without violating Europe's privacy laws.
Officials from the Department of Commerce and the Department of the Treasury said the proposal to have financial services firms sign contractual agreements guaranteeing privacy protection for personal data exported from Europe is unworkable. Instead, in a letter received by the European Commission last week, the Bush administration said it wants the commission to recognize existing U.S. privacy laws as suitable for European residents.
So far, the two sides appear to be at an impasse.
The Bush administration's letter said the contracts would "impose unduly burdensome requirements that are incompatible with real-world operations."
But an EC official dismissed the U.S.'s position. "They expressed their concerns, but in our view, these concerns are unfounded," said the Brussels-based official, who requested anonymity.
As proposed by European authorities, the privacy contracts "are not something to be negotiated," said David Aaron, a former Commerce Department official. "They are kind of 'take it or leave it.' "
"So, in effect, [the Europeans] are putting a squeeze on the financial services industry," said Aaron, who is now an attorney at Dorsey & Whitney LLP in Washington. "I would object to that if I were the administration, and I'm glad that they have."
The U.S. and the European Union last year negotiated a "safe harbor" agreement (which Aaron was involved in crafting) that allows U.S. companies to export data from Europe, provided they agree to voluntarily follow a set of privacy rules, such as allowing customers access to their data.
But the agreement didn't apply to financial services companies because such firms, unlike those in other industries, already face privacy regulation under existing law. Instead, the U.S. government wants European officials to recognize privacy protections included in the 1999 Gramm-Leach-Bliley Act, the 1970 Fair Credit Reporting Act and other existing U.S. laws.
Kirk Herath, chief privacy and public policy officer at Nationwide Financial Services Inc. in Columbus, Ohio, which has life insurance customers and a car insurance subsidiary in Europe, agreed with the administration's position.
"We believe that we have adequate regulations, and layering another set of protocols . . . would be onerous to the company and very costly, and I'm not sure it would get you anything more," he said.