On July 1, 2001, the European Commission was scheduled to complete a one-year review of how well non-European companies were complying with the European Union’s Directive on Data Protection. More important, that date was also supposed to mark the end of an informal standstill on enforcement of the directive’s restrictions on cross-border data flows. Both the report and the end of the enforcement moratorium have been postponed, but for how long is uncertain.
The EU directive is designed to regulate the transfer and use of personal data about European citizens. One facet of that regulation is a prohibition on the transmission of personal data to countries outside Europe that lack “adequate” data protection laws. If strictly enforced, that prohibition could harm businesses and consumers on both sides of the Atlantic.
The EU-U.S. Safe Harbor agreement seeks to bridge the gap between the top-down European data protection regime and the more decentralized U.S. approach. Although Safe Harbor is still in its infancy, its survival is already in doubt. Few companies have signed up. Meanwhile, the EU continues to develop model privacy contracts that may further undermine the usefulness of the Safe Harbor framework.
At best, Safe Harbor faces an uncertain future. The United States should recognize that Europe has the right to set its own privacy policies but not be pressured into copying the EU’s unwise data protection model. Relying on technology and market incentives, rather than regulation, to protect privacy empowers individual consumers to make their own choices, encourages new business and innovation, and protects free speech. The United States should stick to that course regardless of what Europe does. At the same time, however, if European law is enforced in such a way as to put U.S. companies at an unfair disadvantage—which is entirely possible—the United States should not hesitate to defend its interests through the dispute resolution mechanism of the World Trade Organization.