American Consortium on European Union Studies (ACES)
                  Cases on Transatlantic Relations, No. 3




       ...
Editor’s Note

This case is one of a series on transatlantic relations developed by the American
Consortium on European Un...
1



Introduction

The regulation of data privacy, or the ways in which governmental agencies, firms, and
other organizati...
2

private sector, but which meets EU requirements by embedding private sector
enforcement within a larger regulatory fram...
3



Domestic Regulation and International Trade and Investment

Governments regulate the activities of firms and other or...
4




Figure 1: Methods of Bridging Domestic Regulations
Harmonization        Creation of identical regulations across bor...
5

appropriate but in no way requires them to change their domestic regulations as a result.
The details of the agreement ...
6

         Nothing in this Agreement shall be construed to prevent the adoption or
         enforcement by any Member of ...
7

Historically the EU and US have followed very different paths to the regulation of data
privacy. Whereas the US has rel...
8



The European Commission was initially reluctant to take on the issue of data protection,
but mounting pressure from d...
9

safeguards in the form of approved contractual provisions between the customer and the
company (also known as the “mode...
10



Depending on the sector, a number of federal agencies are responsible for enforcing these
different privacy laws. Th...
11



This plan centered on bilateral negotiations with the EU to bridge the different regulatory
frameworks. Negotiations...
12

European Parliament rejected Safe Harbor in a 279-259 vote, claiming that it “does not
go far enough to protect Europe...
13

       sensitive information, affirmative or explicit (opt in) choice must be given
       if the information is to be...
14

ways in which a company can certify their compliance: 1) by joining a private-sector
privacy seal program such as TRUS...
15

Implementation of the Safe Harbor Arrangement

In the first years of Safe Harbor, US companies have been somewhat slow...
16

that the FTC has not yet pursued any company for making false claims in its self-
certification under the Safe Harbor ...
17

privacy policies, only 20% are implementing the four information practice principles of
Notice, Choice, Access, and Se...
18



The Directive itself has substantial implications for US financial services firms, with or
without transatlantic ope...
19

Passport program allows individuals registering with Microsoft to enter a single password
and find their information a...
20

Questions for Discussion

   1. Discuss the meaning and dynamics of “regulatory conflict.” In what ways can
      dome...
21

Bibliography

Aaron, David L. 2001. “The EU Data Protection Directive: Implications for the US
       Privacy Debate,”...
22

Heisenberg, Dorothee, and Marie-Helene Fandel. 2003. “Exporting EU Regimes
      Abroad: The EU Privacy Directive as G...
23

ShawPittman LLP. 2003. “New California Privacy Law Affects Business Nationwide,”
      Technology and Business Alert, ...
Upcoming SlideShare
Loading in...5
×

Editor's Note

494

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
494
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Editor's Note

  1. 1. American Consortium on European Union Studies (ACES) Cases on Transatlantic Relations, No. 3 Regulatory Conflict over Data Privacy: Can the US-EU Safe Harbor Arrangement Be Sustained? by Sarah Cleeland Knight This case was written for Prof. C. Randall Henning of the School of International Service at American University and Editor of ACES Cases on Transatlantic Relations Nos. 1-3. Sarah Cleeland Knight is a doctoral candidate in the Department of Government at Georgetown University, one of the institutional members of the ACES consortium. They wish to acknowledge Henry Farrell, Dorothee Heisenberg, Matthew King, and Dale Murphy for very helpful comments on earlier drafts and Sacha Wunsch for constructive insights. Any remaining errors are the responsibility of the author. Copies of this case can be downloaded free of charge from, and information on other cases in this series can be found at, the ACES website: www.american.edu/aces/pages/publications.html. Copyright © 2003 American Consortium on European Union Studies
  2. 2. Editor’s Note This case is one of a series on transatlantic relations developed by the American Consortium on European Union Studies (ACES), a center organized by five universities in the Washington D.C. area. Teaching essential concepts and principles concerning the politics and economics of transatlantic relations is the central purpose of the case series. Each case explores its particular topic as a specific instance of more general patterns of conflict and cooperation between the European Union and the United States. European integration, EU and U.S. policymaking, and their consequences for transatlantic conflict and negotiation are thus basic themes in the series. The multiplicity of layers of policy authority on each side of the Atlantic, and shifts in the location of that authority, also feature prominently in these cases. Each case thus conveys information on specific problems in order to provide a factual foundation for students to discuss broader principles as well as the particular policy dispute. These cases are written to assist instructors of upper-level undergraduate and graduate courses in government, business and economics in general and are configured for courses in International Relations, Foreign Economic Policy and European studies in particular. We welcome your feedback on the individual cases and the series as a whole. C. Randall Henning Copyright Policy Permission to use, copy, and distribute this case or excerpts from this case is granted provided that (1) this copyright and permission notice appears in all reproductions (excerpts of up to two paragraphs need only reference the case in full); (2) use is for noncommercial educational purposes only; (3) the manual or excerpts are not modified in any way; and (4) no figures or graphic images are used, copied, or distributed separate from accompanying text. Requests beyond that scope should be directed to the Executive Director of the American Consortium on European Union Studies (ACES).
  3. 3. 1 Introduction The regulation of data privacy, or the ways in which governmental agencies, firms, and other organizations are permitted to collect and use personal information, has emerged as a key source of transatlantic tension in recent years. Historically the US and the European Union (EU) have followed very different paths to the regulation of this information. The US regulates governmental use of personal information more heavily than that by the private sector, which is largely self-regulated, although certain sensitive sectors such as health care and financial services are more stringently regulated. The EU, in contrast, regulates data privacy more comprehensively, with equal treatment given to public and private uses of personal information and with significant enforcement capabilities at the member-state level. These differing regulatory frameworks came into conflict in the late 1990s, when member states began implementing the EU Directive on Data Protection, which prohibits the transfer of personal information to countries lacking “adequate” data protection laws. Because the US approach of self-regulation by the private sector was expected to fail the EU’s adequacy test, the Directive was projected to cause significant harm to the $350 billion transatlantic trading relationship.1 One study estimated that it would initially cost US companies with transatlantic operations as much as $36 billion to comply with the Directive.2 US companies without a physical presence in Europe but with European customers, such as Internet companies, faced greater potential threats. Even companies that had high standards for data privacy, the White House and some firms believed, might have been blocked from selling their goods and services to individuals in Europe if the EU deemed US law to be inadequate.3 After several years of often-fractious negotiations, the US and EU agreed in 2000 to an innovative solution to this conflict. The “Safe Harbor” arrangement guarantees that US companies abiding by a series of requirements are considered in compliance with the Directive, even as the Working Party has found the US to have inadequate data protection laws.4 Safe Harbor thus can be conceived as a bridge between two very different regulatory frameworks, one that adheres to the US commitment to self-regulation by the 1 1999 estimate (see http://www.useu.be/SUMMIT/daley0500.html). In 2003, transatlantic trade measures over $500 billion. 2 Hahn (2001). This estimate is considered inflated by Swire (2001) and Heisenberg (2003). Swire (2001) argues that it is difficult to create a “useful estimate” of the costs of compliance with the Directive, and he asserts that the Hahn study is flawed for a number of reasons, including: 1) it does not create an adequate baseline of companies’ privacy initiatives in the absence of legislation; and 2) it assumes similar compliance costs for large and small companies. Heisenberg (2003) finds few costs to businesses in her telephone interviews with 30 US companies. 3 EU authorities, however, saw the Directive as having a much less dramatic impact, and they emphasized that US companies could remain in compliance with the Directive if they abided by certain privacy requirements. See Rodota (2001). 4 On January 26, 1999, the Article 29 Working Party found that, “the current patchwork of narrowly- focussed sectoral laws and voluntary self-regulation [in the US] cannot at present be relied upon to provide adequate protection in all cases for personal data transferred from the European Union.” See European Commission (1999). 1
  4. 4. 2 private sector, but which meets EU requirements by embedding private sector enforcement within a larger regulatory framework.5 Despite this arrangement, however, key concerns linger on both sides of the Atlantic. The EU’s concerns center on Safe Harbor’s enforcement. Only 384 US companies have signed up for Safe Harbor as of August, 2003, far fewer than the thousands of US companies engaging in transatlantic trade.6 Also, many of the companies that have signed up are not meeting all of Safe Harbor’s requirements, and the US government to date has not prosecuted any of these companies for their failure to comply.7 For the US, concerns lie primarily with those sectors not covered by Safe Harbor, such as financial services, telecommunications, and not-for-profit organizations. The US wants European data protection authorities to hold off on enforcing the Directive on these companies until a bilateral agreement regarding their fate can be reached. Safe Harbor is not a treaty or legally binding agreement, so it is possible for the parties to renegotiate or withdraw from the arrangement at any time. The institutional structure for establishing data privacy regulation differs across the Atlantic. For the EU, the supervisory authorities that are responsible the enforcement of the Directive in the member states are represented in the Article 29 Working Party. The Working Party meets regularly to recommend to the European Commission any changes to Safe Harbor, including potentially outright withdrawal from the arrangement. For the US, the decision-making power over the future of Safe Harbor is scattered among a number of governmental agencies, including the Department of Commerce and the Federal Trade Commission, which together are largely responsible for the enforcement of Safe Harbor, and those agencies responsible for companies in the excluded sectors, such as the Treasury Department, which oversees substantial parts of the financial services sector. But these US agencies and the EU data protection authorities must also work to satisfy the divergent interests of different domestic groups within the US and Europe, including firms that tend to favor less stringent privacy regulation and non-governmental organizations (NGOs) that for the most part press for strict enforcement of such regulation. This case considers the sustainability of the Safe Harbor arrangement. The first section discusses the relevance of domestic regulations for international trade and investment. The second section connects general concepts regarding domestic regulation and trade with the EU Directive. The third section provides a more detailed discussion of the differences in how the EU and US regulate personal information, with particular attention paid to the Directive and its potential impact on US companies. The fourth and fifth sections offer a chronology of the events leading up to the Safe Harbor arrangement and an analysis of the arrangement itself, including the concerns about Safe Harbor on both sides of the Atlantic. Finally, some concrete examples and questions for discussion are offered. 5 See discussion in Farrell (2003). 6 Figure taken from the US Department of Commerce’s Safe Harbor site at www.export.gov/safeharbor 7 European Commission (2002). 2
  5. 5. 3 Domestic Regulation and International Trade and Investment Governments regulate the activities of firms and other organizations within their borders so as to satisfy the demands of their domestic constituencies. The scope and breadth of such regulations have increased substantially in recent decades, particularly in developed countries where groups that press for such regulations are better organized and able to influence policy. Regulations can vary both in terms of issue area, from environmental protection to labor standards to food safety, and in terms of the stringency of the regulation. Because they respond to different economic circumstances and different constituencies, regulatory regimes often differ substantially from country to country. Differences in national regulatory regimes cause relatively few problems in the absence of significant trade and investment. But when goods, services, labor and investment cross borders, differences in domestic regulation can cause conflict between governments. One government might block the importation of an automobile or food item owing to failure to meet a health or safety requirement that does not apply abroad, for example, raising the objections of trading partners. While usually serving legitimate health and safety needs, such requirements have sometimes been used as pretexts for protecting domestic firms and industries. “Regulatory conflict” refers to such clashes between governments over domestic regulations. Differences in regulation can also affect the choices and strategies of multinational corporations and the flow of foreign direct investment. Generally preferring weaker to stronger regulatory regimes, firms might well choose to locate in countries where the cost of adhering to regulations is low. The process of selecting the more favorable jurisdiction, and playing one government off against another in the process, is labeled “regulatory arbitrage.” In a desire to retain or attract foreign direct investment, governments might ease regulatory requirements. When this process causes a general easing of regulations, it is sometimes referred to as a “race to the bottom.” In principle, there are at least three ways in which countries can ease regulatory conflict and reduce associated barriers to trade and investment: harmonization, mutual recognition, and national treatment (see Figure 1).8 Harmonization involves the adoption of identical regulations within different countries. Under mutual recognition, countries maintain different regulatory frameworks for products and services produced domestically but agree to recognize the other country’s regulations for products and services imported from that country. The EU Single Market, for example, is founded on harmonization of minimum standards and the principle of mutual recognition. National treatment is where each country maintains its own domestic regulatory framework but refrains from imposing more stringent regulations on imported products and services. Each of these paths to bridging regulatory frameworks, particularly that of harmonization, involves substantial bargaining, with each government generally preferring that others make the greater adjustment in frameworks. 8 This paragraph draws extensively from Shaffer (2002), pp. 5-8. There is also some precedence for partial delegation of decision-making authority to private entities. 3
  6. 6. 4 Figure 1: Methods of Bridging Domestic Regulations Harmonization Creation of identical regulations across borders Mutual Recognition Agreement to recognize another country’s regulations as valid National Treatment Agreement not to impose more stringent regulations on firms from other countries But bridging domestic regulatory frameworks can prove difficult in that governments must first respond to domestic pressures on regulation – pressures that are often rooted within a country’s unique historical experience and culture. This difficulty is compounded by the fact that domestic pressures are heterogeneous, with NGOs typically pressing for more stringent regulations and the private sector advocating leniency. On the one hand, NGOs worry principally about a “race to the bottom.” On the other hand, firms are generally concerned with a “Balkanization” of domestic regulatory frameworks that conflict with one another and may not be readily transparent. These companies tend to favor harmonization to reduce the costs of compliance, but they worry about a “race to the top,” where the pressures from trade unions, advocacy groups and NGOs push countries to raise their domestic regulations to the highest common denominator.9 Companies are particularly resistant to new regulation in areas such as data processing, the technology for which is developing so rapidly that policymakers are unlikely to be able to conceive fully the impact of the regulation.10 In the case of the transatlantic relationship, many regulatory differences have been bridged through a policy of mutual recognition. A key example of such efforts is the 1997 US-EU Mutual Recognition Agreement (MRA). The MRA covers six separate areas: telecommunications equipment, electromagnetic compatibility, electrical safety, recreational craft, medical devices, and pharmaceutical goods manufacturing. A distinct agreement exists for each of these sectors, with defined categories and lists of products, and significant conditions under which each country recognize the other’s domestic regulations.11 Where bilateral agreement is not possible, countries may turn to the WTO’s Agreement on Technical Barriers to Trade, first negotiated during the Tokyo Round in the 1970s.12 This agreement recognizes that countries have the right to set and enforce their own domestic regulations, particularly those pertaining to health or protection of the environment or to meet other consumer interests. Nonetheless, domestic regulations, especially those enforced arbitrarily, can also be used as an excuse for protectionism. The agreement encourages countries to rely on “international standards” where 9 See a discussion of this debate on the race to the bottom in Kahler (nd). Also see Murphy (2004). 10 See discussion in Mann, Eckert, and Knight (2000). 11 See Shaffer (2002). 12 See a description of the Agreement on Technical Barriers to Trade at http://www.wto.org/english/tratop_e/tbt_e/tbt_e.htm 4
  7. 7. 5 appropriate but in no way requires them to change their domestic regulations as a result. The details of the agreement center on a “code of good practice” to adopt and enforce domestic regulations, including the discouragement of any methods that give domestically produced goods and services an unfair advantage. Data Protection as an International Trade Issue The EU Directive on data privacy seeks to regulate an area of business that has grown exponentially in size and importance in recent years: information management. With the advent of increasingly efficient and powerful computer and telephone networks, companies now collect and process billions of bits of data in order to maintain their inventories, manage their customer accounts, market their goods and services, attract corporate investors, and administer their workforce’s human resources needs. Much of this data crosses borders, as companies today often outsource key elements of the value- added chain, such as production and telemarketing and customer relations. But these transfers of information raise concerns as to the protection of personal privacy with respect, for example, to name, social security number, date of birth, marital status, ethnicity, religion, purchasing history, and Web sites visited.13 The EU Directive on data privacy seeks to control which entities receive such information and what they do with it. Whether the Directive constitutes a violation of WTO rules, however, is somewhat vague. On the one hand, the Directive more directly impacts international trade and investment than other kinds of domestic regulations because, in addition to regulating the privacy practices of companies operating in Europe, it also affects companies with customers but not physical operations in Europe. Moreover, the Directive has the potential to limit the ability of European companies to outsource those aspects of their operations having to do with the processing of personal data to companies in non-EU countries. This can put non-EU companies that specialize in offering such services at a competitive disadvantage, not just in the US but also in other countries deemed by the EU to have inadequate data protection laws. Following this rationale, the US could bring a dispute before the WTO, arguing that the most-favored-nation principle in Article II of the General Agreement on Trade in Services (GATS) prohibits the EU from discriminating against third countries. Here the US would need to offer evidence that the EU was treating the US differently than other countries in terms of the regulation of personal information flows.14 But on the other hand, the Directive does not appear to violate the second general principle of the GATS, that of national treatment, located in Article XVII of the agreement, since companies within the EU are also required to comply with the Directive. Also, importantly, there exists in the GATS a specific exception for data protection. Article XIV of the GATS states: 13 Swire and Litan (1998), p. 1. 14 See discussion in Swire and Litan (1998) and Lukas (2001). 5
  8. 8. 6 Nothing in this Agreement shall be construed to prevent the adoption or enforcement by any Member of measures…c) necessary to secure compliance with laws or regulations which are not inconsistent with the provisions of this Agreement including those relating to…ii) the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.15 This exception for data protection would seem to suggest the Directive does not constitute a violation of WTO rules. But the exception is subject “to the requirement that such measures are not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade in services.”16 Thus in the enforcement of the Directive if the EU treats US companies differently from its own companies, it could indeed be in violation of the national treatment principle under Article XVII of the GATS. Without specific case law on data protection, it is unclear whether the Directive constitutes a violation of WTO rules. Given this lack of clarity, and also the political costs of taking such a high-profile case before the WTO, the US and EU have worked bilaterally to forge a compromise between two very different data protection regimes. The resulting Safe Harbor arrangement is similar to the US-EU Mutual Recognition Agreement in that it involves recognizing the privacy practices of US firms as providing adequate data protection. Importantly, though, it is the firms themselves, rather than the US as a whole, that are covered by the adequacy finding. Those firms wanting to join Safe Harbor must first agree to abide by a series of requirements negotiated jointly by the US and EU in order to comply with the Directive. Safe Harbor thus can be conceived as a compromise between the US’s resistance to implement the Directive in its domestic regulation and the EU’s desire to ensure that companies cannot circumvent the Directive by transferring personal data to countries outside the EC’s jurisdiction. But the arrangement is not without its critics, foremost among them industry trade associations and conservative research groups such as the Cato Institute, which claim that the EU is engaging in an extraterritorial application of domestic law.17 On the other side are numerous privacy and consumer protection groups, such as Electronic Privacy Information Center and the Public Interest Research Group, that would prefer to see more stringent protection of privacy in US law.18 Privacy Regulation in the EU and US 15 Quoted from Swire and Litan (1998), p. 191. 16 Quoted in Swire and Litan (1998), p. 191. 17 Lukas (2001). It is interesting to note than many industry associations that were quite vocal against the Directive, such as the US Chamber of Commerce, have remained relatively quiet about Safe Harbor, perhaps because these associations recognize the political difficulty in negotiating a better deal than Safe Harbor. 18 Shaffer (2002), p. 26. 6
  9. 9. 7 Historically the EU and US have followed very different paths to the regulation of data privacy. Whereas the US has relied predominantly on self-regulation by the private sector, the EU has moved toward greater and more centralized privacy regulation and enforcement. These differing approaches to privacy regulation can be seen as a reflection of unique historical experiences and cultural preferences. The US has embraced a much narrower definition of privacy, so that personal-level marketing by US companies is now commonplace and for the most part accepted.19 In Europe, by contrast, privacy is conceived of much more expansively. 20 EU Regulatory Framework Initially regulation of data privacy in the EU was quite decentralized. The first data protection statute was implemented in the German state of Hesse in 1970, and the first law at the national level was in Sweden in 1973. This decentralization of data protection led to a patchwork of differing and sometimes conflicting legal frameworks among the EU member states. For example, Germany and France by the 1990s had some of the most stringent data protection laws in Europe, but these laws functioned very differently from one another. In France, a national-level data protection agency was established, which had significant authority to monitor French companies for compliance with national regulation. In Germany, in contrast, enforcement responsibilities on data protection were more disaggregated, divided among local and national officials.21 These differing data protection regulations soon became the source for a number of trade disputes among the EU member states. One example was when the French subsidiary of Fiat was prohibited from transferring customer and employee data to the company’s headquarters in Italy, because Italy at the time lacked any data privacy laws. Such transfers were permitted only when Fiat Italy agreed to sign a data protection contract in which Fiat Italy promised to handle the personal information from Fiat France in accordance with French data protection laws.22 Starting at the European Parliament, and with the leadership of French, German, and Swedish officials, momentum began to build in the late 1980s to harmonize European data protection laws upward to the more stringent levels set by these three states.23 Such an initiative was seen as natural corollary to the EU’s central mission to extend and deepen economic integration among the member states. 19 There is some evidence of a change in attitude within the US about the extent to which private companies should be allowed to market their goods and services to individuals, with the recent legislation surrounding the federal “do-not-call” lists that prohibit telemarketers from contacting individuals if they have previously indicated they do not wish to receive such calls. 20 It is interesting to note that certain countries, like Canada, are embracing the EC’s model of centralized regulation of data privacy. See the Web site of the Privacy Commissioner of Canada at http://www.privcom.gc.ca/legislation/index_e.asp. 21 Swire and Litan (1998), pp. 22-3. 22 See discussion in Newman (2003). 23 Despite the fact that the Directive centralizes the protection of data privacy within the EU, some disagree as to whether true harmonization of domestic data protection regulations among EU member states has indeed taken place. See Newman (2003). 7
  10. 10. 8 The European Commission was initially reluctant to take on the issue of data protection, but mounting pressure from data protection authorities within the member states and also European firms that objected to the “Balkanization” of data protection laws across Europe persuaded Commission officials that data privacy was indeed an important issue to be addressed.24 On the basis of a Commission proposal, the EU adopted in 1995 Directive 1995/46/EC: “on the protection of individuals with regard to the processing of personal data and on the free movement of such data.”25 Article 1 of the Directive treats privacy as a basic human right. Articles 2-4 states that the Directive covers all processing of all personal data except for matters related to public security and criminal law. It prohibits the processing of personal information unless the individual has been informed and “unambiguously” gives their consent. Article 8 specifies that information subject to the most stringent controls are “personal data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and processing of data concerning health or sex life.” Enforcement of the Directive exists on multiple levels. Articles 12 and 28 of the Directive stipulate that individuals be granted the right to obtain copies of data collected about them and have that data corrected or their use enjoined. It also obliges EU member states to provide a judicial remedy when infringement of privacy has taken place; this remedy includes the right to receive damages. Article 28 further stipulates that each member state designate an independent public authority to monitor application of the Directive. These authorities have the power to block, erase, or destroy data, to impose a temporary or permanent ban on data processing, and to engage in legal proceedings against violators. These authorities are represented in the Working Party, an independent advisory body established by Article 29 of the Directive. Whereas the majority of the Directive is aimed at companies operating within the EU, Articles 25 and 26 concern the transfer of personal data outside of the EU. At the time the Directive was being drafted, the Commission was concerned that European companies could circumvent the Directive by transferring personal information on their customers outside of Europe. The Directive could also give an advantage to non-EU companies in the provision of data processing services, such as the mining of customer data for marketing purposes, as non-EU companies were not subject to the Directive’s requirements. Article 25 of the Directive addresses this concern. It prohibits the transfer of personal information collected in the EU to countries without “adequate” data protection laws. If the EU finds that a third country does not ensure adequate protection, member states are required to take those measures necessary to prevent any transfer of personal data to the country in question.26 Article 26 lists some exceptions to the Article 25 adequacy requirement. For example, it allows data transfers to non-EU states if the individual has given his or her “unambiguous consent.” Transfers are also possible if the company has implemented “appropriate” 24 See discussion in Newman (2003). 25 The next two paragraphs draw extensively on the analysis of the Directive by Shaffer (2002), pp. 28-9. 26 Swire and Litan (1998), pp. 31-2. 8
  11. 11. 9 safeguards in the form of approved contractual provisions between the customer and the company (also known as the “model contract” provisions).27 The legislation set a 1998 deadline for member states to integrate the Directive in their national laws. But 11 of the 15 EU members missed that deadline, and as of fall 2002, two member states – France and Ireland – still had not yet adopted legislation to implement the Directive, and the Commission began enforcement proceedings against them.28 Nonetheless, the Commission recognizes that France and Ireland already have in place national laws that for the most part conform with the Directive, although these laws need to be amended to address questions of transborder data flows and other specific aspects of the Directive.29 The protection of personal information in Europe is further stressed in the Charter of Fundamental Rights, signed in December 2000 by the European Parliament, the Council, and the Commission. Articles 7-8 of the Charter reaffirm privacy as a basic human right. Article 7 states that, “Everyone has the right to respect for his or her private and family life, home and communications.” Article 8 states that, “Everyone has the right to the protection of personal data concerning him or her,” and that, “Compliance with these rules shall be subject to control of an independent authority.”30 US Regulatory Framework The US regulation of data privacy is fundamentally different from that of the EU, in that there is no single, comprehensive privacy law, nor does there exist a single government agency charged with administering privacy law.31 Many of the original privacy laws in the US were aimed at regulating governmental use of personal information, as opposed to use by the private sector. For example, the Privacy Act of 1974 stipulates that personal information cannot be shared between governmental agencies. And the Freedom of Information Act allows citizens to learn what information the government has collected on them.32 Private use of personal information, by contrast, was largely unregulated. More recently the national government has started to regulate private sector use of personal information in those sectors deemed to handle the most sensitive information. Among these sectors more heavily regulated include health care, with the Health Insurance Portability and Accountability (HIPPA) Act of 1996, and financial services, with the Financial Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act). There are also more stringent regulations on the use of personal information on children, particularly that collected over the Internet. The Children’s Online Privacy Protection Act (COPPA) of 2000 strictly controls the information that can be collected over the Internet from children under the age of 13. 27 Rodota (2001). 28 Korff (2002), p. 1; and Wiley, Rein, and Fielding LLP (2003). 29 Korff (2002), pp. 1-2. 30 See discussion in Rodota (2001). 31 Swire and Litan (1998), p. 2. 32 See discussion in Swire and Litan (1998), p. 7. 9
  12. 12. 10 Depending on the sector, a number of federal agencies are responsible for enforcing these different privacy laws. The Department of Health and Human Services is charged with enforcing HIPPA, the Department of Treasury with Gramm-Leach-Bliley, and the Federal Trade Commission with COPPA. The Federal Trade Commission is also responsible for enforcing the promises private sector companies make to their customers regarding the use of their personal data (under Section 5 of the Federal Trade Commission Act), and it oversees the multiple Consumer Reporting Agencies, which gather and sell personal credit information, under the Fair Credit Reporting Act.33 In this sense, the FTC has the broadest enforcement powers on US privacy laws, but – like the privacy laws themselves – these powers are limited to particular sectors, segments of the population, or types of personal information. The Road to Safe Harbor The US government began raising objections to Article 25 of the Directive when EU member states began to implement the Directive in the mid- to late-1990s. Because of the marked differences in approach to the regulation of privacy on the two sides of the Atlantic, it was widely anticipated that the US would not meet the EU’s adequacy test. This was confirmed by the Article 29 Working Party in January of 1999: “the current patchwork of narrowly-focussed sectoral laws and voluntary self-regulation [in the US] cannot at present be relied upon to provide adequate protection in all cases for personal data transferred from the European Union.”34 The significance of the Directive, as understood by the US business community, was that US companies could be barred from selling goods and services to their European customers. Lending credence to this understanding was a widely cited study from the Brookings Institution that argued the impact from the Directive on transatlantic trade could be substantial.35 One senior Clinton administration official, Ira Magaziner, who was in charge of US electronic commerce policy, threatened to take the case before the WTO: “In general, we in the US don’t recognize an extra-territorial attempt to shut down the electronic flow of data between countries. According to principles of international trade, I think that’s a violation of WTO rules.”36 But the exception for the processing of personal data in the WTO’s General Agreement on Trade in Services (GATS), as described above, created uncertainty as to whether the US could indeed argue such a case successfully before the WTO. As a result, and also as a consequence of the policy fragmentation on privacy protection within the US, it took a number of years after the Directive was passed in 1995 for the Clinton administration to devise a coherent plan of action.37 33 Federal Trade Commission (2003). 34 European Commission (1999). 35 Swire and Litan (1998). For more on the lobbying efforts of US companies on the Directive, see Regan (1999). 36 Shaffer (2002), footnote #171, p. 35. 37 The author thanks Henry Farrell for this insight. 10
  13. 13. 11 This plan centered on bilateral negotiations with the EU to bridge the different regulatory frameworks. Negotiations took place over the course of two years, and initially there appeared no chance of an agreement. The EU wanted the US to introduce domestic legislation to protect the privacy of personal information collected in Europe and transferred to the US. The US was unwilling to do so and wanted the EU to instead recognize its existing regulatory framework as meeting the EU’s adequacy test.38 As one EU official described the resulting tension: There was a lot of angst around that this could spin out of control. There weren’t any obvious solutions here; it was very black and white in the beginning, the [EU] comprehensive legislative approach and the piecemeal self-regulatory approach in the US.39 A breakthrough in the impasse came in January 2000, when US Undersecretary for Commerce David Aaron suggested a “safe harbor” arrangement, whereby US companies meeting a set of previously-agreed requirements could be found in compliance of the Directive, even if the US did not meet the EU’s adequacy test. Inspiration for such an arrangement came from US tax law, under which companies complying with certain requirements can sometimes qualify for tax exemptions. According to Aaron: I thought…well if we couldn’t get the country to be considered “adequate,” maybe what we could get considered adequate are the companies. And that if we could set up some kind of a regime that could have an adequacy finding for a system, not for a whole country’s law and regimes, and so the word just popped into my head, as describing Safe Harbor.40 The resulting Safe Harbor arrangement, announced just a few months later, was based largely on the OECD’s non-binding privacy principles, signed by both the US and EU in 1998. Safe Harbor also involved major concessions on the part of both the US and EU. The EU agreed that private-sector privacy seal programs such as TRUSTe and BBBonline, widely used in the US as a means of self-enforcement, could play a major role in monitoring compliance with Safe Harbor. It also agreed to a moratorium on enforcement of the Directive until Safe Harbor was in operation for at least one year, so that US companies had time to come into compliance with the Safe Harbor requirements. The US agreed to embed the activities of these private-sector privacy groups within a larger regulatory framework, with signatory companies subject to enforcement action by the US Federal Trade Commission (FTC) and, in certain cases such as the use of human resources information, even by EU data protection authorities directly.41 The European Commission officially approved the Safe Harbor arrangement as meeting the adequacy test laid out in Article 25 of the Directive. Then, in July 2000, the 38 See Farrell (2003), pp. 290-2. 39 Ibid, p. 292. 40 Ibid, p. 292. 41 Ibid, p. 296. 11
  14. 14. 12 European Parliament rejected Safe Harbor in a 279-259 vote, claiming that it “does not go far enough to protect Europeans’ personal privacy because the US regulatory regime is fundamentally weak.”42 But the Commission argued that the Parliament had no statutory authority to veto the terms of the deal, and held that the Safe Harbor provisions represented “adequate” data protection.43 As Commission spokesman Gerard de Graaf commented: “We don’t think going back to the United States and trying to negotiate improvements is achievable. The European Commission will take the Parliament seriously, but at the same time, it will be careful to see its powers maintained.”44 The Safe Harbor Arrangement The Safe Harbor arrangement, approved by the Commission in July of 2000, allows US companies to comply with the Directive, even though the Commission has found that US data protection laws do not meet the Directive’s adequacy requirement. Essentially, the arrangement encompasses the US framework of self-regulation by the private sector and embeds it within the EU framework of regulation.45 In the words of former Undersecretary Aaron, who led negotiations on Safe Harbor for the US: “The essence of the deal was that we accepted high standards and they accepted self-regulation.”46 Importantly, Safe Harbor is not a treaty or executive arrangement that applies the EU Directive in the US. Rather, it is an arrangement that US companies are invited to join on a voluntary basis so that they can avoid possible enforcement action by the EU data protection authorities when handling the personal information of their European customers.47 To join Safe Harbor, a US company must agree to abide by seven privacy principles: 48 1. Notice: Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure. 2. Choice: Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For 42 “US-EU Data Privacy Deal Panned,” The Industry Standard (July 6, 2000), online edition (downloaded July 8, 2003). 43 Aaron (2001). 44 “US-EU Data Privacy Deal Panned,” The Industry Standard, 6 July 2000. 45 Farrell (2003), p. 296. 46 Aaron (2001). 47 Aaron (2001). 48 The seven principles are quoted from US Department of Commerce (2003). 12
  15. 15. 13 sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual. 3. Onward Transfer (Transfers to Third Parties): To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it makes sure that the third party subscribes to the safe harbor principles or is subject to the Directive or another adequacy finding. As an alternative, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles. 4. Access: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. 5. Security: Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction. 6. Data integrity: Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current. 7. Enforcement: In order to ensure compliance with the safe harbor principles, there must be (a) readily available and affordable independent recourse mechanisms so that each individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by the organization. Organizations that fail to provide annual self-certification letters will no longer appear in the list of participants and safe harbor benefits will no longer be assured. US companies joining Safe Harbor must certify their compliance annually with these seven privacy principles in writing to the US Department of Commerce. There are two 13
  16. 16. 14 ways in which a company can certify their compliance: 1) by joining a private-sector privacy seal program such as TRUSTe or BBBonline that enforces compliance with the privacy principles; or 2) by developing its own self-regulatory privacy policy that conforms to the seven Safe Harbor principles.49 As part of the self-certification process, companies must also declare whether or not they are willing to be subject to investigation by EU data protection authorities.50 The Department of Commerce maintains a list of all companies filing self-certification letters and publishes that list on its Web site.51 A central component of the Safe Harbor arrangement is public declaration by US companies that they are in compliance with the Safe Harbor requirements. Companies must state in their privacy policy statements that they adhere to Safe Harbor. Public declaration of compliance with Safe Harbor allows for the US Federal Trade Commission to take enforcement action against companies that join Safe Harbor but are not in compliance, as the FTC can prosecute companies for giving false information to their customers under Section 5 of the FTC Act. As explained by the FTC: A key part of the Commission's privacy program is making sure companies keep the promises they make to consumers about privacy and, in particular, the precautions they take to secure consumers' personal information. To respond to consumers' concerns about privacy, many Web sites post privacy policies that describe how consumers’ personal information is collected, used, shared, and secured. Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers’ personal information.52 By joining Safe Harbor, US companies can ensure their compliance with the EU Directive. All 15 member-states of the European Union are bound by the Commission’s decision that Safe Harbor meets the adequacy test set forth in Article 25 of the Directive. As such, member states cannot block data transfers to US companies that have joined Safe Harbor. Furthermore, claims brought against US companies will, except for certain limited exceptions, be heard in US court. For these reasons, the US Department of Commerce maintains that Safe Harbor represents a “simpler and cheaper” means of complying with the Directive than parallel means of compliance, such as the model contract provisions.53 49 US Department of Commerce (2003). 50 An informal review of the Safe Harbor certifications, as posted on the Department of Commerce’s Web site, reveals that most companies answer in the affirmative to the question: “Do you agree to cooperate with the EU Data Protection Authorities?” However, some large companies, including Amazon.com, answered that they do not agree to cooperate. Cooperation with EU data protection authorities is a requirement to join Safe Harbor if the company handles human resources data. See www.export.gov/safeharbor/FAQ5-DPAFINAL.htm. 51 See www.export.gov/safeharbor. 52 See http://www.ftc.gov/privacy/privacyinitiatives/promises.html. 53 See US Department of Commerce (2003). 14
  17. 17. 15 Implementation of the Safe Harbor Arrangement In the first years of Safe Harbor, US companies have been somewhat slow to certify their compliance with the arrangement. As of July 2001, fewer that 50 companies had joined Safe Harbor, and this number has increased to only 384 companies as of August 2003. The slow sign up rate among US companies has not gone unnoticed by EU authorities. As Stefano Rodota, Chairman of the Article 29 Working Party has commented, “It is to be hoped that the number [of US companies joining Safe Harbor] will increase, after all the commendable efforts that were deployed on both sides to secure the deal.”54 There are a number of possible explanations for the slow uptake among US companies.55 First, companies can only certify with Safe Harbor once their data collection and dissemination procedures are in compliance with the seven privacy principles. This can involve considerable reengineering of information systems, the creation of new internal policies, and the training of personnel. Second, many companies had been waiting until the Article 29 Working Party developed the “model contract” provisions, which are a parallel means for US companies to comply with the Directive. Once it became clear that the model contract provisions were in fact more stringent than the Safe Harbor principles, it increased the likelihood that US companies would join Safe Harbor. Finally, the US and EU had agreed to a one-year moratorium on enforcement of the Directive, so there was perhaps less of an incentive to join Safe Harbor in the early months of the arrangement. But the Article 29 Working Party has concerns beyond the slow sign up rate.56 Indeed, the Working Party has found that a “substantial number” of the Safe Harbor companies are failing to provide transparency in their privacy policies, one of the basic Safe Harbor principles. And fewer than 50% of the Safe Harbor companies are complying with all seven required principles.57 The Working Party is also concerned with the willingness of the FTC to enforce the accuracy of US companies’ privacy policies, one of the central components of the Safe Harbor arrangement. The FTC has launched formal inquiries into a number of online companies for their domestic privacy practices, including Amazon and RealNetworks, on allegations they were secretly collecting personal data from their customers and transmitting that data to third parties. But despite finding that some of these companies were engaging in deceptive data collection practices, the FTC has decided not to recommend any penalties for these companies.58 Moreover, the Working Party has noted 54 Rodota (2001). 55 This paragraph draws extensively from Shaffer (2002), pp. 33-4. 56 See European Commission (2002). 57 Reidenberg (2002). 58 “Amazon, Subsidiary Face Privacy Lawsuits, FTC Inquiry,” ComputerWorld (February 14, 2000), online edition; “RealNetworks Faced With Second Privacy Suit,” CNET News (November 10, 1999), online edition; “FTC Staff Slaps Amazon’s Wrist in Second Data Privacy Dispute,” ComputerWorld (May 30, 2001), online edition. 15
  18. 18. 16 that the FTC has not yet pursued any company for making false claims in its self- certification under the Safe Harbor program.59 The US has a number of concerns of its own, namely the fate of US companies in those sectors not included in the original Safe Harbor arrangement, such as financial services, telecommunications, and not-for-profit organizations. The decision to exclude these sectors came about largely because the FTC lacks enforcement authority over them. The Treasury Department, for example, is responsible for enforcing federal regulation on large parts of the financial services sector. For the telecommunications sector, it is thought that additional rulemaking may be required for the Federal Communications Commission to enforce an arrangement like Safe Harbor. And the not-for-profit sector in the US is largely regulated at the state level, with little federal enforcement capacity. A second reason why the financial services sector was excluded from Safe Harbor was because, during the Safe Harbor negotiations, the US Congress was in the process of adopting the Gramm-Leach-Bliley Act, which imposes privacy obligations on financial services companies. US and EU negotiators decided to wait on the outcome of this legislation, with US negotiators reserving the possibility that it could meet the Article 25 adequacy test.60 Now that Gramm-Leach-Bliley is in place, the US wants to resolve the fate of US financial services companies under the Directive. It also wants data protection authorities from the member states to hold off on enforcing the Directive on companies in the excluded sectors until bilateral agreement on the fate of these companies can be reached. Also, there is some difference of opinion between the US and EU as to whether the Safe Harbor arrangement applies to Internet transactions, such as digitally delivered music, with the US arguing that it does, and the EU arguing that it does not. Attitudes within both the European Union and United States toward data protection are evolving. The United Kingdom, Sweden, Finland, and Austria have filed complaints with the European Commission, for example, arguing that the Directive imposes one- size-fits-all data protection requirements despite varying degrees of privacy risk.61 These complaints suggest that certain EU member states might want to move more toward the US model of privacy regulation, which imposes more stringent standards on those sectors deemed to handle the most sensitive information. Within the US, public opinion is growing in favor of more stringent data protection. For example, in July 2003, a new privacy law – Senate Bill 1386 – went into effect in California; this law requires firms and other organizations to notify California residents when it is believed that personal information stored on computer systems has been disclosed without authorization as a result of a security breach.62 Also, the FTC has found that the self-regulation model employed in the US may not be working as well as expected. In a May 2000 report, the FTC has found that, while 88% of Web sites post 59 European Commission (2002) and Reidenberg (2002). 60 Wiley, Rein, and Fielding LLP (2002). 61 Wiley, Rein, and Fielding LLP (2003). 62 ShawPittman LLP (2003). 16
  19. 19. 17 privacy policies, only 20% are implementing the four information practice principles of Notice, Choice, Access, and Security. And only 41% of sites meet the basic Notice and Choice standards.63 But, even as public opinion and the FTC might be willing to move more in the direction of the EU regulatory model, some US companies and trade associations like the US Chamber of Commerce are actively lobbying against the Directive, claiming that it is an extraterritorial application of European law.64 Impact of the Directive and Safe Harbor: Focus on the Financial Services Sector The US Department of Treasury started negotiations with the Commission on a Safe Harbor arrangement for financial services firms, although these negotiations are now on hold pending changes to regulation of privacy protection in the financial services sector. Financial services companies may not join Safe Harbor as it is currently negotiated, but they may choose one of several parallel means of complying with the Directive, such as through the “model contract” provisions or by obtaining the “unambiguous consent” for the use of personal information. But these parallel means are generally considered more onerous for US firms than what other companies have to do to join Safe Harbor, and so it is perceived to be within the interests of the US financial services sector to have some alternative method to comply with the Directive. The most appealing option for financial services firms is to have the Working Party recognize US domestic regulation – particularly that set forward by the Gramm-Leach- Bliley Act, as described above – as providing adequate data protection. This option would require no further steps for US financial services firms other than to come into compliance with US regulations. A second option is for the Treasury Department to negotiate a separate Safe Harbor arrangement for financial services firms. But such firms would likely resist any further regulation beyond that needed to comply with the Gramm- Leach-Bliley Act. Officially, there exists no moratorium on enforcement of the Directive on the financial services sector. But data protection authorities from the EU member states had indicated that they would be willing to be flexible on issues of enforcement related to the Directive more generally: During the course of our discussions, Member States have demonstrated their willingness to use the flexibility offered by Article 26 of the Directive to avoid interruptions in data flows. The Commission and the Member States have confirmed their willingness to continue to use this flexibility to provide US organisations with an opportunity to decide whether to participate in the "safe harbor" and (if necessary) to update their information processing policies and practices accordingly.65 63 Federal Trade Commission (2000). 64 See Lukas (2001). 65 Letter from John Mogg transmitting the decision regarding the adequacy of data protection under Safe Harbor (15 November 1999). Available at http://www.export.gov/safeharbor/EULetter1199.html. It is interesting to note that this letter is available on the US Department of Commerce’s Web site but not on the 17
  20. 20. 18 The Directive itself has substantial implications for US financial services firms, with or without transatlantic operations. One study by Ernst and Young LLP calculated in 2001 that it would cost the financial services sector at least $16 billion to comply with the Directive; moreover, bank and insurance customers would have to spend an additional 305 million hours annually on managing their personal finances if the Directive was applied to all US customers.66 From the EU perspective, an important issue to be negotiated is that of enforcement, as the FTC has primary responsibility to enforce Safe Harbor, whereas the Treasury Department has enforcement responsibilities for the financial services sector. Possible Scenarios for the Future of Safe Harbor As the EU and the US have key concerns regarding Safe Harbor, it is not likely that the arrangement will persist in its current form over the long term. Nonetheless, given that the concerns on each side of the Atlantic are substantially different from one another – with the EU wanting to strengthen the enforcement of Safe Harbor as it is currently negotiated, whereas the US is interested in expanding Safe Harbor to include previously excluded sectors – a number of scenarios are possible for Safe Harbor’s future. With each scenario, negotiators from the EU and US must work to satisfy the divergent interests of their own domestic constituencies, including firms and NGOs, while at the same time keeping in mind the other side’s political and economic constraints. The first and most extreme scenario, more likely to be initiated by the EU than the US, is to back out of Safe Harbor in its entirety. Safe Harbor is not a formal treaty, so that withdrawal from the arrangement is possible at any time and without prior notice. Such a maneuver would likely satisfy the demands of privacy groups in Europe, which claim that Safe Harbor is a loophole for US companies to circumvent the intent of the Directive to protect personal information collected in Europe. Nonetheless, such a withdrawal does carry significant political ramifications. In particular, it risks the US taking Safe Harbor before the WTO’s dispute settlement panel. Such a move would also likely escalate current transatlantic tensions over issues ranging from Iraq to the International Criminal Court to the Kyoto Protocol, precisely at a time when both the EU and US seem interested in improving transatlantic relations. A second, less drastic, scenario on the part of the EU would be to bolster enforcement of the Directive by working directly with US companies, whether or not they are signatories to Safe Harbor. There is some precedence for such a scenario, as in July, 2002 the Article 29 Working Party initiated a “dialogue” with Microsoft on “legal issues” surrounding the privacy practices related to the company’s Passport program.67 The European Union’s Web site on data protection. Matthew King from the European Commission writes in response to a draft of this case study: “No rights have been abrogated in this regard.” 66 As cited in “EU Privacy Directive Would Cost US Consumers,” Itworld.com, 1 May 2001. Note that the study found similar costs involved in complying with the Gramm-Leach-Bliley Act. 67 This paragraph, including quotes, is drawn from Wiley, Rein, and Fielding (2003b). 18
  21. 21. 19 Passport program allows individuals registering with Microsoft to enter a single password and find their information automatically entered when they browse Web sites participating in the Passport program. The Working Party had found that they “were not convinced that the consent given by [Passport] users was sufficiently informed, freely given and specific” to justify the program’s gathering and sharing of personal information, and they were concerned at the prospect of a “centralized system of personal data storage” located outside the EU. After several months of negotiations, Microsoft agreed to meet the Working Party’s demands and began implementing several changes to its privacy policy and the Passport program. Of concern for the US is that the EU may find it more politically feasible to enforce the Directive on US companies than those located within Europe. A third possibility, originating from the US, would be to bolster its own enforcement of US companies belonging to Safe Harbor, in order to appease the Article 29 Working Party and to facilitate negotiations surrounding Safe Harbor’s expansion. Taking the lead on enforcement likely would be the Federal Trade Commission, as the FTC can prosecute companies for giving false information to their customers, including in their privacy policies, under Section 5 of the FTC Act. Nonetheless, such enforcement would be politically difficult for the US and could be expected to weaken industry’s claims that the Directive and Safe Harbor are an extraterritorial application of EU law on US firms. A more drastic scenario for the United States would be to ignore the complaints of the Article 29 Working Party over the enforcement of Safe Harbor and instead to reserve the possibility of taking the Directive before the WTO’s dispute settlement body. This maneuver, however, would likely forestall any ability on the part of the Department of Treasury to negotiate expansion of the arrangement to financial services firms. It would also create uncertainty for the several hundred firms that have already gone through the requirements to join Safe Harbor, in that the future of the arrangement itself would likely be in doubt. 19
  22. 22. 20 Questions for Discussion 1. Discuss the meaning and dynamics of “regulatory conflict.” In what ways can domestic regulatory regimes differ and how can those differences cause international conflict? What is “regulatory arbitrage” and what drives the “race to the bottom”? When regulatory regimes are in conflict, what might generate a “race to the top”? 2. How do the data privacy regimes of the European Union and United States differ? What is the origin of these differences? 3. How might domestic interests, including firms, non-governmental organizations, and the data protection authorities themselves, have molded EU and US data privacy regimes? What role did European integration play? 4. How well has the Safe Harbor agreement bridged the differences in the two regimes? Has this been a good solution to the conflicts? 5. As the CEO a US company with transatlantic operations, including a physical presence in Europe, what would be your strategy in terms of complying with the EU Directive and the Safe Harbor agreement? How might your strategy be different if you led a company without a physical presence in Europe but with European customers, such as an Internet company? 6. As a European company, do you support more stringent enforcement of Safe Harbor on US companies? Why or why not? How does Safe Harbor improve or injure your competitiveness vis-à-vis firms from other countries? 7. What are the potential ramifications, both politically and economically, if the EU decides to withdraw from Safe Harbor? If the United States ignores certain demands from within the EU for better enforcement of the arrangement? 8. Consider the positions of the EU and US about the future of the Safe Harbor agreement. What are the main concerns of each? What sectors are most affected? Is the Safe Harbor agreement sustainable? What is the most likely scenario for the future and why? 9. Does Safe Harbor represent a good model for bridging domestic regulatory frameworks between countries in other areas, such as protection of the environment or workers rights? What might be the limitations of its applicability? 20
  23. 23. 21 Bibliography Aaron, David L. 2001. “The EU Data Protection Directive: Implications for the US Privacy Debate,” testimony before the House Subcommittee on Commerce, Trade, and Consumer Protection (March 8). European Commission and the United States. 2003. “Joint Statement on Passenger Name Record Transmission Requirements,” available at http://europa.eu.int/comm/external_relations/us/intro/pnr.htm (downloaded July 8, 2003). European Commission. 2002. Staff working paper SEC (2002) 196 on the application of Commission Decision 520/2000/EC…on the adequate protection of personal data provided by the Safe Harbour Privacy Principles (February 13, 2002), available at http://europa.eu.int/comm/internal_market/privacy/docs/adequacy/sec-2002-196/s ec-2002-196_en.pdf (downloaded October 6, 2003). _____. 1999. Opinion 1/99 of the Article 29 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data concerning “the level of data protection in the United States,” adopted January 26, 1999, available at http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/1999/wp15en.pd f (downloaded October 6, 2003). European Parliament and Council. 1995. Directive 1995/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. European Union and the United States. 1997. “Joint EU-US Statement on Electronic Commerce,” available at http://www.qlinks.net/comdocs/eu-us.htm (downloaded July 9, 2003). Farrell, Henry. 2003. “Constructing the International Foundations of E-Commerce: The EU-US Safe Harbor Arrangement,” International Organization, vol. 57, no. 2 (Spring): pp. 277-306. Georgetown University. 2000. “Georgetown Internet Privacy Policy Survey,” available at http://www.msb.edu/faculty/culnanm/gippshome.html (downloaded July 8, 2003). Hahn, Robert W. 2001. “An Assessment of the Costs of Proposed Online Privacy Legislation,” American Enterprise Institute working paper. Heisenberg, Dorothee. 2004. The European Union, the United States, and Data Privacy. Boulder: Lynne Rienner Publishers. 21
  24. 24. 22 Heisenberg, Dorothee, and Marie-Helene Fandel. 2003. “Exporting EU Regimes Abroad: The EU Privacy Directive as Global Standard,” in Sandra Braman, ed., The Emergent Global Information Policy Regime. New York: Palgrave. Kahler, Miles. Date unknown. “Modeling Races to the Bottom,” draft book review. Korff, Douwe. 2002. “Study on Implementation of Data Protection Direction: A Comparative Summary of National Laws,” prepared in consultancy for the European Commission (September). Lukas, Aaron. 2001. “Safe Harbor or Stormy Waters? Living With the EU Data Protection Directive,” Cato Institute’s Center for Trade Policy Studies Trade Policy Analysis (October 30). Mann, Catherine L., Sue E. Eckert, and Sarah Cleeland Knight. 2000. Global Electronic Commerce: A Policy Primer. Washington, DC: Institute for International Economics. Mann, Catherine L. and Sarah Cleeland Knight. 2000. “Electronic Commerce in the World Trade Organization,” in The WTO After Seattle, edited by Jeffrey Schott. Washington, DC: Institute for International Economics. Mann, Catherine L. 2000. “Transatlantic Issues in Electronic Commerce,” Institute for International Economics working paper no. 00-3 (October). Murphy, Dale. 2004. The Structure of Regulatory Competition: Corporations and Public Policies in a Global Economy. Oxford: Oxford University Press. Newman, Abraham. 2003. “Ratcheted-up: The Politics of Personal Information in Europe,” paper prepared for delivery at the Annual Meeting of the American Political Science Association (August 28-31), Philadelphia, PA. Reidenberg, Joel R. 2002. “European Commission Avoids Privacy Dispute with United States,” Privacy Law and Business, vol. 26 (February), available at http:reidenberg.home.sprynet.com/Safe_Harbor.htm (downloaded July 8, 2003). Rodota, Stefano. 2001. “The EU Data Protection Directive: Implications for the US Privacy Debate,” testimony before the House Subcommittee on Commerce, Trade, and Consumer Protection (March 8). Shaffer, Gregory. 2002. “Managing US-EU Trade Relations Through Mutual Recognition and Safe Harbor Agreements: “New” and “Global” Approaches to Transatlantic Electronic Commerce,” European University Institute working paper, RSC no. 2002/28. 22
  25. 25. 23 ShawPittman LLP. 2003. “New California Privacy Law Affects Business Nationwide,” Technology and Business Alert, no. 1 (June). Singleton, Solveig. 2002. “Privacy as a Trade Issue: Guidelines for US Trade Negotiators,” Heritage Foundation’s Economic Freedom Project paper, EFP02-02 (March 18). Swire, Peter P. 2001. “New Study Substantially Overstates Costs of Internet Privacy Protections,” available at http://www.peterswire.net/hahn.html (downloaded October 6, 2003). Swire, Peter P. and Robert E. Litan. 1998. None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive. Washington, DC: Brookings Institution. US Department of Commerce. 2003. Web site on the Safe Harbor agreement, available at http://www.export.gov/safeharbor/ (downloaded April 18, 2003). _____. 1998. Letter to US industry representatives from Undersecretary David Aaron on the Safe Harbor negotiations. Available at http://www.ita.doc.gov/td/ecom/aaron114.html (downloaded July 9, 2003). US Federal Trade Commission. 2003. Web site on privacy initiatives and enforcement. Available at http://www.ftc.gov/privacy/index.html (downloaded July 9, 2003). _____. 2000. Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress. Washington, DC: Federal Trade Commission. White House. 1997. “A Framework for Global Electronic Commerce,” available at http://clinton4.nara.gov/WH/New/Commerce (downloaded July 9, 2003). Wiley, Rein, and Fielding LLP. 2003a. “EU Stays the Course on Data Protection,” Privacy in Focus (June), available at http://www.wrf.com/publications/publication.asp?id=1417196272003 (downloaded July 9, 2003). _____. 2003b. “EU Demands Substantial Changes in Microsoft Passport Data Flows,” Privacy in Focus (February), available at http://www.wrf.com/publications/publication.asp?id=919242262003 (downloaded July 9, 2003). _____. 2002. “Negotiations Begin for US-EU Financial Data ‘Safe Harbor’,” Privacy in Focus (July), available at http://www.wrf.com/publications/publication.asp? id=91612812002 (downloaded July 9, 2003). 23

×