U.S. and EU near deal on sharing data...

WASHINGTON: The United States and the European Union are nearing completion of an agreement that would allow law enforcement and security agencies to obtain private information - including credit card transactions, travel histories and Internet browsing habits - about people on the other side of the Atlantic Ocean.

Seeking to improve information-sharing to fight crime and terrorism, government officials have been meeting since February 2007 to reach a pact. Europe generally has more-stringent laws restricting how governments and businesses can collect and transfer personal data, which have led to high-profile disputes over American demands for such information.

Negotiators have largely agreed on draft language for 12 major issues that are central to a "binding international agreement" making clear that it is lawful for European governments and companies to transfer personal information to the United States, and vice-versa, according to an internal report obtained by The New York Times.

But the two sides are still at odds on several other matters, including whether European citizens should be able to sue the United States government over its handling of their personal data, the report said.

The talks grew out of two conflicts over information-sharing after the September 2001 terrorist attacks. The U.S. government demanded access to customer data held by airlines and a consortium, known as Swift, that tracks global bank transfers.

American investigators wanted the data to look for suspicious activity. But several European countries objected, citing violations of their privacy laws. Each dispute frayed diplomatic relations and required difficult negotiations to resolve.

American and European Union officials are trying to head off future confrontations "by finding common ground on privacy and by agreeing not to impose conflicting obligations on private companies," said Stewart Baker, the assistant secretary for policy at the Department of Homeland Security, who is involved in the talks. "Globalization means that more and more companies are going to get caught between U.S. and European law."

Paul Schwartz, a law professor at the University of California, Berkeley, said such a blanket agreement could transform international privacy law by eliminating a problem that has led to negotiations of "staggering" complexity between Europe and the United States.

"The reason it's a big deal is that it is going to lower the whole transaction cost for the U.S. government to get information from Europe," Schwartz said. "Most of the negotiations will already be completed. They will just be able to say, 'Look, we provide adequate protection, so you're required to turn it over."'

But the prospect that the agreement might lower barriers to sending personal information to the U.S. government has alarmed privacy-rights advocates in Europe.

While some praised the principles laid out in the draft text, they warned that it was difficult to tell whether the agreement would allow broad exceptions to such limits.

For example, the two sides have agreed that information that reveals race, religion, political opinion, health or "sexual life" may not be used by a government "unless domestic law provides appropriate safeguards."

But the agreement does not spell out what would be considered an appropriate safeguard, suggesting that each government may decide for itself whether it is complying with the rule.

"I am very worried that once this will be adopted, it will serve as a pretext to freely share our personal data with anyone, so I want it to be very clear about exactly what it means and how it will work," said Sophia in 't Veld, a member of the European Parliament from the Netherlands who is an outspoken advocate of privacy rights.

The Bush administration and the European Commission, the EU's executive body, have not publicized the talks. But in a little-noticed paragraph deep in a joint statement following a summit meeting between President George W. Bush and European leaders in Slovenia this month, the leaders hailed their progress.

Issued June 10, the statement declared that "the fight against transnational crime and terrorism requires the ability to share personal data for law enforcement," and it called for the creation of a "binding international agreement" to facilitate such transfers while also ensuring that citizens' privacy is "fully" protected.

The negotiators are trying to reach accord on minimum standards for the protection of privacy rights, like limiting access to the information to "authorized individuals with an identified purpose" for looking at it. If a government's policies are "effective" in meeting all the standards, any transfer of personal data to that government would be presumed lawful.

For example, European law sets up independent government agencies to police whether personal data is being used lawfully and to help citizens who are concerned about any invasions of their privacy. The United States has no such independent agency. But in a concession, the Europeans have agreed that the American government's internal oversight system may be good enough to provide accountability for how Europeans' data are being used.

About half a dozen issues remain unresolved, the report said. One sticking point is what rights European citizens would have if the U.S. government violates data privacy rules or takes an adverse action against them - like denying them entry into the country or placing them on a no-flight list-based on incorrect personal information.

European law generally allows those who think the government has mishandled their personal information to file a lawsuit to seek damages and to get the data corrected or expunged. American citizens and permanent residents can also generally file similar lawsuits under the Privacy Act of 1974, but that statute does not extend to foreigners.

The Bush administration is trying to persuade the Europeans that other options for correcting problems - including asking an agency to correct any misinformation through administrative procedures - are satisfactory. For now, the EU is holding to the position that its citizens "require the ability to bring suit in U.S. courts specifically under the Privacy Act for an agreement to be reached on redress," the report said.

But the Bush administration does not want to make such a concession, in part because it would require new legislation. The administration does not want to have to request congressional approval of the final agreement, several officials said.

David Sobel, a senior counsel with the Electronic Frontier Foundation, a nonprofit organization dedicated to data-privacy rights, predicted that it would be difficult to persuade the Europeans to drop their demand. He said that the administration's depiction of the process of correcting mishandled data through agency procedures sounded "very rosy," but the reality is that it is often impossible, even for American citizens, to win such a fight.

Officials said it remained unclear when the agreement could be completed. But there are several pressures encouraging negotiators to sprint to a finish. Bush administration officials would like to resolve the problem before they leave office next January.

And European Commission officials who support the agreement may have an easier time getting it approved now, legal analysts said, before Europe completes internal reforms that would give the European Parliament - which has been skeptical about security measures that could infringe on civil liberties - greater authority to block it.

In addition, businesses that operate on both sides of the Atlantic are pushing to eliminate the prospect of getting caught between conflicting legal obligations.

"This will require compromise," said Peter Fleischer, the global privacy counsel for Google. "It will require people to agree on a framework that balances two conflicting issues - privacy and security.

"But the need to develop that kind of framework is becoming more important as more data moves onto the Internet and circles across the global architecture."