This case is one of a series on transatlantic relations developed by the American
Consortium on European Union Studies (ACES), a center organized by five universities
in the Washington D.C. area. Teaching essential concepts and principles concerning the
politics and economics of transatlantic relations is the central purpose of the case series.
Each case explores its particular topic as a specific instance of more general patterns of
conflict and cooperation between the European Union and the United States. European
integration, EU and U.S. policymaking, and their consequences for transatlantic conflict
and negotiation are thus basic themes in the series. The multiplicity of layers of policy
authority on each side of the Atlantic, and shifts in the location of that authority, also
feature prominently in these cases. Each case thus conveys information on specific
problems in order to provide a factual foundation for students to discuss broader
principles as well as the particular policy dispute. These cases are written to assist
instructors of upper-level undergraduate and graduate courses in government, business
and economics in general and are configured for courses in International Relations,
Foreign Economic Policy and European studies in particular. We welcome your
feedback on the individual cases and the series as a whole.
C. Randall Henning
Permission to use, copy, and distribute this case or excerpts from this case is granted
provided that (1) this copyright and permission notice appears in all reproductions
(excerpts of up to two paragraphs need only reference the case in full); (2) use is for
noncommercial educational purposes only; (3) the manual or excerpts are not modified in
any way; and (4) no figures or graphic images are used, copied, or distributed separate
from accompanying text. Requests beyond that scope should be directed to the Executive
Director of the American Consortium on European Union Studies (ACES).
The regulation of data privacy, or the ways in which governmental agencies, firms, and
other organizations are permitted to collect and use personal information, has emerged as
a key source of transatlantic tension in recent years. Historically the US and the
European Union (EU) have followed very different paths to the regulation of this
information. The US regulates governmental use of personal information more heavily
than that by the private sector, which is largely self-regulated, although certain sensitive
sectors such as health care and financial services are more stringently regulated. The EU,
in contrast, regulates data privacy more comprehensively, with equal treatment given to
public and private uses of personal information and with significant enforcement
capabilities at the member-state level.
These differing regulatory frameworks came into conflict in the late 1990s, when
member states began implementing the EU Directive on Data Protection, which prohibits
the transfer of personal information to countries lacking “adequate” data protection laws.
Because the US approach of self-regulation by the private sector was expected to fail the
EU’s adequacy test, the Directive was projected to cause significant harm to the $350
billion transatlantic trading relationship.[1] One study estimated that it would initially cost
US companies with transatlantic operations as much as $36 billion to comply with the
Directive.[2] US companies without a physical presence in Europe but with European
customers, such as Internet companies, faced greater potential threats. Even companies
that had high standards for data privacy, the White House and some firms believed, might
have been blocked from selling their goods and services to individuals in Europe if the
EU deemed US law to be inadequate.[3]
After several years of often-fractious negotiations, the US and EU agreed in 2000 to an
innovative solution to this conflict. The “Safe Harbor” arrangement guarantees that US
companies abiding by a series of requirements are considered in compliance with the
Directive, even as the Working Party has found the US to have inadequate data protection
laws.[4] Safe Harbor thus can be conceived as a bridge between two very different
regulatory frameworks, one that adheres to the US commitment to self-regulation by the
private sector, but which meets EU requirements by embedding private sector
enforcement within a larger regulatory framework.[5]

[1] 1999 estimate (see http://www.useu.be/SUMMIT/daley0500.html). In 2003, transatlantic trade
measured over $500 billion.
[2] Hahn (2001). This estimate is considered inflated by Swire (2001) and Heisenberg (2003). Swire
(2001) argues that it is difficult to create a “useful estimate” of the costs of compliance with the
Directive, and he asserts that the Hahn study is flawed for a number of reasons, including: 1) it does
not create an adequate baseline of companies’ privacy initiatives in the absence of legislation; and
2) it assumes similar compliance costs for large and small companies. Heisenberg (2003) finds few
costs to businesses in her telephone interviews with 30 US companies.
[3] EU authorities, however, saw the Directive as having a much less dramatic impact, and they
emphasized that US companies could remain in compliance with the Directive if they abided by
certain privacy requirements. See Rodota (2001).
[4] On January 26, 1999, the Article 29 Working Party found that, “the current patchwork of
narrowly-focussed sectoral laws and voluntary self-regulation [in the US] cannot at present be relied
upon to provide adequate protection in all cases for personal data transferred from the European
Union.” See European
Despite this arrangement, however, key concerns linger on both sides of the Atlantic.
The EU’s concerns center on Safe Harbor’s enforcement. Only 384 US companies have
signed up for Safe Harbor as of August, 2003, far fewer than the thousands of US
companies engaging in transatlantic trade.[6] Also, many of the companies that have
signed up are not meeting all of Safe Harbor’s requirements, and the US government to
date has not prosecuted any of these companies for their failure to comply.[7] For the US,
concerns lie primarily with those sectors not covered by Safe Harbor, such as financial
services, telecommunications, and not-for-profit organizations. The US wants European
data protection authorities to hold off on enforcing the Directive on these companies until
a bilateral agreement regarding their fate can be reached. Safe Harbor is not a treaty or
legally binding agreement, so it is possible for the parties to renegotiate or withdraw from
the arrangement at any time.
The institutional structure for establishing data privacy regulation differs across the
Atlantic. For the EU, the supervisory authorities that are responsible for the enforcement of
the Directive in the member states are represented in the Article 29 Working Party. The
Working Party meets regularly to recommend to the European Commission any changes
to Safe Harbor, including potentially outright withdrawal from the arrangement. For the
US, the decision-making power over the future of Safe Harbor is scattered among a
number of governmental agencies, including the Department of Commerce and the
Federal Trade Commission, which together are largely responsible for the enforcement of
Safe Harbor, and those agencies responsible for companies in the excluded sectors, such
as the Treasury Department, which oversees substantial parts of the financial services
sector. But these US agencies and the EU data protection authorities must also work to
satisfy the divergent interests of different domestic groups within the US and Europe,
including firms that tend to favor less stringent privacy regulation and non-governmental
organizations (NGOs) that for the most part press for strict enforcement of such
This case considers the sustainability of the Safe Harbor arrangement. The first section
discusses the relevance of domestic regulations for international trade and investment.
The second section connects general concepts regarding domestic regulation and trade
with the EU Directive. The third section provides a more detailed discussion of the
differences in how the EU and US regulate personal information, with particular attention
paid to the Directive and its potential impact on US companies. The fourth and fifth
sections offer a chronology of the events leading up to the Safe Harbor arrangement and
an analysis of the arrangement itself, including the concerns about Safe Harbor on both
sides of the Atlantic. Finally, some concrete examples and questions for discussion are

[5] See discussion in Farrell (2003).
[6] Figure taken from the US Department of Commerce’s Safe Harbor site at www.export.gov/safeharbor.
[7] European Commission (2002).
Domestic Regulation and International Trade and Investment
Governments regulate the activities of firms and other organizations within their borders
so as to satisfy the demands of their domestic constituencies. The scope and breadth of
such regulations have increased substantially in recent decades, particularly in developed
countries where groups that press for such regulations are better organized and able to
influence policy. Regulations can vary both in terms of issue area, from environmental
protection to labor standards to food safety, and in terms of the stringency of the
regulation. Because they respond to different economic circumstances and different
constituencies, regulatory regimes often differ substantially from country to country.
Differences in national regulatory regimes cause relatively few problems in the absence
of significant trade and investment. But when goods, services, labor and investment
cross borders, differences in domestic regulation can cause conflict between
governments. One government might block the importation of an automobile or food
item owing to failure to meet a health or safety requirement that does not apply abroad,
for example, raising the objections of trading partners. While usually serving legitimate
health and safety needs, such requirements have sometimes been used as pretexts for
protecting domestic firms and industries. “Regulatory conflict” refers to such clashes
between governments over domestic regulations.
Differences in regulation can also affect the choices and strategies of multinational
corporations and the flow of foreign direct investment. Generally preferring weaker to
stronger regulatory regimes, firms might well choose to locate in countries where the cost
of adhering to regulations is low. The process of selecting the more favorable
jurisdiction, and playing one government off against another in the process, is labeled
“regulatory arbitrage.” In a desire to retain or attract foreign direct investment,
governments might ease regulatory requirements. When this process causes a general
easing of regulations, it is sometimes referred to as a “race to the bottom.”
In principle, there are at least three ways in which countries can ease regulatory conflict
and reduce associated barriers to trade and investment: harmonization, mutual
recognition, and national treatment (see Figure 1).[8] Harmonization involves the adoption
of identical regulations within different countries. Under mutual recognition, countries
maintain different regulatory frameworks for products and services produced
domestically but agree to recognize the other country’s regulations for products and
services imported from that country. The EU Single Market, for example, is founded on
harmonization of minimum standards and the principle of mutual recognition. National
treatment is where each country maintains its own domestic regulatory framework but
refrains from imposing more stringent regulations on imported products and services.
Each of these paths to bridging regulatory frameworks, particularly that of
harmonization, involves substantial bargaining, with each government generally
preferring that others make the greater adjustment in frameworks.
Figure 1: Methods of Bridging Domestic Regulations
  Harmonization        Creation of identical regulations across borders
  Mutual Recognition   Agreement to recognize another country’s regulations as
  National Treatment   Agreement not to impose more stringent regulations on firms from
                       other countries

[8] This paragraph draws extensively from Shaffer (2002), pp. 5-8. There is also some precedent for
partial delegation of decision-making authority to private entities.
But bridging domestic regulatory frameworks can prove difficult in that governments
must first respond to domestic pressures on regulation – pressures that are often rooted
within a country’s unique historical experience and culture. This difficulty is
compounded by the fact that domestic pressures are heterogeneous, with NGOs typically
pressing for more stringent regulations and the private sector advocating leniency. On
the one hand, NGOs worry principally about a “race to the bottom.” On the other hand,
firms are generally concerned with a “Balkanization” of domestic regulatory frameworks
that conflict with one another and may not be readily transparent. These companies tend
to favor harmonization to reduce the costs of compliance, but they worry about a “race to
the top,” where the pressures from trade unions, advocacy groups and NGOs push
countries to raise their domestic regulations to the highest common denominator.[9]
Companies are particularly resistant to new regulation in areas such as data processing,
the technology for which is developing so rapidly that policymakers are unlikely to be
able to conceive fully the impact of the regulation.[10]
In the case of the transatlantic relationship, many regulatory differences have been
bridged through a policy of mutual recognition. A key example of such efforts is the
1997 US-EU Mutual Recognition Agreement (MRA). The MRA covers six separate
areas: telecommunications equipment, electromagnetic compatibility, electrical safety,
recreational craft, medical devices, and pharmaceutical goods manufacturing. A distinct
agreement exists for each of these sectors, with defined categories and lists of products,
and significant conditions under which each country recognizes the other’s domestic
Where bilateral agreement is not possible, countries may turn to the WTO’s Agreement
on Technical Barriers to Trade, first negotiated during the Tokyo Round in the 1970s.[12]
This agreement recognizes that countries have the right to set and enforce their own
domestic regulations, particularly those pertaining to health or protection of the
environment or to meet other consumer interests. Nonetheless, domestic regulations,
especially those enforced arbitrarily, can also be used as an excuse for protectionism.
The agreement encourages countries to rely on “international standards” where
appropriate but in no way requires them to change their domestic regulations as a result.
The details of the agreement center on a “code of good practice” to adopt and enforce
domestic regulations, including the discouragement of any methods that give
domestically produced goods and services an unfair advantage.

[9] See a discussion of this debate on the race to the bottom in Kahler (nd). Also see Murphy (2004).
[10] See discussion in Mann, Eckert, and Knight (2000).
[11] See Shaffer (2002).
[12] See a description of the Agreement on Technical Barriers to Trade at
Data Protection as an International Trade Issue
The EU Directive on data privacy seeks to regulate an area of business that has grown
exponentially in size and importance in recent years: information management. With the
advent of increasingly efficient and powerful computer and telephone networks,
companies now collect and process billions of bits of data in order to maintain their
inventories, manage their customer accounts, market their goods and services, attract
corporate investors, and administer their workforce’s human resources needs. Much of
this data crosses borders, as companies today often outsource key elements of the value-
added chain, such as production and telemarketing and customer relations. But these
transfers of information raise concerns as to the protection of personal privacy with
respect, for example, to name, social security number, date of birth, marital status,
ethnicity, religion, purchasing history, and Web sites visited.[13] The EU Directive on data
privacy seeks to control which entities receive such information and what they do with it.
Whether the Directive constitutes a violation of WTO rules, however, is not clear-cut.
On the one hand, the Directive more directly impacts international trade and
investment than other kinds of domestic regulations because, in addition to regulating the
privacy practices of companies operating in Europe, it also affects companies with
customers but not physical operations in Europe. Moreover, the Directive has the
potential to limit the ability of European companies to outsource those aspects of their
operations having to do with the processing of personal data to companies in non-EU
countries. This can put non-EU companies that specialize in offering such services at a
competitive disadvantage, not just in the US but also in other countries deemed by the EU
to have inadequate data protection laws. Following this rationale, the US could bring a
dispute before the WTO, arguing that the most-favored-nation principle in Article II of
the General Agreement on Trade in Services (GATS) prohibits the EU from
discriminating against third countries. Here the US would need to offer evidence that the
EU was treating the US differently than other countries in terms of the regulation of
personal information flows.[14]
But on the other hand, the Directive does not appear to violate the second general
principle of the GATS, that of national treatment, located in Article XVII of the
agreement, since companies within the EU are also required to comply with the
Directive. Also, importantly, there exists in the GATS a specific exception for data
protection. Article XIV of the GATS states:
    Nothing in this Agreement shall be construed to prevent the adoption or
    enforcement by any Member of measures…c) necessary to secure
    compliance with laws or regulations which are not inconsistent with the
    provisions of this Agreement including those relating to…ii) the
    protection of the privacy of individuals in relation to the processing and
    dissemination of personal data and the protection of confidentiality of
    individual records and accounts.[15]
This exception for data protection would seem to suggest the Directive does not
constitute a violation of WTO rules. But the exception is subject “to the requirement that
such measures are not applied in a manner which would constitute a means of arbitrary or
unjustifiable discrimination between countries where like conditions prevail, or a
disguised restriction on trade in services.”[16] Thus if, in enforcing the Directive, the EU
treats US companies differently from its own companies, it could indeed be in
violation of the national treatment principle under Article XVII of the GATS.

[13] Swire and Litan (1998), p. 1.
[14] See discussion in Swire and Litan (1998) and Lukas (2001).
Without specific case law on data protection, it is unclear whether the Directive
constitutes a violation of WTO rules. Given this lack of clarity, and also the political
costs of taking such a high-profile case before the WTO, the US and EU have worked
bilaterally to forge a compromise between two very different data protection regimes.
The resulting Safe Harbor arrangement is similar to the US-EU Mutual Recognition
Agreement in that it involves recognizing the privacy practices of US firms as providing
adequate data protection. Importantly, though, it is the firms themselves, rather than the
US as a whole, that are covered by the adequacy finding. Those firms wanting to join
Safe Harbor must first agree to abide by a series of requirements negotiated jointly by the
US and EU in order to comply with the Directive.
Safe Harbor thus can be conceived as a compromise between the US’s resistance to
implement the Directive in its domestic regulation and the EU’s desire to ensure that
companies cannot circumvent the Directive by transferring personal data to countries
outside the EC’s jurisdiction. But the arrangement is not without its critics, foremost
among them industry trade associations and conservative research groups such as the
Cato Institute, which claim that the EU is engaging in an extraterritorial application of
domestic law.[17] On the other side are numerous privacy and consumer protection groups,
such as Electronic Privacy Information Center and the Public Interest Research Group,
that would prefer to see more stringent protection of privacy in US law.[18]

[15] Quoted from Swire and Litan (1998), p. 191.
[16] Quoted in Swire and Litan (1998), p. 191.
[17] Lukas (2001). It is interesting to note that many industry associations that were quite vocal
against the Directive, such as the US Chamber of Commerce, have remained relatively quiet about
Safe Harbor, perhaps because these associations recognize the political difficulty in negotiating a
better deal than Safe
[18] Shaffer (2002), p. 26.

Privacy Regulation in the EU and US
Historically the EU and US have followed very different paths to the regulation of data
privacy. Whereas the US has relied predominantly on self-regulation by the private
sector, the EU has moved toward greater and more centralized privacy regulation and
enforcement. These differing approaches to privacy regulation can be seen as a reflection
of unique historical experiences and cultural preferences. The US has embraced a much
narrower definition of privacy, so that personal-level marketing by US companies is now
commonplace and for the most part accepted.[19] In Europe, by contrast, privacy is
conceived of much more expansively.[20]
EU Regulatory Framework
Initially regulation of data privacy in the EU was quite decentralized. The first data
protection statute was implemented in the German state of Hesse in 1970, and the first
law at the national level was in Sweden in 1973. This decentralization of data protection
led to a patchwork of differing and sometimes conflicting legal frameworks among the
EU member states. For example, Germany and France by the 1990s had some of the
most stringent data protection laws in Europe, but these laws functioned very differently
from one another. In France, a national-level data protection agency was established,
which had significant authority to monitor French companies for compliance with
national regulation. In Germany, in contrast, enforcement responsibilities on data
protection were more disaggregated, divided among local and national officials.[21]
These differing data protection regulations soon became the source for a number of trade
disputes among the EU member states. One example was when the French subsidiary of
Fiat was prohibited from transferring customer and employee data to the company’s
headquarters in Italy, because Italy at the time lacked any data privacy laws. Such
transfers were permitted only when Fiat Italy agreed to sign a data protection contract in
which Fiat Italy promised to handle the personal information from Fiat France in
accordance with French data protection laws.[22]
Starting at the European Parliament, and with the leadership of French, German, and
Swedish officials, momentum began to build in the late 1980s to harmonize European
data protection laws upward to the more stringent levels set by these three states.[23] Such
an initiative was seen as a natural corollary to the EU’s central mission to extend and
deepen economic integration among the member states.

[19] There is some evidence of a change in attitude within the US about the extent to which private
companies should be allowed to market their goods and services to individuals, with the recent
legislation surrounding the federal “do-not-call” lists that prohibit telemarketers from contacting
individuals if they have previously indicated they do not wish to receive such calls.
[20] It is interesting to note that certain countries, like Canada, are embracing the EC’s model of
centralized regulation of data privacy. See the Web site of the Privacy Commissioner of Canada at
[21] Swire and Litan (1998), pp. 22-3.
[22] See discussion in Newman (2003).
[23] Despite the fact that the Directive centralizes the protection of data privacy within the EU, some
disagree as to whether true harmonization of domestic data protection regulations among EU member
states has indeed taken place. See Newman (2003).
The European Commission was initially reluctant to take on the issue of data protection,
but mounting pressure from data protection authorities within the member states and also
European firms that objected to the “Balkanization” of data protection laws across
Europe persuaded Commission officials that data privacy was indeed an important issue
to be addressed.[24] On the basis of a Commission proposal, the EU adopted in 1995
Directive 1995/46/EC: “on the protection of individuals with regard to the processing of
personal data and on the free movement of such data.”[25] Article 1 of the Directive treats
privacy as a basic human right. Articles 2-4 state that the Directive covers all processing
of all personal data except for matters related to public security and criminal law. It
prohibits the processing of personal information unless the individual has been informed
and “unambiguously” gives their consent. Article 8 specifies that the information subject
to the most stringent controls is “personal data revealing race or ethnic origin, political
opinions, religious or philosophical beliefs, trade-union membership, and processing of
data concerning health or sex life.”
Enforcement of the Directive exists on multiple levels. Articles 12 and 28 of the
Directive stipulate that individuals be granted the right to obtain copies of data collected
about them and have that data corrected or their use enjoined. It also obliges EU member
states to provide a judicial remedy when infringement of privacy has taken place; this
remedy includes the right to receive damages. Article 28 further stipulates that each
member state designate an independent public authority to monitor application of the
Directive. These authorities have the power to block, erase, or destroy data, to impose a
temporary or permanent ban on data processing, and to engage in legal proceedings
against violators. These authorities are represented in the Working Party, an independent
advisory body established by Article 29 of the Directive.
Whereas the majority of the Directive is aimed at companies operating within the EU,
Articles 25 and 26 concern the transfer of personal data outside of the EU. At the time
the Directive was being drafted, the Commission was concerned that European
companies could circumvent the Directive by transferring personal information on their
customers outside of Europe. The Directive could also give an advantage to non-EU
companies in the provision of data processing services, such as the mining of customer
data for marketing purposes, as non-EU companies were not subject to the Directive’s
requirements. Article 25 of the Directive addresses this concern. It prohibits the transfer
of personal information collected in the EU to countries without “adequate” data
protection laws. If the EU finds that a third country does not ensure adequate protection,
member states are required to take those measures necessary to prevent any transfer of
personal data to the country in question.[26]
Article 26 lists some exceptions to the Article 25 adequacy requirement. For example, it
allows data transfers to non-EU states if the individual has given his or her “unambiguous
consent.” Transfers are also possible if the company has implemented “appropriate”
safeguards in the form of approved contractual provisions between the customer and the
company (also known as the “model contract” provisions).[27]

[24] See discussion in Newman (2003).
[25] The next two paragraphs draw extensively on the analysis of the Directive by Shaffer (2002), pp. 28-9.
[26] Swire and Litan (1998), pp. 31-2.
The legislation set a 1998 deadline for member states to integrate the Directive in their
national laws. But 11 of the 15 EU members missed that deadline, and as of fall 2002,
two member states – France and Ireland – still had not yet adopted legislation to
implement the Directive, and the Commission began enforcement proceedings against
them.[28] Nonetheless, the Commission recognizes that France and Ireland already have in
place national laws that for the most part conform with the Directive, although these laws
need to be amended to address questions of transborder data flows and other specific
aspects of the Directive.[29]
The protection of personal information in Europe is further stressed in the Charter of
Fundamental Rights, signed in December 2000 by the European Parliament, the Council,
and the Commission. Articles 7-8 of the Charter reaffirm privacy as a basic human right.
Article 7 states that, “Everyone has the right to respect for his or her private and family
life, home and communications.” Article 8 states that, “Everyone has the right to the
protection of personal data concerning him or her,” and that, “Compliance with these
rules shall be subject to control of an independent authority.”[30]
US Regulatory Framework
The US regulation of data privacy is fundamentally different from that of the EU, in that
there is no single, comprehensive privacy law, nor does there exist a single government
agency charged with administering privacy law.[31] Many of the original privacy laws in
the US were aimed at regulating governmental use of personal information, as opposed to
use by the private sector. For example, the Privacy Act of 1974 stipulates that personal
information cannot be shared between governmental agencies. And the Freedom of
Information Act allows citizens to learn what information the government has collected
on them.[32] Private use of personal information, by contrast, was largely unregulated.
More recently the national government has started to regulate private sector use of
personal information in those sectors deemed to handle the most sensitive information.
The more heavily regulated sectors include health care, with the Health Insurance
Portability and Accountability Act (HIPAA) of 1996, and financial services, with the
Financial Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act).
There are also more stringent regulations on the use of personal information on
children, particularly that collected over the Internet. The Children’s Online Privacy
Protection Act (COPPA) of 2000 strictly controls the information that can be collected
over the Internet from children under the age of 13.

[27] Korff (2002), p. 1; and Wiley, Rein, and Fielding LLP (2003).
[28] Korff (2002), pp. 1-2.
[29] See discussion in Rodota (2001).
[31] Swire and Litan (1998), p. 2.
[32] See discussion in Swire and Litan (1998), p. 7.
Depending on the sector, a number of federal agencies are responsible for enforcing these
different privacy laws. The Department of Health and Human Services is charged with
enforcing HIPAA, the Department of Treasury with Gramm-Leach-Bliley, and the
Federal Trade Commission with COPPA. The Federal Trade Commission is also
responsible for enforcing the promises private sector companies make to their customers
regarding the use of their personal data (under Section 5 of the Federal Trade
Commission Act), and it oversees the multiple Consumer Reporting Agencies, which
gather and sell personal credit information, under the Fair Credit Reporting Act.[33] In this
sense, the FTC has the broadest enforcement powers on US privacy laws, but – like the
privacy laws themselves – these powers are limited to particular sectors, segments of the
population, or types of personal information.
The Road to Safe Harbor
The US government began raising objections to Article 25 of the Directive when EU
member states began to implement the Directive in the mid- to late-1990s. Because of
the marked differences in approach to the regulation of privacy on the two sides of the
Atlantic, it was widely anticipated that the US would not meet the EU’s adequacy test.
This was confirmed by the Article 29 Working Party in January of 1999: “the current
patchwork of narrowly-focussed sectoral laws and voluntary self-regulation [in the US]
cannot at present be relied upon to provide adequate protection in all cases for personal
data transferred from the European Union.”34
The significance of the Directive, as understood by the US business community, was that
US companies could be barred from selling goods and services to their European
customers. Lending credence to this understanding was a widely cited study from the
Brookings Institution that argued the impact from the Directive on transatlantic trade
could be substantial.35
One senior Clinton administration official, Ira Magaziner, who was in charge of US
electronic commerce policy, threatened to take the case before the WTO: “In general, we
in the US don’t recognize an extra-territorial attempt to shut down the electronic flow of
data between countries. According to principles of international trade, I think that’s a
violation of WTO rules.”36 But the exception for the processing of personal data in the
WTO’s General Agreement on Trade in Services (GATS), as described above, created
uncertainty as to whether the US could indeed argue such a case successfully before the
WTO. As a result, and also as a consequence of the policy fragmentation on privacy
protection within the US, it took a number of years after the Directive was passed in 1995
for the Clinton administration to devise a coherent plan of action.37
33. Federal Trade Commission (2003).
34. European Commission (1999).
35. Swire and Litan (1998). For more on the lobbying efforts of US companies on the Directive, see Regan
36. Shaffer (2002), footnote #171, p. 35.
37. The author thanks Henry Farrell for this insight.
This plan centered on bilateral negotiations with the EU to bridge the different regulatory
frameworks. Negotiations took place over the course of two years, and initially there
appeared no chance of an agreement. The EU wanted the US to introduce domestic
legislation to protect the privacy of personal information collected in Europe and
transferred to the US. The US was unwilling to do so and wanted the EU to instead
recognize its existing regulatory framework as meeting the EU’s adequacy test.38 As one
EU official described the resulting tension:
There was a lot of angst around that this could spin out of control. There
weren’t any obvious solutions here; it was very black and white in the
beginning, the [EU] comprehensive legislative approach and the
piecemeal self-regulatory approach in the US.39
A breakthrough in the impasse came in January 2000, when US Undersecretary for
Commerce David Aaron suggested a “safe harbor” arrangement, whereby US companies
meeting a set of previously agreed requirements could be found to be in compliance with the
Directive, even if the US did not meet the EU’s adequacy test. Inspiration for such an
arrangement came from US tax law, under which companies complying with certain
requirements can sometimes qualify for tax exemptions. According to Aaron:
I thought…well if we couldn’t get the country to be considered
“adequate,” maybe what we could get considered adequate are the
companies. And that if we could set up some kind of a regime that could
have an adequacy finding for a system, not for a whole country’s law and
regimes, and so the word just popped into my head, as describing Safe
The resulting Safe Harbor arrangement, announced just a few months later, was based
largely on the OECD’s non-binding privacy principles, signed by both the US and EU in
1998. Safe Harbor also involved major concessions on the part of both the US and EU.
The EU agreed that private-sector privacy seal programs such as TRUSTe and
BBBonline, widely used in the US as a means of self-enforcement, could play a major
role in monitoring compliance with Safe Harbor. It also agreed to a moratorium on
enforcement of the Directive until Safe Harbor was in operation for at least one year, so
that US companies had time to come into compliance with the Safe Harbor requirements.
The US agreed to embed the activities of these private-sector privacy groups within a
larger regulatory framework, with signatory companies subject to enforcement action by
the US Federal Trade Commission (FTC) and, in certain cases such as the use of human
resources information, even by EU data protection authorities directly.41
The European Commission officially approved the Safe Harbor arrangement as meeting
the adequacy test laid out in Article 25 of the Directive. Then, in July 2000, the
European Parliament rejected Safe Harbor in a 279-259 vote, claiming that it “does not
go far enough to protect Europeans’ personal privacy because the US regulatory regime
is fundamentally weak.”42 But the Commission argued that the Parliament had no
statutory authority to veto the terms of the deal, and held that the Safe Harbor provisions
represented “adequate” data protection.43 As Commission spokesman Gerard de Graaf
commented: “We don’t think going back to the United States and trying to negotiate
improvements is achievable. The European Commission will take the Parliament
seriously, but at the same time, it will be careful to see its powers maintained.”44
38. See Farrell (2003), pp. 290-2.
39. Ibid, p. 292.
40. Ibid, p. 292.
41. Ibid, p. 296.
The Safe Harbor Arrangement
The Safe Harbor arrangement, approved by the Commission in July of 2000, allows US
companies to comply with the Directive, even though the Commission has found that US
data protection laws do not meet the Directive’s adequacy requirement. Essentially, the
arrangement encompasses the US framework of self-regulation by the private sector and
embeds it within the EU framework of regulation.45 In the words of former
Undersecretary Aaron, who led negotiations on Safe Harbor for the US: “The essence of
the deal was that we accepted high standards and they accepted self-regulation.”46
Importantly, Safe Harbor is not a treaty or executive arrangement that applies the EU
Directive in the US. Rather, it is an arrangement that US companies are invited to join on
a voluntary basis so that they can avoid possible enforcement action by the EU data
protection authorities when handling the personal information of their European
To join Safe Harbor, a US company must agree to abide by seven privacy principles: 48
1. Notice: Organizations must notify individuals about the purposes for
which they collect and use information about them. They must provide
information about how individuals can contact the organization with any
inquiries or complaints, the types of third parties to which it discloses the
information and the choices and means the organization offers for limiting
its use and disclosure.
2. Choice: Organizations must give individuals the opportunity to choose
(opt out) whether their personal information will be disclosed to a third
party or used for a purpose incompatible with the purpose for which it was
originally collected or subsequently authorized by the individual. For
sensitive information, affirmative or explicit (opt in) choice must be given
if the information is to be disclosed to a third party or used for a purpose
other than its original purpose or the purpose authorized subsequently by
“US-EU Data Privacy Deal Panned,” The Industry Standard (July 6, 2000), online edition (downloaded
July 8, 2003).
“US-EU Data Privacy Deal Panned,” The Industry Standard, 6 July 2000.
Farrell (2003), p. 296.
The seven principles are quoted from US Department of Commerce (2003).
3. Onward Transfer (Transfers to Third Parties): To disclose
information to a third party, organizations must apply the notice and
choice principles. Where an organization wishes to transfer information to
a third party that is acting as an agent, it may do so if it makes sure that the
third party subscribes to the safe harbor principles or is subject to the
Directive or another adequacy finding. As an alternative, the organization
can enter into a written agreement with such third party requiring that the
third party provide at least the same level of privacy protection as is
required by the relevant principles.
4. Access: Individuals must have access to personal information about
them that an organization holds and be able to correct, amend, or delete
that information where it is inaccurate, except where the burden or
expense of providing access would be disproportionate to the risks to the
individual's privacy in the case in question, or where the rights of persons
other than the individual would be violated.
5. Security: Organizations must take reasonable precautions to protect
personal information from loss, misuse and unauthorized access,
disclosure, alteration and destruction.
6. Data integrity: Personal information must be relevant for the purposes
for which it is to be used. An organization should take reasonable steps to
ensure that data is reliable for its intended use, accurate, complete, and
7. Enforcement: In order to ensure compliance with the safe harbor
principles, there must be (a) readily available and affordable independent
recourse mechanisms so that each individual's complaints and disputes can
be investigated and resolved and damages awarded where the applicable
law or private sector initiatives so provide; (b) procedures for verifying
that the commitments companies make adhere to the safe harbor principles
have been implemented; and (c) obligations to remedy problems arising
out of a failure to comply with the principles. Sanctions must be
sufficiently rigorous to ensure compliance by the organization.
Organizations that fail to provide annual self-certification letters will no
longer appear in the list of participants and safe harbor benefits will no
longer be assured.
US companies joining Safe Harbor must certify their compliance annually with these
seven privacy principles in writing to the US Department of Commerce. There are two
ways in which a company can certify its compliance: 1) by joining a private-sector
privacy seal program such as TRUSTe or BBBonline that enforces compliance with the
conforms to the seven Safe Harbor principles.49 As part of the self-certification process,
companies must also declare whether or not they are willing to be subject to investigation
by EU data protection authorities.50 The Department of Commerce maintains a list of all
companies filing self-certification letters and publishes that list on its Web site.51
A central component of the Safe Harbor arrangement is public declaration by US
companies that they are in compliance with the Safe Harbor requirements. Companies’
declaration of compliance with Safe Harbor allows the US Federal Trade Commission
to take enforcement action against companies that join Safe Harbor but are not in
compliance, as the FTC can prosecute companies for giving false information to their
customers under Section 5 of the FTC Act. As explained by the FTC:
A key part of the Commission's privacy program is making sure
companies keep the promises they make to consumers about privacy and,
in particular, the precautions they take to secure consumers' personal
information. To respond to consumers' concerns about privacy, many
Web sites post privacy policies that describe how consumers’ personal
information is collected, used, shared, and secured. Using its authority
under Section 5 of the FTC Act, which prohibits unfair or deceptive
practices, the Commission has brought a number of cases to enforce the
promises in privacy statements, including promises about the security of
consumers’ personal information.52
By joining Safe Harbor, US companies can ensure their compliance with the EU
Directive. All 15 member-states of the European Union are bound by the Commission’s
decision that Safe Harbor meets the adequacy test set forth in Article 25 of the Directive.
As such, member states cannot block data transfers to US companies that have joined
Safe Harbor. Furthermore, claims brought against US companies will, except for certain
limited exceptions, be heard in US court. For these reasons, the US Department of
Commerce maintains that Safe Harbor represents a “simpler and cheaper” means of
complying with the Directive than parallel means of compliance, such as the model
US Department of Commerce (2003).
An informal review of the Safe Harbor certifications, as posted on the Department of Commerce’s Web
site, reveals that most companies answer in the affirmative to the question: “Do you agree to cooperate
with the EU Data Protection Authorities?” However, some large companies, including Amazon.com,
answered that they do not agree to cooperate. Cooperation with EU data protection authorities is a
requirement to join Safe Harbor if the company handles human resources data. See
See US Department of Commerce (2003).
Implementation of the Safe Harbor Arrangement
In the first years of Safe Harbor, US companies have been somewhat slow to certify their
compliance with the arrangement. As of July 2001, fewer than 50 companies had joined
Safe Harbor, and this number has increased to only 384 companies as of August 2003.
The slow sign-up rate among US companies has not gone unnoticed by EU authorities.
As Stefano Rodota, Chairman of the Article 29 Working Party, has commented, “It is to
be hoped that the number [of US companies joining Safe Harbor] will increase, after all
the commendable efforts that were deployed on both sides to secure the deal.”54
There are a number of possible explanations for the slow uptake among US companies.55
First, companies can only certify with Safe Harbor once their data collection and
dissemination procedures are in compliance with the seven privacy principles. This can
involve considerable reengineering of information systems, the creation of new internal
policies, and the training of personnel. Second, many companies had been waiting until
the Article 29 Working Party developed the “model contract” provisions, which are a
parallel means for US companies to comply with the Directive. Once it became clear that
the model contract provisions were in fact more stringent than the Safe Harbor principles,
it increased the likelihood that US companies would join Safe Harbor. Finally, the US
and EU had agreed to a one-year moratorium on enforcement of the Directive, so there
was perhaps less of an incentive to join Safe Harbor in the early months of the
But the Article 29 Working Party has concerns beyond the slow sign-up rate.56 Indeed,
the Working Party has found that a “substantial number” of the Safe Harbor companies
are failing to provide transparency in their privacy policies, one of the basic Safe Harbor
principles. And fewer than 50% of the Safe Harbor companies are complying with all
seven required principles.57
The Working Party is also concerned with the willingness of the FTC to enforce the
accuracy of US companies’ privacy policies, one of the central components of the Safe
Harbor arrangement. The FTC has launched formal inquiries into a number of online
companies for their domestic privacy practices, including Amazon and RealNetworks, on
allegations they were secretly collecting personal data from their customers and
transmitting that data to third parties. But despite finding that some of these companies
were engaging in deceptive data collection practices, the FTC has decided not to
recommend any penalties for these companies.58 Moreover, the Working Party has noted
that the FTC has not yet pursued any company for making false claims in its
self-certification under the Safe Harbor program.59
This paragraph draws extensively from Shaffer (2002), pp. 33-4.
See European Commission (2002).
“Amazon, Subsidiary Face Privacy Lawsuits, FTC Inquiry,” ComputerWorld (February 14, 2000), online
edition; “RealNetworks Faced With Second Privacy Suit,” CNET News (November 10, 1999), online
edition; “FTC Staff Slaps Amazon’s Wrist in Second Data Privacy Dispute,” ComputerWorld (May 30,
2001), online edition.
The US has a number of concerns of its own, namely the fate of US companies in those
sectors not included in the original Safe Harbor arrangement, such as financial services,
telecommunications, and not-for-profit organizations. The decision to exclude these
sectors came about largely because the FTC lacks enforcement authority over them. The
Treasury Department, for example, is responsible for enforcing federal regulation on
large parts of the financial services sector. For the telecommunications sector, it is
thought that additional rulemaking may be required for the Federal Communications
Commission to enforce an arrangement like Safe Harbor. And the not-for-profit sector in
the US is largely regulated at the state level, with little federal enforcement capacity.
A second reason why the financial services sector was excluded from Safe Harbor was
because, during the Safe Harbor negotiations, the US Congress was in the process of
adopting the Gramm-Leach-Bliley Act, which imposes privacy obligations on financial
services companies. US and EU negotiators decided to wait on the outcome of this
legislation, with US negotiators reserving the possibility that it could meet the Article 25
adequacy test.60 Now that Gramm-Leach-Bliley is in place, the US wants to resolve the
fate of US financial services companies under the Directive. It also wants data protection
authorities from the member states to hold off on enforcing the Directive on companies in
the excluded sectors until bilateral agreement on the fate of these companies can be
Also, there is some difference of opinion between the US and EU as to whether the Safe
Harbor arrangement applies to Internet transactions, such as digitally delivered music,
with the US arguing that it does, and the EU arguing that it does not.
Attitudes within both the European Union and United States toward data protection are
evolving. The United Kingdom, Sweden, Finland, and Austria have filed complaints
with the European Commission, for example, arguing that the Directive imposes one-
size-fits-all data protection requirements despite varying degrees of privacy risk.61 These
complaints suggest that certain EU member states might want to move more toward the
US model of privacy regulation, which imposes more stringent standards on those sectors
deemed to handle the most sensitive information.
Within the US, public opinion is growing in favor of more stringent data protection. For
example, in July 2003, a new privacy law – Senate Bill 1386 – went into effect in
California; this law requires firms and other organizations to notify California residents
when it is believed that personal information stored on computer systems has been
disclosed without authorization as a result of a security breach.62 Also, the FTC has
found that the self-regulation model employed in the US may not be working as well as
expected. In a May 2000 report, the FTC found that, while 88% of Web sites post
privacy policies, only 20% are implementing the four information practice principles of
Notice, Choice, Access, and Security. And only 41% of sites meet the basic Notice and
Choice standards.63 But, even as public opinion and the FTC might be willing to move
more in the direction of the EU regulatory model, some US companies and trade
associations like the US Chamber of Commerce are actively lobbying against the
Directive, claiming that it is an extraterritorial application of European law.64
59. European Commission (2002) and Reidenberg (2002).
60. Wiley, Rein, and Fielding LLP (2002).
61. Wiley, Rein, and Fielding LLP (2003).
62. ShawPittman LLP (2003).
Impact of the Directive and Safe Harbor: Focus on the Financial Services Sector
The US Department of Treasury started negotiations with the Commission on a Safe
Harbor arrangement for financial services firms, although these negotiations are now on
hold pending changes to regulation of privacy protection in the financial services sector.
Financial services companies may not join Safe Harbor as it is currently negotiated, but
they may choose one of several parallel means of complying with the Directive, such as
through the “model contract” provisions or by obtaining the “unambiguous consent” for
the use of personal information. But these parallel means are generally considered more
onerous for US firms than what other companies have to do to join Safe Harbor, and so it
is perceived to be within the interests of the US financial services sector to have some
alternative method to comply with the Directive.
The most appealing option for financial services firms is to have the Working Party
recognize US domestic regulation – particularly that set forward by the Gramm-Leach-
Bliley Act, as described above – as providing adequate data protection. This option
would require no further steps for US financial services firms other than to come into
compliance with US regulations. A second option is for the Treasury Department to
negotiate a separate Safe Harbor arrangement for financial services firms. But such firms
would likely resist any further regulation beyond that needed to comply with the Gramm-
Officially, there exists no moratorium on enforcement of the Directive on the financial
services sector. But data protection authorities from the EU member states had indicated
that they would be willing to be flexible on issues of enforcement related to the Directive
During the course of our discussions, Member States have demonstrated
their willingness to use the flexibility offered by Article 26 of the
Directive to avoid interruptions in data flows. The Commission and the
Member States have confirmed their willingness to continue to use this
flexibility to provide US organisations with an opportunity to decide
whether to participate in the "safe harbor" and (if necessary) to update
their information processing policies and practices accordingly.65
63. Federal Trade Commission (2000).
64. See Lukas (2001).
65. Letter from John Mogg transmitting the decision regarding the adequacy of data protection under Safe
Harbor (15 November 1999). Available at http://www.export.gov/safeharbor/EULetter1199.html. It is
interesting to note that this letter is available on the US Department of Commerce’s Web site but not on the
The Directive itself has substantial implications for US financial services firms, with or
without transatlantic operations. One study by Ernst and Young LLP calculated in 2001
that it would cost the financial services sector at least $16 billion to comply with the
Directive; moreover, bank and insurance customers would have to spend an additional
305 million hours annually on managing their personal finances if the Directive was
applied to all US customers.66
From the EU perspective, an important issue to be negotiated is that of enforcement, as
the FTC has primary responsibility to enforce Safe Harbor, whereas the Treasury
Department has enforcement responsibilities for the financial services sector.
Possible Scenarios for the Future of Safe Harbor
As the EU and the US have key concerns regarding Safe Harbor, it is not likely that the
arrangement will persist in its current form over the long term. Nonetheless, given that
the concerns on each side of the Atlantic are substantially different from one another –
with the EU wanting to strengthen the enforcement of Safe Harbor as it is currently
negotiated, whereas the US is interested in expanding Safe Harbor to include previously
excluded sectors – a number of scenarios are possible for Safe Harbor’s future. With
each scenario, negotiators from the EU and US must work to satisfy the divergent
interests of their own domestic constituencies, including firms and NGOs, while at the
same time keeping in mind the other side’s political and economic constraints.
The first and most extreme scenario, more likely to be initiated by the EU than the US, is
to back out of Safe Harbor in its entirety. Safe Harbor is not a formal treaty, so that
withdrawal from the arrangement is possible at any time and without prior notice. Such a
maneuver would likely satisfy the demands of privacy groups in Europe, which claim that
Safe Harbor is a loophole for US companies to circumvent the intent of the Directive to
protect personal information collected in Europe. Nonetheless, such a withdrawal does
carry significant political ramifications. In particular, it risks the US taking Safe Harbor
before the WTO’s dispute settlement panel. Such a move would also likely escalate
current transatlantic tensions over issues ranging from Iraq to the International Criminal
Court to the Kyoto Protocol, precisely at a time when both the EU and US seem
interested in improving transatlantic relations.
A second, less drastic, scenario on the part of the EU would be to bolster enforcement of
the Directive by working directly with US companies, whether or not they are signatories
to Safe Harbor. There is some precedent for such a scenario, as in July 2002 the
Article 29 Working Party initiated a “dialogue” with Microsoft on “legal issues”
surrounding the privacy practices related to the company’s Passport program.67 The
Passport program allows individuals registering with Microsoft to enter a single password
and find their information automatically entered when they browse Web sites
participating in the Passport program. The Working Party had found that they “were not
convinced that the consent given by [Passport] users was sufficiently informed, freely
given and specific” to justify the program’s gathering and sharing of personal
information, and they were concerned at the prospect of a “centralized system of personal
data storage” located outside the EU. After several months of negotiations, Microsoft
agreed to meet the Working Party’s demands and began implementing several changes to
find it more politically feasible to enforce the Directive on US companies than those
located within Europe.
(footnote 65, continued) European Union’s Web site on data protection. Matthew King from the European Commission writes in
response to a draft of this case study: “No rights have been abrogated in this regard.”
66. As cited in “EU Privacy Directive Would Cost US Consumers,” Itworld.com, 1 May 2001. Note that the
study found similar costs involved in complying with the Gramm-Leach-Bliley Act.
67. This paragraph, including quotes, is drawn from Wiley, Rein, and Fielding (2003b).
A third possibility, originating from the US, would be to bolster its own enforcement of
US companies belonging to Safe Harbor, in order to appease the Article 29 Working
Party and to facilitate negotiations surrounding Safe Harbor’s expansion. Taking the lead
on enforcement likely would be the Federal Trade Commission, as the FTC can prosecute
companies for giving false information to their customers, including in their privacy
policies, under Section 5 of the FTC Act. Nonetheless, such enforcement would be
politically difficult for the US and could be expected to weaken industry’s claims that the
Directive and Safe Harbor are an extraterritorial application of EU law on US firms.
A more drastic scenario for the United States would be to ignore the complaints of the
Article 29 Working Party over the enforcement of Safe Harbor and instead to reserve the
possibility of taking the Directive before the WTO’s dispute settlement body. This
maneuver, however, would likely forestall any ability on the part of the Department of
Treasury to negotiate expansion of the arrangement to financial services firms. It would
also create uncertainty for the several hundred firms that have already gone through the
requirements to join Safe Harbor, in that the future of the arrangement itself would likely
be in doubt.
Questions for Discussion
1. Discuss the meaning and dynamics of “regulatory conflict.” In what ways can
domestic regulatory regimes differ and how can those differences cause
international conflict? What is “regulatory arbitrage” and what drives the “race to
the bottom”? When regulatory regimes are in conflict, what might generate a
“race to the top”?
2. How do the data privacy regimes of the European Union and United States differ?
What is the origin of these differences?
3. How might domestic interests, including firms, non-governmental organizations,
and the data protection authorities themselves, have molded EU and US data
privacy regimes? What role did European integration play?
4. How well has the Safe Harbor agreement bridged the differences in the two
regimes? Has this been a good solution to the conflicts?
5. As the CEO of a US company with transatlantic operations, including a physical
presence in Europe, what would be your strategy in terms of complying with the
EU Directive and the Safe Harbor agreement? How might your strategy be
different if you led a company without a physical presence in Europe but with
European customers, such as an Internet company?
6. As a European company, do you support more stringent enforcement of Safe
Harbor on US companies? Why or why not? How does Safe Harbor improve or
injure your competitiveness vis-à-vis firms from other countries?
7. What are the potential ramifications, both politically and economically, if the EU
decides to withdraw from Safe Harbor? If the United States ignores certain
demands from within the EU for better enforcement of the arrangement?
8. Consider the positions of the EU and US about the future of the Safe Harbor
agreement. What are the main concerns of each? What sectors are most affected?
Is the Safe Harbor agreement sustainable? What is the most likely scenario for
the future and why?
9. Does Safe Harbor represent a good model for bridging domestic regulatory
frameworks between countries in other areas, such as protection of the
environment or workers’ rights? What might be the limitations of its applicability?