The Bush administration's rejection last week of a European privacy plan has left multinational financial services firms in limbo over how to export data to the U.S. without violating Europe's privacy laws.
Officials from the Department of Commerce and the Department of the Treasury said the proposal to have financial services firms sign contractual agreements guaranteeing privacy protection for personal data exported from Europe is unworkable. Instead, in a letter received by the European Commission last week, the Bush administration said it wants the commission to recognize existing U.S. privacy laws as suitable for European residents.
So far, the two sides appear to be at an impasse.
The Bush administration's letter said the contracts would "impose unduly burdensome requirements that are incompatible with real-world operations."
But an EC official dismissed the U.S.'s position. "They expressed their concerns, but in our view, these concerns are unfounded," said the Brussels-based official, who requested anonymity.
As proposed by European authorities, the privacy contracts "are not something to be negotiated," said David Aaron, a former Commerce Department official. "They are kind of 'take it or leave it.' "
"So, in effect, [the Europeans] are putting a squeeze on the financial services industry," said Aaron, who is now an attorney at Dorsey & Whitney LLP in Washington. "I would object to that if I were the administration, and I'm glad that they have."
The U.S. and the European Union last year negotiated a "safe harbor" agreement (which Aaron was involved in crafting) that allows U.S. companies to export data from Europe, provided they agree to voluntarily follow a set of privacy rules, such as allowing customers access to their data.
But the agreement didn't apply to financial services companies because such firms, unlike those in other industries, already face privacy regulation under existing law. Instead, the U.S. government wants European officials to recognize privacy protections included in the 1999 Gramm-Leach-Bliley Act, the 1970 Fair Credit Reporting Act and other existing U.S. laws.
Kirk Herath, chief privacy and public policy officer at Nationwide Financial Services Inc. in Columbus, Ohio, which has life insurance customers and a car insurance subsidiary in Europe, agreed with the administration's position.
"We believe that we have adequate regulations, and layering another set of protocols . . . would be onerous to the company and very costly, and I'm not sure it would get you anything more," he said.
Jonathan Winer, an attorney at Alston & Bird LLP in Washington, who is advising financial services firms on European privacy issues, called the model contracts "ludicrous." For instance, he said, if a U.S. company were importing data collected by a company in Europe, it could also be held liable if that business inadvertently or otherwise released data it wasn't supposed to. "It's not a reasonable proposition," he said.
But the situation remains murky for many companies in the financial services business.
"There's no easy shortcut answer for the U.S. and the financial services industry," said Bill Bradway, an analyst at Meridien Research Inc., a financial services consulting firm in Newton, Mass.
Financial institutions may have to implement different privacy standards for European data, Bradway said, although he added that doing so shouldn't cripple them. "They will solve the problem," he said.
Paul Meller and Juan Carlos Perez of the IDG News Service contributed to this report.
This story, "Bush rejects EU privacy plan," was originally published by Computerworld.