EU says US financial privacy rules are inadequate

Efforts by financial services firms to get European authorities to recognise US financial privacy rules as being on a par with Europe's privacy protections have failed.

European data protection authorities do not believe that privacy safeguards contained in the Gramm-Leach-Bliley Act pass the "adequacy" test requirement under Europe's data privacy rules, Frits Bolkenstein, European Union internal markets commissioner, said. Bolkenstein was visiting Washington this week to meet with US officials and discuss data privacy issues.

As a result, US financial services firms face the prospect of having to comply with Europe's stringent privacy rules, which require a customer's affirmative ("opt-in") consent before personal data is shared for many transactions. Gramm-Leach-Bliley instead follows an "opt-out" rule: a firm may share customer data unless the customer objects.

The Gramm-Leach-Bliley Act allows closer ties among banks, securities firms and insurance companies, as long as they follow certain guidelines for privacy and security of customer information.

Bolkenstein said he believes the safe harbour agreement that now applies to non-financial service firms should be extended to include financial services.

Under Europe's data protection directive, in force since 1998, the personal data of European residents can only be exported to countries that offer privacy protection similar to Europe's privacy rules. A so-called safe harbour accord between the US and EU outlined provisions for US-based companies to meet those EU rules.

However, when the US and Europe agreed to safe harbour in 2000, financial services were not included. Instead, US officials now want Europeans to recognise the Gramm-Leach-Bliley Act and other financial privacy laws as providing enough protection to meet Europe's privacy requirements.

Bolkenstein said he "regrets" that financial services aren't included in safe harbour. Companies that sign up for safe harbour agree to provide European residents with a stringent set of privacy protections, such as seeking consumer consent and agreeing to set limits on the use of individuals' data.

"It seems to me that the easiest way to cover financial services would be to extend the safe harbour agreement to that area," said Bolkenstein. He cited a number of weaknesses in Gramm-Leach-Bliley, including the fact that it allows sharing of customer data with affiliates.

David Leifer, senior counsel at the American Council of Life Insurers in Washington, said safe harbour makes sense for non-financial services firms that are not faced with privacy rules under Gramm-Leach-Bliley, the Fair Credit Reporting Act and myriad other state rules.

"We feel that we are more than adequately regulated for privacy," said Leifer.