banner
toolbar
February 23, 2000

U.S. and Europe Reach Tentative Pact on Personal Data
By JERI CLAUSING Bio
 After more than two years of negotiations, the United States and the European Union said on Wednesday that they had reached a tentative agreement on privacy laws governing the gathering of personal data about European consumers by American companies.

While both sides characterized the agreement as a breakthrough, key details, including how it would apply in cyberspace, remained unresolved.


Related Article
Trans-Atlantic E-Commerce Uncertain
(June 1, 1999)
Europeans are protected from the commercial gathering and selling of personal data -- including the kind of information gathered my many Web sites -- without their informed consent, while in the United States, industry is allowed to police itself.

David Aaron, the undersecretary of commerce for international trade, said the EU, meeting in Brussels, had agreed in principle to accept the United States model. But the few details revealed Wednesday suggested that, in fact, American companies would be leaning closer to the European model, since they would need consumer consent to transfer data to the United States and would be required to post notice of how the data would be used.

Companies that violated their stated practices would be subject to prosecution by the Federal Trade Commission and states and would be publicly sanctioned.

How American companies collect and use personal data about Europeans has been at issue since the European Union more than two years ago passed a directive prohibiting the flow of personal data about EU citizens to third countries that do not provide "adequate" privacy protections. The EU specified that consumers should be given notice and choice about what information is being collected about them, how it is used and access to the information companies have compiled on them.

The Clinton administration, on the other hand, has resisted efforts to pass similar privacy laws at home, pushing instead a model of self-regulation. For more than two years it has been negotiating to get the EU to accept a "safe harbor" plan that would allow companies that agree to follow specific standards to be exempt from potential legal action or data cutoffs generated by the directives.

A key sticking point has been enforcement, and whether a self-policing model was akin to letting the fox guard the hen house.

Gerard de Graf, first secretary in the European Commission's Washington office, said the EU gave in on self-enforcement after receiving assurances from the Federal Trade Commission that it would not only accept jurisdiction on complaints coming from Europe but would "deal with those complaints in an expedited way."

One privacy advocate, Deidre Mulligan of the Center for Democracy and Technology, said such an agreement would set a double standard that gives Americans "second-class" status in the privacy arena.

Mulligan said that all the effort by the Department of Commerce over the past two years "only benefits EU citizens when we know that U.S. citizens are extremely concerned about their privacy."
A key sticking point has been enforcement.

"I understand that Secretary Aaron's job is to promote free trade, but I firmly believe that the benefit of improved practices by companies should flow to U.S. citizens. And certainly enforcement actions that are funded by U.S. citizens should first and foremost be used to advance the privacy of U.S. citizens."

The thrust of the tentative agreement deals mainly with transfers of data between offices of multinational companies, like IBM, de Graf said.

The more complicated issues of how that directive will apply to cyberspace remain in dispute, he said. The United States, he said, has contended that the directive has no jurisdiction over Web sites operating outside of Europe.

"We internally in the EU haven't taken a final view as to whether our directive applies to Web sites that actively seek personal information," de Graf said. "So in the safe harbor agreement, we have said this doesn't deal with any jurisdictional issues."

But he added: "Politically, of course, this sends a strong signal about what we think is an acceptable way of collecting personal data. So if you are a Web site, you want to take this very seriously."

In addition to the directive's application in cyberspace, de Graf said the EU has not yet made a decision on whether a new U.S. law laying out how personal data must be handled by American financial institutions would be sufficient to meet the directive.

Aaron and de Graf said the two sides would continue working to resolve the final details but they hoped to get agreement from U.S. companies and the EU's member nations by the end of March. Aaron is leaving the Department of Commerce for a private law firm on March 31.

Related Sites
These sites are not part of The New York Times on the Web, and The Times has no control over their content or availability.

Jeri Clausing at jeri@nytimes.com welcomes your comments and suggestions.

Home | Site Index | Site Search | Forums | Archives | Marketplace

Quick News | Page One Plus | International | National/N.Y. | Business | Technology | Science | Sports | Weather | Editorial | Op-Ed | Arts | Automobiles | Books | Diversions | Job Market | Real Estate | Travel

Help/Feedback | Classifieds | Services | New York Today

Copyright 2000 The New York Times Company