On July 1, 2001, the European Commission was scheduled tocomplete a one‐year review of how well non‐European companies werecomplying with the European Union’s Directive on Data Protection.More important, that date was also supposed to mark the end of aninformal standstill on enforcement of the directive’s restrictionson cross‐border data flows. Both the report and the end of theenforcement moratorium have been postponed, but for how long isuncertain.
The EU directive is designed to regulate the transfer and use ofpersonal data about European citizens. One facet of that regulationis a prohibition on the transmission of personal data to countriesoutside Europe that lack “adequate” data protection laws. Ifstrictly enforced, that prohibition could harm businesses andconsumers on both sides of the Atlantic.
The EU‑U.S. Safe Harbor agreement seeks to bridge the gapbetween the top‐down European data protection regime and the moredecentralized U.S. approach. Although Safe Harbor is still in itsinfancy, its survival is already in doubt. Few companies havesigned up. Meanwhile, the EU continues to develop model privacycontracts that may further undermine the usefulness of the SafeHarbor framework.
At best, Safe Harbor faces an uncertain future. The UnitedStates should recognize that Europe has the right to set its ownprivacy policies but not be pressured into copying the EU’s unwisedata protection model. Relying on technology and market incentives,rather than regulation, to protect privacy empowers individualconsumers to make their own choices, encourages new business andinnovation, and protects free speech. The United States shouldstick to that course regardless of what Europe does. At the sametime, however, if European law is enforced in such a way as to putU.S. companies at an unfair disadvantage – which is entirelypossible – the United States should not hesitate to defend itsinterests through the dispute resolution mechanism of the WorldTrade Organization.