
Deadline for EU Data Privacy Law Prompts Worry Among Businesses

By JENNIFER L. SCHENKER and JULIE WOLF
Special to THE WALL STREET JOURNAL

The mounds of data that zap electronically across borders may face some travel restrictions as a European Union law takes effect this week. Three years of talks between the EU and the U.S. have failed to find a compromise on how to protect the privacy of data, and that has businesses and consumer groups worried.

The issue arose in 1995, when Citibank Deutschland AG came under attack for a co-branded credit-card program with Deutsche Bahn AG. The program, Germany's data police decided, invaded the privacy of citizens because the sign-up questionnaire was too nosy and the data was processed in the U.S. The bank made headlines by offering to allow Germany's data police to come to the U.S. to inspect its data-processing arrangements.

Citibank solved its problems in Germany, but the European Commission reasoned national data regulators couldn't possibly travel to the U.S. to verify the compliance of all of the companies in Europe that send personal data abroad for processing. Instead, the commission passed a law that gave national data regulators wide powers to control what type of data can be processed abroad and let them halt exports of personal data to countries that don't have adequate protection, such as the U.S. EU member states were given three years to institute necessary changes.

Intensified Negotiations

Businesses panicked at the prospect of having data flows cut off, databases erased and huge fines levied. Negotiations intensified between Europe and the U.S., which planned to ensure data protection mainly through industry self-regulation.

Three years later, just days before the deadline, a solution has yet to be found, and Citibank and other multinationals doing business in Europe are back in the headlines again, the targets of privacy advocates who want to inspect transborder data flows.

At issue is how U.S.
companies operating in Europe can send data back to the U.S. without running afoul of strict new EU legislation on data protection. The issue won't be settled before the legislation goes into effect Oct. 25 although U.S. and EU officials say they are hopeful enough progress has been made to ensure that companies won't see their data flows interrupted on Oct. 26.

"The message to business should be don't panic," advised Francis Aldhouse, deputy data-protection registrar at the U.K.'s office of data protection. "Nothing great and dramatic" is going to happen this week when the directive goes into force, he said.

Threat of Legal Action

But uncertainty abounds, and big companies in Europe are worried they could face legal action from a variety of quarters, including Privacy International, a Washington, D.C.-based watchdog group that plans to increase its activities in Europe.

"This is not a deal that can be cut between the White House and Brussels," said Simon Davies, Privacy International's director. "The data-protection directive establishes new constitutional rights in Europe and gives us a mandate to move forward."

Between now and Jan. 15, Privacy International will meet with 25 multinational corporations and government agencies it has identified. The group wants to examine data flows through available public records to determine whether these companies are in compliance with the new laws.

At the moment all personal data gathered from European clients that is processed outside the EU is suspect. Hong Kong, Quebec and New Zealand are the exceptions because they have received the commission's stamp of approval for providing adequate protection.

Only three EU countries are expected to meet the commission's Oct. 25 deadline for implementing the data-protection directive -- Italy, Greece and Finland.

"Business can not live with such uncertainty," said Mark Loliver, legal adviser to the European Federation of Direct Marketing.

Possible Solutions

Solutions on the table include:

1. Setting up safe harbors, a compromise that would allow U.S. companies operating in Europe to ship data back to the U.S. even though the U.S. itself won't get the European Commission's stamp of approval for adequate protection. The U.S. Commerce Department would issue principles on data privacy, and companies agreeing to abide by these would be allowed to transfer data from Europe to the U.S.

2. Drawing up model contracts between companies operating in Europe and those that process data overseas. The foreign companies would have to commit to meeting Europe's data privacy standards.

3. Implementing new software solutions that are designed to allow companies that handle personal information about consumers to meet privacy requirements.

Both the U.S. and EU have shifted considerably from their original positions. The commission is no longer insisting that the U.S. adopt national data-protection legislation. And the U.S. now concedes that consumers should be able to complain to an independent group about a company's behavior.

The commission will have to get the support of member states for any compromise at two meetings this month, the first of which will be held Monday.

Model Contract

Meanwhile the International Chamber of Commerce, British Federation of Business and a number of other organizations are jointly working on a model contract that could be drawn up between a company operating in Europe and the company which processes data for it abroad, said Colin Fricker, director of legal affairs at the U.K.'s Direct Marketing Association and a member of the model contract working party of the Confederation of British Industry.

Separately, some companies hope to tackle the problem with technological solutions.
NCR Inc., a Dayton, Ohio, data-warehousing specialist, said that beginning in January it will build in new software features that will allow the auditing of computer databases to ensure compliance with government data privacy regulations. Its clients include financial institutions and retailers.

For its part, Privacy International says neither model contracts nor technological solutions offer adequate protection.

"Companies in the U.S. continue to maintain that industry code of practice and privacy-enhancing technology afford protection and it does not -- it is a very tiny step in the right direction," said Privacy International's Mr. Davies. "The message we want to give the U.S. is why are you following an outdated libertarian philosophy when you know it is going to cost you dearly."