US rejects European Union's privacy rules on data sharing

American consumers would be robbed of time and money-saving practices if the European Union's Directive on Data and Privacy were...

American consumers would be robbed of time and money-saving practices if the European Union's Directive on Data and Privacy were enacted in the US, according to a study sponsored by the Financial Services Coordinating Council (FSCC).

According to a study by Ernst & Young for US-based FSCC, at least US$16bn (£11.2bn) worth of current financial services would be lost and bank and insurance customers would be forced to spend an additional 305 million hours annually on their personal finances if a US version of the EU's privacy rules on data sharing were introduced to the US. The FSCC is a group of associations that represents US insurance companies and banks, including the American Bankers Association and the American Council of Life Insurers.

The study results should serve as a warning to lawmakers that consumers would be greatly harmed by privacy rules that amend the privacy provisions that went into effect under the Gramm-Leach-Bliley Financial Services Modernisation Act of 1999, according to the FSCC. Congress is concerned that the EU directive could become a global standard.

While the EU directive may work well to serve the needs of European governments and European consumers, it would have a very different impact if applied in the US because of cultural differences, said Cynthia Glassman, an economist with Ernst & Young and director of the study project. In addition, the EU directive is stricter than any existing privacy policy in the US.

The study examined the potential impact of the directive on customers at 90 large US financial institutions. It assumed that the directive would be interpreted to allow those institutions to only offer consumers opt-in policies, and less than 10% of consumers would choose to allow their information to be used by the institutions, said Glassman.

US consumers have come to rely on savings and conveniences that result from information sharing by financial companies, said Jim Pitts, executive director of the FSCC's Privacy Project. These conveniences are being threatened by proposals on the federal and state level to adopt laws patterned on the EU directive, which has been in effect in Europe since 1998, he said.

Among the consequences of implementing the EU system would be a loss of 67 million hours per year because consumers would no longer be able to call one number, such as a call centre, to access multiple accounts. A loss of another 31 million hours would result from consumers no longer being able to use centralised Web sites to access multiple accounts.

In addition, special offers based on data collected from consumers and targeted marketing would be lost, the study says.

The computer systems at some financial institutions also could be affected, especially legacy systems that are unable to comply with some of the privacy requirements, said Glassman. The study notes that technologies designed to enable new products and services based on customer information could be cut short by privacy policies.

Because the study is an effort to examine the impact of the EU directive if it were implemented in the US it does not mention the "safe-harbour" agreement negotiated by the US Commerce Department and EU last year, which provides some legal protection to US companies and organisations that gather personally-identifiable data in Europe from employees and customers.

The safe-harbour agreement is meant to bridge the US and EU's different privacy approaches and to provide a streamlined means for US organisations to comply with the directive. So far, 30 companies have notified the Department of Commerce that they adhere to the safe-harbour framework.

Read more on IT legislation and regulation