Financial Institutions and the Safe Harbor Agreement: Securing Cross-Border Financial Data Flows
Tallman, David A., Law and Policy in International Business
Information is a marketable commodity in the modern economy. (1) Financial institutions, in particular, have strong incentives to transfer consumer information to affiliates and others to engage in cross-marketing and cross-branding activities. (2) Data transfers may often take place across international borders, with enormous benefits for international trade. (3) However, even as modern technology increases the utility of information, it creates greater opportunities for intrusions into individual privacy. (4) New York Attorney-General Eliot Spitzer has stated, "New technology has brought extraordinary benefits to society, but it also has placed all of us in an electronic fishbowl in which our habits, tastes and activities are watched and recorded." (5)
In 1995, the European Union (EU) promulgated a Directive requiring EU member states to implement stringent privacy protections and prohibiting the transfer of data from the European Union to any country that does not provide an "adequate" level of privacy protection. (6) In Part II, this Note will discuss the EU Directive and compare it to U.S. privacy regulation, particularly to the privacy protections for financial information embodied in the Gramm-Leach-Bliley Act. The Note will then address the Safe Harbor Agreement entered into by the United States and the European Union, under which data transfers from the European Union can take place to U.S. companies that agree to meet certain intermediate privacy protection standards. However, the financial services industry is excluded from the Safe Harbor Agreement. Although the non-transferability provisions of the Data Protection Directive have yet to be rigorously enforced, financial institutions currently have no acceptable Safe Harbor alternatives that guarantee the transferability of personal data for the long term. In the absence of a viable alternative to the Safe Harbor, financial institutions will be unable to secure the uninterrupted ability to transfer data from the European Union to the United States.
If cross-border data flows are interrupted, financial services firms can expect to experience serious difficulties. Consider ABC Bank, a hypothetical multinational financial conglomerate that operates in Europe but has branches and affiliates in the United States. There may be situations in which ABC will want to share information regarding its European customers with its U.S. affiliates to enable its affiliates to market financial services to those customers. (7) Direct marketing of associated services to consumers, particularly attractive to many financial institutions in the aftermath of the Gramm-Leach-Bliley Act's consolidation of the financial services industry, (8) could be impeded by restrictions on cross-border data transfer. (9) In addition, ABC will certainly collect large amounts of personal information for its internal databases in the course of its operations. ABC may be able to contract for data processing and analysis most cheaply with an unaffiliated American company. Taking advantage of this market efficiency would require cross-border data transfer. Perhaps most importantly, a centralized human resources system may require ABC to transfer employee data internationally in order to pay salaries and to provide employee benefit programs. (10)
Additionally, a number of transactions vital to the international financial system rely on cross-border data flows. Payment systems that require the transfer of personal information, such as credit card transactions, could be hindered by strict application of the Directive's non-transferability rules. (11) Investment bankers often rely on market analysis, takeover maneuvers, and due diligence activities, in which transferring personal data is of significant importance. (12) The credit reporting system also relies on the free transfer of information about consumer credit, even across national boundaries. (13)
Part III of this Note will discuss the options currently available to the financial services industry if it wishes to legally transfer data from the European Union to the United States. …