EU Privacy Rule Worries U.S. Firms

A sweeping measure by the European Union aimed at protecting its citizens’ privacy in the digital age has left U.S. companies and government officials struggling to comply and protect the billions of dollars in trade that depends on data flows across the Atlantic.

Adopted in October, the European Union Directive on Data Protection sets strict rules for companies that handle European consumers’ personal data, ranging from food choices on airline flights to credit card purchases.

The measure underscores long-standing differences between the patchwork approach to privacy protections in the United States and more aggressive European policies shaped by a history of abuses dating back to Nazi Germany.

The directive could affect countless American companies because it bars transmission of personal information to any country without “adequate” safeguards, a vaguely defined standard that deeply worries U.S. firms.

Those concerns are at the heart of negotiations between Washington and the European Union, which are set to resume March 16, two months before their next summit, and focus on whether U.S. privacy practices will prove adequate under the new rules.

If the negotiations fail, executives at many giant U.S. firms fear they could be the targets of trade skirmishes in which privacy policies are used as weapons.

But even a compromise could be costly for U.S. companies and put them in the awkward position of affording greater protections to overseas consumers than those in their own country.

The rules, for example, could force U.S. firms to give European consumers greater notice about how their personal information is used, obtain their permission before passing it to others and possibly even submit to costly audits of their data handling practices.

The looming battles are illustrated by an ongoing case in which Sweden is poised to block the Sabre Group, a giant Fort Worth-based airline reservation system, from transmitting data ranging from passengers’ meal preferences to requests for wheelchair assistance.

Confusion Over Impact

The case hinges on a law that predates the directive but is being closely watched as the type of conflict that could be repeated across the continent as the measure is implemented.

“Is this a foreshadowing of things that might happen to other companies?” said Sterling Miller, a Sabre attorney. “You bet it is.”

The stakes are significant because trade between the United States and Europe tops $550 billion per year. Increasingly, that trade is dependent on, if not embodied by, the free flow of computer data across the Atlantic.

Citigroup Inc., the largest international issuer of credit cards, handles all of its worldwide transactions at a data center in South Dakota. Ford Motor Co. transmits detailed records on European employees. And electronic commerce giants such as Amazon.com field orders around the world on computers in the United States.

The directive is mainly aimed at the 15 member countries of the European Union. Each is required to create a government agency to enforce privacy laws, for instance, and to guarantee that consumers can access and, when appropriate, correct or delete information companies keep on them.

But the component that has captured U.S. attention is Article 25, which bars transmission of data to any country that doesn’t ensure “an adequate level of privacy.”

The vagueness of that language has alarmed U.S. companies and privacy experts, including Peter Swire, an Ohio State University professor who this week was tapped to coordinate the Clinton administration’s privacy policies. In a recent book, Swire said the directive even makes it illegal for U.S. travelers to come home with names and phone numbers of European clients on their laptop computers.

European officials insist the directive will never be taken to that extreme and say they have no intention of starting a trade war. Nevertheless, many U.S. companies fear they could be vulnerable to rogue European privacy bureaucrats and point to Sabre as an example.

The squabble centers on what Sabre officials describe as an unexpected turn in a routine registration process several years ago. The Swedish Data Inspectorate said it would only approve Sabre’s application if the company started notifying Swedish passengers that their flight reservation data is transmitted to the United States.

Sabre executives objected because doing so would impose a costly and cumbersome new requirement on the company’s affiliated travel agents. But Sabre’s primary concern was that rival reservation systems weren’t being forced to make the same changes, some because they are based in Europe and others because they simply hadn’t bothered to register.

Sabre, formerly a unit of American Airlines, has been allowed to continue routing data to its Tulsa, Okla., center because the company has appealed the Swedish decision through three layers of the country’s court system. Miller, the company’s senior attorney on the issue, said they expect to hear soon whether the Swedish Supreme Administrative Court will hear the latest appeal.

In the meantime, many U.S. companies are casting a wary eye on the case because, as Miller said, “this is an example of what you could see in Germany or France or somewhere else if their national data privacy boards want to make it an issue.”

For now, the European Union has agreed not to enforce the privacy directive while negotiations with the United States continue. If Europe were to lift that enforcement ban, U.S. officials have threatened to treat any data stoppage as a trade violation and take the matter to the World Trade Organization.

David Aaron, undersecretary of Commerce, has led the efforts to carve out a “safe harbor” arrangement for U.S. companies that volunteer to comply with certain principles. To be shielded from European interference, companies would have to take steps, including providing greater warnings to consumers about how their data will be used.

But the talks have repeatedly snagged on two key issues: how much access European citizens should have to data held by U.S. companies and how the terms of any safe harbor arrangement will be enforced.

The latter is a particularly nettlesome point because U.S. proposals rely heavily on industry self-regulation, a mechanism European officials simply don’t trust.

“We would not accept a situation where the only way to deal with a problem is to sort it out with the company that is the root of the problem in the first place,” said Gerard de Graaf, a member of the European negotiating team. “Our member states would think we have gone mad.”

Approaches Vary by Continent

The debate underscores deep differences between Europe and the United States on privacy issues.

The United States has traditionally relied on a patchwork of self-regulation and narrowly tailored laws. This piecemeal approach helps to explain why the United States is the biggest market in the world for the type of personal data that fuels everything from the catalog industry to investment scams.

In European countries, on the other hand, privacy is more typically regarded as a fundamental human right, often guarded by omnibus legislation. The approach can seem heavy-handed by American standards, De Graaf said, but it is shaped by fears of privacy abuses dating back to the Nazi atrocities during World War II.

European officials know that Sabre is a trustworthy company, De Graaf said. Nevertheless, the fact is “that Sabre could build a database of Jewish people or Muslims or handicapped” people based on their meal and seating requests.

The White House has spent much of the last few years pressuring U.S. companies to upgrade their privacy policies, partly to improve the United States’ bargaining position with Europeans. That effort has prompted unprecedented cooperation among dozens of giant companies, including Microsoft Corp. and America Online Inc.

Waiting for an Agreement

Privacy advocates are paying close attention to see if these same companies, in their pursuit of a safe harbor, make concessions to European citizens that they have been reluctant to grant to U.S. consumers.

Aaron, the top U.S. negotiator, has pledged to have an agreement in place by June 21, the next scheduled summit between the United States and the European Union. But many privacy experts are skeptical and point to a string of missed deadlines.

“Aaron was sure they’d have an agreement by last summer, then by last October, then by the end of the year,” said Marc Rotenberg, director of the Electronic Privacy Information Center in Washington. “Now he’s sure by the summit in June. I’ve never met anybody quite so sure and so wrong so many times.”