News Release

October 30, 2001

Safe Harbor Agreement Faces Uncertain Future
Few participants, limited enforcement, Cato study finds

The EU-U.S. Safe Harbor agreement seeks to bridge differences between the Europe Union's top-down approach to regulating personal data and the more decentralized system that prevails in the United States. Specifically, the agreement is intended to head off a potentially costly ban by the EU on the transfer of personal information—such as people's names, addresses, birthdays, and buying habits—to the United States, which, according to the EU, lacks "adequate" data protection. In a new trade policy analysis, "Safe Harbor or Stormy Waters? Living with the EU Data Protection Directive," Aaron Lukas, an analyst at the Cato Institute's Center for Trade Policy Studies, concludes that, "Although Safe Harbor is still in its infancy, its survival is already in doubt."

Only a handful of U.S. businesses have joined Safe Harbor—a list of companies maintained by the U.S. Department of Commerce that are assumed to provide adequate data protection, as defined by the EU Data Protection Directive. Lukas cites numerous reasons why this is true:

• Many of the businesses are simply unaware of the agreement
• European officials have made only limited efforts to enforce EU privacy law
• The Safe Harbor principles are more restrictive and expensive than accepted U.S. privacy practices
• Some firms believe that it may be easier for them to enter into privacy contracts with their European partners than to join Safe Harbor

Compounding its problems, Safe Harbor faces internal European disputes over the legitimacy of the agreement, as well as concern on the U.S. side that national sovereignty has been compromised by the agreement. In addition, Safe Harbor does not cover U.S. financial institutions.

Given the weakness of Safe Harbor, Lukas recommends that U.S. policymakers consider what they will do if the agreement collapses. While recognizing that Europe has the right to set its own privacy policies, he says, U.S. officials should be vigilant in holding Europe to its existing free trade commitments. Moreover, Congress should not give in to pressure—either international or domestic—to change U.S. privacy laws. "American policymakers should recognize the many advantages that flow from a market-based privacy regime and not be bullied into adopting EU-style privacy regulations, " Lukas concludes. "Safe Harbor should not be abandoned today, but neither should it be counted on as a secure port in future privacy storms."

"Safe Harbor or Stormy Waters? Living with the EU Data Protection Directive"