I.

I. INTRODUCTION

Information is a marketable commodity in the recent economy.1 Financial institutions, in particular, have firm incentives to transfer consumer information to affiliates and others to engage in cross-marketing and cross-branding activities.2 Data transfers may oftentimes take place across international borders, with enormous benefits for international trade.3 However, level as modern technology increases the utility of information, it creates greater opportunities for intrusions into individual privacy.4 recent York Attorney-General Eliot Spitzer has stated, "New technology has brought extraordinary benefits to society, still it also has placed all of us in an electronic fishbowl in which our habits, tastes and activities are watched and recorded."5

In 1995 the European Union (EU) promulgated a Directive requiring EU member states to implement stringent privacy protections and prohibiting the transfer of data from the European Union to any rural parts that does not provide an "adequate" flat of privacy protection.6 In Part II, this Note will discuss the EU Directive and compare it to U privacy regulation, particularly to the privacy protections for financial information embodied in the Gramm-Leach-Bliley Act. The Note will then address the Safe Harbor Agreement go intoed into by the United States and the European Union, below which data transfers from the European Union can take place to U companies that agree to confront certain intermediate privacy protection standards. However, the financial services industry is exclud from the Safe Harbor agreement. Although the non-transferability provisions of the Data Protection Directive have still to be rigorously enforced, financial institutions publicly have no acceptable Safe Harbor alternatives that guarantee the transferability of personal data for the in extent term. In the absence of a viable alternative to the Safe Harbor, financial institutions will be unable to free from danger the uninterrupted ability to transfer data from the European Union to the United States.

If cross-border data runs are interrupted, financial services firms can look for to experience serious difficulties. Consider ABC Bank, a hypothetical multinational financial conglomerate that operates in Europe if it were not that has branches and affiliates in the United States. There may be situations in which ABC will want to share information regarding its European customers with its U affiliates to enable its affiliates to market financial services to those customers.7 Direct marketing of associated services to consumer particularly attractive to many financial institutions in the aftermath of the Gramm-Leach-Bliley Act's consolidation of the financial services industry,8 could be impeded by means of restrictions on cross-border data transfer.9 In addition, ABC will certainly muster large amounts of personal information for its internal databases in the course of its operations. ABC may be able to contract for data processing and analysis principally cheaply with an unaffiliated American company. Taking advantage of this market efficiency would require cross-border data transfer. Perhaps in the greatest degree importantly, a centralized human resources order may require ABC to transfer employee data internationally in order to pay salaries and to provide employee benefit programs.10

Additionally, a number of transactions vital to the international financial theory rely on cross-border data liquefys Payment systems that require the transfer of personal information, in the same state [i]or[/i] condition as credit card transactions, could be hindered through strict application of the Directive's non-transferability rules11 Investment bankers frequently rely on market analysis, takeover maneuvers, and appropriate diligence activities, in which transferring personal data is of significant importance.12 The credit reporting scheme also relies on the exempt transfer of information about consumer credit, equal across national boundaries.13

Part III of this Note will discuss the options generally available to the financial services industry if it wishes to legally transfer data from the European Union to the United States. For example, companies may submit individual data transfer contracts for review and approval by means of European data protection authorities or they may use pre-approved "model contracts" promulgated by way of the European Union. However, these options raise serious issues of business confidentiality and liability and are unlikely to be acceptable to greatest in quantity firms. Even arguing for inclusion in the Safe Harbor Agreement cannot guarantee cross-border financial data comes because EU dissatisfaction with the even and quality of participation calls into question the stability of the Safe Harbor itself.

In Part IV, this Note will argue that financial services firms have an additional option. The upcoming reconsideration of federal preemption provisions of the Fair Credit Reporting Act is likely to alert lawmakers to revisit the Gramm-Leach-Bliley Act's privacy protections. The financial services industry may be willing to accept virtuous increases in domestic financial privacy legislation in exchange for federal privacy preemption. However, accepting so legislation would bring the industry a significant additional benefit. The greatest in quantity probable changes in American financial privacy law are highly likely to liken the privacy protections currently embodied in the Safe Harbor Agreement. As a deduction the financial industry will be in a position to argue for a sectoral adequacy determination from the European Union. beneath the Safe Harbor Agreement as it generally stands, firms must certify compliance upon an individual basis. By arguing for a sectoral exemption from the Data Protection Directive's non-transferability provisions, the financial services industry would be onward the forefront of safe harbor reform. Not simply would financial institutions be able to assure their continued ability to transfer personal financial data from the European Union, yet a sectoral adequacy determination would be a significant degree towards creating a safe harbor more suited to the nature of U privacy regulation.