U.S. Firms Abstain From EU Privacy Pact

Commerce Secretary Norman Y. Mineta tried to drum up support Thursday for an international privacy pact that so far has failed to draw much enthusiasm from the U.S. companies it was designed to protect.

Fewer than a dozen American firms have agreed to abide by the so-called safe-harbor agreement with the European Union, officials said Thursday. The pact, which took effect Nov. 1, was negotiated by the Commerce Department to ensure that U.S. firms could continue doing business in Europe without running afoul of the region’s stricter data-protection laws.

For more than two years, American companies have been worried that European regulators would begin prosecuting them for using personal information about consumers without permission, endangering the $350 billion in trade between the U.S. and Europe.

“By signing up for the safe harbor, U.S. companies are assured that they are in compliance with [European laws], while at the same time, U.S. and European citizens know that their personal information is protected when transferred across the Atlantic,” Mineta said.

The privacy pact took years to negotiate but left neither side satisfied. European regulators complain that the rules don’t go far enough in protecting the use of personal information collected about Europeans by U.S. firms, ranging from Internet purchases to airline meal preferences. American companies fear they will expose themselves to new legal liabilities if they adopt the safe-harbor agreement.

It’s also unclear whether the Bush administration will continue to support the agreement. Mineta has been tapped to become Bush’s Transportation secretary. Commerce Department officials said Thursday they have not been in contact with Bush’s representatives on the issue.

Many U.S. firms are taking a wait-and-see attitude.

“It’s like an eighth-grade dance,” said Lauren Hall, executive vice president of the Software & Information Industry Assn., which has refrained from endorsing the pact. “Everyone’s standing around the punch bowl, but no one wants to be the first one on the floor.”

Most affected are U.S. technology firms with operations in Europe and large e-commerce retailers, such as America Online, Amazon.com and EBay. The dispute also has drawn interest from airline carriers and financial-services firms.

Among other things, the safe-harbor agreement requires that U.S. companies disclose how they use personal information, give European consumers a chance to stop their information from being released and offer a third-party dispute resolution service.

Dun & Bradstreet, which sells financial data about millions of businesses worldwide, is the largest company to seek safe-harbor protection so far. Others include a software company, a health-care service company, several information-services companies and a firm that helps locate unclaimed assets.

In return for signing up, the companies are assured that they will not be prosecuted under Europe’s tough privacy laws, which typically require that companies get a consumer’s prior approval before selling or sharing their personal information.

U.S. companies got a reminder of that risk in November when a French court evoked a national law to order Yahoo to stop allowing Nazi artifacts to be offered on its online auction site.

“That showed that Europeans are serious about enforcing their national laws,” said Marc Rotenberg, director of the Electronic Privacy Information Center, a privacy watchdog organization. Yahoo said this week that it would halt auctions on its sites worldwide of items that “promote hatred.”

In addition, Rotenberg noted that some U.S. firms, including Amazon.com and Citibank, have already run into regulatory problems for allegedly violating privacy rules in specific European nations.

In 1998, the European Union issued a directive that prohibited the transfer of personal data about Europeans to non-European nations unless it could be shown that the information was being protected. Negotiators at the Commerce Department have been working ever since to carve out an exception for U.S. firms. Most important, the safe-harbor agreement allows U.S. firms to avoid getting prior approval from Europeans before using and sharing most of their information, a process that American executives say is too complicated and costly.

Many large companies are evaluating their options. Some may alter their information-sharing practices and stop transferring data about Europeans outside of the region. Others could attempt to reach separate pacts with regulators in European nations where they do business.

“We’re not saying safe harbor is the answer for everybody,” said Hall of the software industry group.