US and Europe Near Agreement on Private Data

WASHINGTON — The United States and the European Union are nearing completion of an agreement allowing law enforcement and security agencies to obtain private information — like credit card transactions, travel histories and Internet browsing habits — about people on the other side of the Atlantic Ocean.

The potential agreement, as outlined in an internal report obtained by The New York Times, would represent a diplomatic breakthrough for American counterterrorism officials, who have clashed with the European Union over demands for personal data. Europe generally has more stringent laws restricting how governments and businesses can collect and transfer such information.

Negotiators, who have been meeting since February 2007, have largely agreed on draft language for 12 major issues central to a binding international agreement, the report said. The pact would make clear that it is lawful for European governments and companies to transfer personal information to the United States, and vice versa.

But the two sides are still at odds on several other matters, including whether European citizens should be able to sue the United States government over its handling of their personal data, the report said.

The report, which lays out the progress of the talks and lists the completed draft language, was jointly written by the negotiators from the United States Homeland Security, Justice and State Departments, and by their European Union counterparts. The talks grew out of two conflicts over information-sharing after the September 2001 terrorist attacks. The United States government demanded access to customer data held by airlines flying out of Europe and by a consortium, known as Swift, which tracks global bank transfers.

American investigators wanted the data so they could look for suspicious activity. But several European countries objected, citing violations of their privacy laws. Each dispute frayed diplomatic relations and required difficult negotiations to resolve.

American and European Union officials are trying to head off future confrontations by finding common ground on privacy and by agreeing not to impose conflicting obligations on private companies, said Stewart A. Baker, the assistant secretary for policy at the Department of Homeland Security, who is involved in the talks. Globalization means that more and more companies are going to get caught between U.S. and European law, he said.

Paul M. Schwartz, a law professor at the University of California, Berkeley, said such a blanket agreement could transform international privacy law by eliminating a problem that has led to negotiations of staggering complexity between Europe and the United States.

The reason it’s a big deal is that it is going to lower the whole transaction cost for the U.S. government to get information from Europe, Mr. Schwartz said. Most of the negotiations will already be completed. They will just be able to say, Look, we provide adequate protection, so you’re required to turn it over.

But the prospect that the agreement might lower barriers to sending personal information to the United States government has alarmed some privacy rights advocates in Europe. While some praised the principles laid out in the draft text, they warned that it was difficult to tell whether the agreement would allow broad exceptions to such limits.

For example, the two sides have agreed that information that reveals race, religion, political opinion, health or sexual life may not be used by a government unless domestic law provides appropriate safeguards. But the accord does not spell out what would be considered an appropriate safeguard, suggesting that each government may decide for itself whether it is complying with the rule.

I am very worried that once this will be adopted, it will serve as a pretext to freely share our personal data with anyone, so I want it to be very clear about exactly what it means and how it will work, said Sophia in ’t Veld, a member of the European Parliament from the Netherlands who has been an outspoken advocate of privacy rights.

The Bush administration and the European Commission have not publicized their talks, but they referred to their progress in a little-noticed paragraph deep in a joint statement after a summit meeting between President Bush and European leaders in Slovenia this month.

Issued June 10, the statement declared that the fight against transnational crime and terrorism requires the ability to share personal data for law enforcement, and called for the creation of a binding international agreement to aid such transfers while also ensuring that citizens’ privacy is fully protected.

The negotiators are trying to agree on minimum standards to protect privacy rights, such as limiting access to the information to authorized individuals with an identified purpose for looking at it. If a government’s policies are effective in meeting all standards, any transfer of personal data to that government would be presumed lawful.

For example, European law sets up independent government agencies to police whether personal data is being used lawfully and to help citizens who are concerned about invasions of their privacy. The United States has no such independent agency. But in a concession, the Europeans have agreed that the American government’s internal oversight system may be good enough to provide accountability for how Europeans’ data is used.

About a half-dozen issues remain unresolved, the report said. One sticking point is what rights European citizens will have if the United States government violates data privacy rules or takes an adverse action against them — like denying them entry into the country or placing them on a no-fly list — based on incorrect personal information.

European law generally allows people who think the government has mishandled their personal information to file a lawsuit to seek damages and to have the data corrected or expunged. American citizens and permanent residents can generally do the same under the Privacy Act of 1974, but that statute does not extend to foreigners.

The Bush administration is trying to persuade the Europeans that other options for correcting problems are satisfactory, including asking an agency to correct any misinformation through administrative procedures. For now, the European Union is holding to the position that its citizens require the ability to bring suit in U.S. courts specifically under the Privacy Act for an agreement to be reached on redress, the report said.

But the Bush administration does not want to make such a concession, in part because it would require new legislation. The administration is trying to achieve an agreement that would not require Congressional action, Mr. Baker said.

David Sobel, a senior counsel with the Electronic Frontier Foundation, a nonprofit organization dedicated to data-privacy rights, said the administration’s depiction of the process of correcting mishandled data through agency procedures sounds very rosy, but the reality is that it is often impossible, even for American citizens, to win such a fight.

Officials said it remains unclear when the agreement can be completed. But there are several pressures encouraging negotiators to sprint to the finish.

Bush administration officials say they would like to resolve the problem before they leave office next January. If the agreement does not require legislative action, Mr. Bush could complete it with a signature.

European officials may have an easier time securing its approval now, before the European Union completes proposed changes. Member nations now ratify such accords, but the changes would hand ratification power to the European Parliament, which has been skeptical of American antiterrorism policies. The report says Europeans intended to wait until 2009 after the planned completion of the reforms to finish it. But the changes are now facing likely delay after Irish voters rejected them in a referendum this month.

In addition, businesses that operate on both sides of the Atlantic are pushing to make sure they are not caught between conflicting legal obligations.

This will require compromise, said Peter Fleischer, the global privacy counsel for Google. It will require people to agree on a framework that balances two conflicting issues: privacy and security. But the need to develop that kind of framework is becoming more important as more data moves onto the Internet and circles across the global architecture.