The European Union's Data Privacy Directive (Data Privacy Directive) went into effect in 1998.1 It provided that companies operating in the European Union, or dealing with the personal data of E.U. citizens, must comply with certain regulations to protect the privacy of those customers. The first effect of this directive was to standardize data privacy laws of the E.U.'s Member-States. The second, more widespread, effect was to require non-E.U. nations to prove to the European Union that their systems of data privacy laws were sufficiently rigorous to protect the rights of E.U. citizens who dealt with companies in those nations. To this end, many other nations enacted or modified their own far-reaching, bureaucratically enforced data privacy laws, and were determined to be compliant.
Instead of completely rearranging its state and federal privacy laws, the United States and the European Union devised a Safe Harbor Agreement (Safe Harbor). The Safe Harbor, concluded between the United States and the European Union in 2000, is a method of allowing each side to continue to trade with the other while compromising on issues of data privacy following the enactment of the European Data Privacy Directive. The Safe Harbor, however, did not resolve all trans-Atlantic privacy issues. As it currently exists, the Safe Harbor only applies to a part of the U.S. and European economies.2 The financial services industry, among others, has been left out to sea.
In the United States, the financial services industry also faces new privacy regulation due to the passage of the Gramm-Leach-Bliley Act of 1999 (GLB).3 This sweeping reform of financial privacy law imposed burdens on financial services similar to those that the Safe Harbor imposed on other industries. The European Union has deemed the GLB insufficient to serve the same purpose as the Safe Harbor.4 Negotiators from the European Union and the United States have not yet agreed on any solution to this problem.5 U.S. negotiators want the Europeans6 to accept current U.S. financial privacy laws as adequate protection. E.U. negotiators present their privacy concerns as "not something to be negotiated."7 According to then-E.U. internal markets commissioner Frits Bolkenstein, the GLB "doesn't pass the 'adequacy' requirement under Europe's data privacy rules."8 The situation has remained unresolved for more than two years, leaving financial services "under a standstill agreement with the European Union that states that as long as the U.S. and E.U. officials continue in their 'good faith' negotiations, no enforcement action will be taken."9 This ad hoc arrangement, however, cannot endure forever. The lack of agreement has left banks and insurance companies adrift in the seas of international trade.
This Note will examine the problems of financial services privacy regulation with regard to commerce between the European Union and the United States and will attempt to provide a solution that is acceptable to both sides. Part I discusses and compares the relevant privacy laws currently in effect in E.U.-U.S. trade. Part II analyzes U.S. laws to examine how they compare with the Safe Harbor, and how changes to those laws might remedy any deficiencies. Part III presents possible solutions to this dilemma.
A. Introduction to Privacy Laws