Encryption: Regulation Everywhere
E-finance, perhaps more than any other area of e-commerce, necessitates secure transactions and transmission of information. At the same time, government law-enforcement and national-security interests express grave concern over the potential for encryption to shield illegitimate and potentially dangerous activities. It is no surprise, then, that countries around the globe regulate the use and transmission of cryptographic technology, software and hardware.
The United States closely restricts the export of products with encryption or decryption capabilities, although it leaves use within the U.S. unregulated. Moreover, other countries -- notably, France and Singapore -- not only regulate export, but impose rigid restrictions on import and internal use as well. As a result, a company contemplating secure encrypted international services must consider both the U.S. and foreign regulatory implications of its activities.
The Clinton Administration late last year responded to the financial industry's entreaties for relaxation of encryption restrictions by exempting a narrow class of encryption items from its otherwise onerous licensing requirements. Now, unlimited-strength encryption is permitted for use by defined "financial institutions" in 45 designated countries. "Financial institutions" include, in addition to banks, brokers and dealers in securities, and insurance companies.
Items exported pursuant to this "financial services exception" may be used only for communications or transactions between the financial institution and its customers, not between customer and customer. Importantly, a financial institution wishing to take advantage of this exception still must submit its request with a description of the software or commodity in question to the government for a one-time "technical" review.
But, as noted above, a company is not "home free" once it clears the U.S. regulatory hurdle. The country of intended destination may impose its own controls, which must be confronted and surmounted.
Personal-Data Privacy: A Growing Concern Abroad And At Home
Protection of personal data is a matter to which many U.S. companies are not sensitized, but one that will raise novel and difficult issues in this new electronic age. In this regard, financial institutions enjoy a bit of a head start: although the U.S. does not regulate collection and use of personal data in most contexts, many types of financial institutions have been subject to government-imposed constraints for some time.
Nevertheless, the landscape is changing for internationally involved financial institutions. Most significantly, the European Union has declared a new Privacy Directive that, if implemented without change, may prevent U.S. companies from collecting and using the personal data of European nationals and others in Europe as they have done in the past. The Directive imposes a host of requirements, limiting the type of information that can be collected, requiring notice of the use and extent of disclosure of the information, and affording a virtually unlimited right of access and correction to the subject of the personal data.
Ominously, the E.U. Directive requires that member nations prohibit the transfer of personal data to entities located in countries that do not accord equivalent levels of protection. The U.S., with its generally laissez-faire attitude towards this issue, is such a country. Currently, senior U.S. and E.U. negotiators are attempting to reach a solution to this difficulty, but already one country -- Sweden -- has prohibited a U.S. (non-financial-services) company from transferring data about Swedish customers to its U.S. database.
Financial institutions should remain alert to developments in the U.S.-E.U. talks and begin considering their possible exposure under the Directive. In addition, financial companies should be sure to make the case with U.S. negotiators and E.U. privacy officials that they are already subject to a different degree of restriction than other U.S. companies and should be treated separately in any final resolution.