WASHINGTON:
The United States and the European Union are nearing completion of an
agreement that would allow law enforcement and security agencies to
obtain private information - including credit card transactions, travel
histories and Internet browsing habits - about people on the other side
of the Atlantic Ocean.
Seeking to improve information-sharing to fight crime and terrorism,
government officials have been meeting since February 2007 to reach a
pact. Europe generally has more-stringent laws restricting how
governments and businesses can collect and transfer personal data,
which have led to high-profile disputes over American demands for such
information.
Negotiators have largely agreed on draft language for 12 major
issues that are central to a "binding international agreement" making
clear that it is lawful for European governments and companies to
transfer personal information to the United States, and vice-versa,
according to an internal report obtained by The New York Times.
But the two sides are still at odds on several other matters,
including whether European citizens should be able to sue the United
States government over its handling of their personal data, the report
said.
The talks grew out of two conflicts over information-sharing after
the September 2001 terrorist attacks. The U.S. government demanded
access to customer data held by airlines and a consortium, known as
Swift, that tracks global bank transfers.
American investigators wanted the data to look for suspicious
activity. But several European countries objected, citing violations of
their privacy laws. Each dispute frayed diplomatic relations and
required difficult negotiations to resolve.
American and European Union officials are trying to head off future
confrontations "by finding common ground on privacy and by agreeing not
to impose conflicting obligations on private companies," said Stewart
Baker, the assistant secretary for policy at the Department of Homeland
Security, who is involved in the talks. "Globalization means that more
and more companies are going to get caught between U.S. and European
law."
Paul Schwartz, a law professor at the University of California,
Berkeley, said such a blanket agreement could transform international
privacy law by eliminating a problem that has led to negotiations of
"staggering" complexity between Europe and the United States.
"The reason it's a big deal is that it is going to lower the whole
transaction cost for the U.S. government to get information from
Europe," Schwartz said. "Most of the negotiations will already be
completed. They will just be able to say, 'Look, we provide adequate
protection, so you're required to turn it over."'
But the prospect that the agreement might lower barriers to sending
personal information to the U.S. government has alarmed privacy-rights
advocates in Europe.
While some praised the principles laid out in the draft text, they
warned that it was difficult to tell whether the agreement would allow
broad exceptions to such limits.
For example, the two sides have agreed that information that reveals
race, religion, political opinion, health or "sexual life" may not be
used by a government "unless domestic law provides appropriate
safeguards."
But the agreement does not spell out what would be considered an
appropriate safeguard, suggesting that each government may decide for
itself whether it is complying with the rule.
"I am very worried that once this will be adopted, it will serve as
a pretext to freely share our personal data with anyone, so I want it
to be very clear about exactly what it means and how it will work,"
said Sophia in 't Veld, a member of the European Parliament from the
Netherlands who is an outspoken advocate of privacy rights.
The Bush administration and the European Commission, the EU's
executive body, have not publicized the talks. But in a little-noticed
paragraph deep in a joint statement following a summit meeting between
President George W. Bush and European leaders in Slovenia this month,
the leaders hailed their progress.
Issued June 10, the statement declared that "the fight against
transnational crime and terrorism requires the ability to share
personal data for law enforcement," and it called for the creation of a
"binding international agreement" to facilitate such transfers while
also ensuring that citizens' privacy is "fully" protected.
The negotiators are trying to reach accord on minimum standards for
the protection of privacy rights, like limiting access to the
information to "authorized individuals with an identified purpose" for
looking at it. If a government's policies are "effective" in meeting
all the standards, any transfer of personal data to that government
would be presumed lawful.
For example, European law sets up independent government agencies to
police whether personal data is being used lawfully and to help
citizens who are concerned about any invasions of their privacy. The
United States has no such independent agency. But in a concession, the
Europeans have agreed that the American government's internal oversight
system may be good enough to provide accountability for how Europeans'
data are being used.
About half a dozen issues remain unresolved, the report said. One
sticking point is what rights European citizens would have if the U.S.
government violates data privacy rules or takes an adverse action
against them - like denying them entry into the country or placing them
on a no-flight list-based on incorrect personal information.
European law generally allows those who think the government has
mishandled their personal information to file a lawsuit to seek damages
and to get the data corrected or expunged. American citizens and
permanent residents can also generally file similar lawsuits under the
Privacy Act of 1974, but that statute does not extend to foreigners.
The Bush administration is trying to persuade the Europeans that
other options for correcting problems - including asking an agency to
correct any misinformation through administrative procedures - are
satisfactory. For now, the EU is holding to the position that its
citizens "require the ability to bring suit in U.S. courts specifically
under the Privacy Act for an agreement to be reached on redress," the
report said.
But the Bush administration does not want to make such a concession,
in part because it would require new legislation. The administration
does not want to have to request congressional approval of the final
agreement, several officials said.
David Sobel, a senior counsel with the Electronic Frontier
Foundation, a nonprofit organization dedicated to data-privacy rights,
predicted that it would be difficult to persuade the Europeans to drop
their demand. He said that the administration's depiction of the
process of correcting mishandled data through agency procedures sounded
"very rosy," but the reality is that it is often impossible, even for
American citizens, to win such a fight.
Officials said it remained unclear when the agreement could be
completed. But there are several pressures encouraging negotiators to
sprint to a finish. Bush administration officials would like to resolve
the problem before they leave office next January.
And European Commission officials who support the agreement may have
an easier time getting it approved now, legal analysts said, before
Europe completes internal reforms that would give the European
Parliament - which has been skeptical about security measures that
could infringe on civil liberties - greater authority to block it.
In addition, businesses that operate on both sides of the Atlantic
are pushing to eliminate the prospect of getting caught between
conflicting legal obligations.
"This will require compromise," said Peter Fleischer, the global
privacy counsel for Google. "It will require people to agree on a
framework that balances two conflicting issues - privacy and security.
"But the need to develop that kind of framework is becoming more
important as more data moves onto the Internet and circles across the
global architecture."