U.S. Firms Find No Haven in Safe Harbor

European Union's data privacy directive raises 'considerable' trade issues

When Kent Harman goes to Belgium later this year to collect tissue samples from murdered children buried in a mass grave, he will be gathering the most private of personal information—the human blueprint itself.

But as complicated as that process will be, Harman's forensic testing laboratory, Genetic Technologies Inc., will also face the tedious process of complying with numerous new European and international bureaucratic privacy rules, many of which will impede its work. And as governments on both sides of the Atlantic debate the issue of data and personal privacy, many say, all companies doing business in Europe can expect more red tape.

In Genetic's case, it must deal with the European Union's data privacy protection principles, one of which requires U.S. companies working with European companies to filter all data through Belgium. In addition, it is complying with a bilateral agreement, the Safe Harbor pact.

"In our industry, we deal in extremely confidential information, such as genetic profiles for personal identification," said Harman, president of the Glencoe, Mo., company. "We have to do everything we can to make [partners and clients] feel comfortable."

But companies that gather less sensitive data—those that track whether a customer prefers mystery novels to science fiction, for example—are questioning why they should have to abide by the EU's privacy regulations. Only 30 U.S. companies, including Genetic Technologies, have signed on to the Safe Harbor agreement designed to link privacy policies in the United States and Europe. By joining the pact, companies shield themselves from Europe's potentially crippling enforcement measures, including prosecution or having their data transmission cut off.

Congress waded into the matter earlier this month for the first time with a House of Representatives subcommittee hearing. It is anyone's guess how far U.S. lawmakers are willing to go to discourage Europe from enforcing the pact—or how far Europe is willing to go to enforce it—but with just three months remaining before it takes effect, a lot of posturing is taking place on both sides of the Atlantic.

At a hearing March 8 during which the chairman of the EU Data Protection Working Party, Stefano Rodota, testified, Commerce Committee Chairman Billy Tauzin, R-La., said the European approach "provides for extraterritorial enforcement of EU principles on Americans and American companies."

One thing is clear: Congress will not adopt the European approach in crafting privacy legislation of its own. Although some lawmakers are urging stringent new protections, including creating private rights of action, and others have pressed for nothing more than the appointment of a commission to study the matter, most are taking a moderate stance. One likely rallying point is an initiative crafted by Sen. John McCain, R-Ariz., and expected to be resurrected soon. Last year, it enjoyed not only bipartisan support but also the endorsement of Hewlett-Packard Co. executives. The bill never made it out of committee, however.

The EU Directive on Data Privacy, adopted in 1998, bans the flow of European citizens' personal data to countries without "adequate" privacy policies in place.

In negotiating the Safe Harbor agreement last year, the U.S. Department of Commerce established a set of principles governing consumer notice, choice, transfer to third parties, security and access.

The agreement goes into effect July 1, but many of the industries most likely to transmit personal data across the Atlantic—travel agencies, airlines, hotels and online retailers, for example—remain conspicuously absent from the list of signatories. Many of the companies that have signed on are in the business of privacy. HP is the sole high-tech company on the list.

U.S. companies, in large part, view the matter as a trade issue; if Europe takes action to hinder trade from U.S. businesses, the United States may retaliate.

"There are considerable trade ramifications to the Safe Harbor," said Rick Lane, director of E-Commerce and Internet Technology at the U.S. Chamber of Commerce, in Washington. "Is it even allowable under the World Trade Organization? There was no authority given to the Department of Commerce to negotiate this agreement."

None of the Chamber's members has signed the Safe Harbor pact, according to Lane. They are reluctant to criticize the agreement publicly for fear they will be singled out by Europe for retaliation, but they are pressing Congress to examine its financial and legal implications. "You're subjecting yourself and third parties to EU privacy law once you sign up for the Safe Harbor," Lane said.