Safe harbours are hard to find: The trans-Atlantic data privacy dispute, territorial jurisdiction and global governance

Review of International Studies

Volumn 30, Issue 1, 2004, Pages

  Kobrin, Stephen J ^a  

^a UNIVERSITY OF PENNSYLVANIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 0742285262     PISSN: 02602105     EISSN: None     Source Type: Journal    
DOI: 10.1017/S0260210504005856     Document Type: Review

References (128)

1. John A. Agnew. Timeless Space and State-Centrism: The Geographical Assumptions of International Relations Theory. In S. J. Rostow, N. Inayatullah and M. Rupert (eds.), The Global Economy as Political Space (Boulder, CO: Lynne Reinner, 1994).
2. Brandon Mitchener, 'Rules, Regulations of the Global Economy are Increasingly Being Set in Brussels', Wall Street Journal On Line, 23 April, 2002, p. 1.
3. Jerry Kang, 'Information Privacy in Cyberspace Transactions', Stanford Law Review, 50 (1998), pp. 1193-294.
4. John Gerard Ruggie, 'Territorially and Beyond: Problematizing Modernity in International Relations', International Organization, 47:1 (1993), pp. 139-74.
5. Hendrik Spruyt, The Sovereign State and Its Competitors (Princeton, NJ: Princeton University Press, 1994).
6. Paul Schiff Berman, 'The Globalization of Jurisdiction', The University of Pennsylvania Law Review, 151 (2002).
7. Berman, 'The Globalization of Jurisdiction', p. 318.
8. Privacy Working Group, Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information, Information Infrastructure Task Force (11 January, 1995 [cited 2002]). Available from 〈http://www.iitf.nist.gov/ipc/ipc-pubs/niiprivprin_final.html〉. 'Identifiable to an individual' has been defined in terms of an authorship relation, descriptive relation, or an instrumental relation. Kang, 'Information Privacy in Cyberspace Transactions'. The EU Data Directive defines an identifiable person is one who can be identified directly or indirectly, by reference either to an identification number or 'one or more', factors specific to his physical, physiological, mental, economic, cultural or social identity'. The Council: Common Position (EC) no. 95. Adopted by the Council with a View to Adopting Directive 94/EC of the European Parliament and of the Council on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (Brussels: European Union, 1995).
9. Privacy Working Group, Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information, Information Infrastructure Task Force (11 January, 1995 [cited 2002]). Available from 〈http://www.iitf.nist.gov/ipc/ipc-pubs/niiprivprin_final.html〉. 'Identifiable to an individual' has been defined in terms of an authorship relation, descriptive relation, or an instrumental relation. Kang, 'Information Privacy in Cyberspace Transactions'. The EU Data Directive defines an identifiable person is one who can be identified directly or indirectly, by reference either to an identification number or 'one or more', factors specific to his physical, physiological, mental, economic, cultural or social identity'. The Council: Common Position (EC) no. 95. Adopted by the Council with a View to Adopting Directive 94/EC of the European Parliament and of the Council on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (Brussels: European Union, 1995).
10. Eli M. Noam, 'Privacy and Self-Regulation: Markets for Electronic Privacy'. In Privacy and Self-Regulation in the Information Age, edited by National Telecommunications and Information Adminstration (Washington, DC: US Department of Commerce, 1997).
11. Privacy Working Group, Privacy and the National Information Infrastructure.
12. Joel R. Reidenberg, 'Resolving Conflicting International Data Privacy Rules in Cyberspace'. Stanford Law Review, 52 (2000), pp. 1315-71.
13. The FTC concludes that 'Most of the sites surveyed, therefore, are capable of creating personal profiles of online consumers by tying any demographic, interest, purchasing behavior, or surfing behavior information they collect to personal identifying information'. Bureau of Consumer Protection, Privacy Online: Fair Information Practices in the Electronic Marketplace (Washington, DC: Federal Trade Commission, 2000).
14. 'The End of Privacy', The Economist, 1 May 1999, pp. 15-16.
15. Julia M. Frumholz, 'The European Data Privacy Directive', Berkeley Technology Law Journal, 15 (2000), pp. 461-84.
16. Sandra J.Milberg, H. Jeff Smith, and Sandra J. Burke, 'Information Privacy: Corporate Management and National Regulation', Organization Science, 11: 1 (2000), pp. 35-57.
17. Agnew, 'Timeless Space and State-Centrism'.
18. Reidenberg, 'Resolving Data Privacy Rules'.
19. This tends not to be the case in Europe. I owe this point to David Post.
20. Barbara Crutchfield George, Patricia Lynch, and Susan J. Marsnik, 'US Multinational Employers: Navigating Throught the "Safe Harbor" Principles to Comply with the EU Data Privacy Directive'. American Business Law Journal, 38 (2001), pp. 735-83; Reidenberg, 'Resolving Data Privacy Rules'.
21. Barbara Crutchfield George, Patricia Lynch, and Susan J. Marsnik, 'US Multinational Employers: Navigating Throught the "Safe Harbor" Principles to Comply with the EU Data Privacy Directive'. American Business Law Journal, 38 (2001), pp. 735-83; Reidenberg, 'Resolving Data Privacy Rules'.
22. Kang, 'Information Privacy in Cyberspace'; David Banisar and Simon Davies, 'Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments', John Marshall Journal of Computer and Information Law, 18 (1999), pp. 1-111; Frumholz, 'The European Data Privacy Directive'; Reidenberg, 'Resolving Data Privacy Rules'; Michael P. Roch, 'Filling the Void of Data Protection in the United States: Following the European Example', Santa Clara Computer and High Technology Law Journal, 12 (1996), pp. 71-96; Peter P. Swire and Robert E. Litan, None of Your Business (Washington, DC: Brookings Institution Press, 1998).
23. Kang, 'Information Privacy in Cyberspace'; David Banisar and Simon Davies, 'Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments', John Marshall Journal of Computer and Information Law, 18 (1999), pp. 1-111; Frumholz, 'The European Data Privacy Directive'; Reidenberg, 'Resolving Data Privacy Rules'; Michael P. Roch, 'Filling the Void of Data Protection in the United States: Following the European Example', Santa Clara Computer and High Technology Law Journal, 12 (1996), pp. 71-96; Peter P. Swire and Robert E. Litan, None of Your Business (Washington, DC: Brookings Institution Press, 1998).
24. Kang, 'Information Privacy in Cyberspace'; David Banisar and Simon Davies, 'Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments', John Marshall Journal of Computer and Information Law, 18 (1999), pp. 1-111; Frumholz, 'The European Data Privacy Directive'; Reidenberg, 'Resolving Data Privacy Rules'; Michael P. Roch, 'Filling the Void of Data Protection in the United States: Following the European Example', Santa Clara Computer and High Technology Law Journal, 12 (1996), pp. 71-96; Peter P. Swire and Robert E. Litan, None of Your Business (Washington, DC: Brookings Institution Press, 1998).
25. Kang, 'Information Privacy in Cyberspace'; David Banisar and Simon Davies, 'Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments', John Marshall Journal of Computer and Information Law, 18 (1999), pp. 1-111; Frumholz, 'The European Data Privacy Directive'; Reidenberg, 'Resolving Data Privacy Rules'; Michael P. Roch, 'Filling the Void of Data Protection in the United States: Following the European Example', Santa Clara Computer and High Technology Law Journal, 12 (1996), pp. 71-96; Peter P. Swire and Robert E. Litan, None of Your Business (Washington, DC: Brookings Institution Press, 1998).
26. Kang, 'Information Privacy in Cyberspace'; David Banisar and Simon Davies, 'Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments', John Marshall Journal of Computer and Information Law, 18 (1999), pp. 1-111; Frumholz, 'The European Data Privacy Directive'; Reidenberg, 'Resolving Data Privacy Rules'; Michael P. Roch, 'Filling the Void of Data Protection in the United States: Following the European Example', Santa Clara Computer and High Technology Law Journal, 12 (1996), pp. 71-96; Peter P. Swire and Robert E. Litan, None of Your Business (Washington, DC: Brookings Institution Press, 1998).
27. Kang, 'Information Privacy in Cyberspace'; David Banisar and Simon Davies, 'Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments', John Marshall Journal of Computer and Information Law, 18 (1999), pp. 1-111; Frumholz, 'The European Data Privacy Directive'; Reidenberg, 'Resolving Data Privacy Rules'; Michael P. Roch, 'Filling the Void of Data Protection in the United States: Following the European Example', Santa Clara Computer and High Technology Law Journal, 12 (1996), pp. 71-96; Peter P. Swire and Robert E. Litan, None of Your Business (Washington, DC: Brookings Institution Press, 1998).
28. See Robert W Hahn and Anne Layne-Farrar, The Benefits and Costs of Privacy Regulation. (Washington, DC, AEI-Brookings Joint Center for Regulatory Studies, 2001); Lessig, Lawrence, 'Internet: The Architecture of Privacy', Vanderbilt Journal of Entertainment Law and Practice, 1 (1999), pp. 55-65; Jessica Litman, 'Information Privacy/Information Property', Stanford Law Review, 52 (2000), pp. 1283-304; James Rule and Lawrence Hunter, 'Towards Property Rights in Personal Data', in C. J. Bennett and R. Grant (eds.), Visions of Privacy: Policy Choices for the Digital Age (Toronto: University of Toronto Press, 1999); Paul Sholtz, 'Transaction Costs and the Social Costs of Online Privacy', First Monday, 6:5 (2001), for examples.
29. See Robert W Hahn and Anne Layne-Farrar, The Benefits and Costs of Privacy Regulation. (Washington, DC, AEI-Brookings Joint Center for Regulatory Studies, 2001); Lessig, Lawrence, 'Internet: The Architecture of Privacy', Vanderbilt Journal of Entertainment Law and Practice, 1 (1999), pp. 55-65; Jessica Litman, 'Information Privacy/Information Property', Stanford Law Review, 52 (2000), pp. 1283-304; James Rule and Lawrence Hunter, 'Towards Property Rights in Personal Data', in C. J. Bennett and R. Grant (eds.), Visions of Privacy: Policy Choices for the Digital Age (Toronto: University of Toronto Press, 1999); Paul Sholtz, 'Transaction Costs and the Social Costs of Online Privacy', First Monday, 6:5 (2001), for examples.
30. See Robert W Hahn and Anne Layne-Farrar, The Benefits and Costs of Privacy Regulation. (Washington, DC, AEI-Brookings Joint Center for Regulatory Studies, 2001); Lessig, Lawrence, 'Internet: The Architecture of Privacy', Vanderbilt Journal of Entertainment Law and Practice, 1 (1999), pp. 55-65; Jessica Litman, 'Information Privacy/Information Property', Stanford Law Review, 52 (2000), pp. 1283-304; James Rule and Lawrence Hunter, 'Towards Property Rights in Personal Data', in C. J. Bennett and R. Grant (eds.), Visions of Privacy: Policy Choices for the Digital Age (Toronto: University of Toronto Press, 1999); Paul Sholtz, 'Transaction Costs and the Social Costs of Online Privacy', First Monday, 6:5 (2001), for examples.
31. See Robert W Hahn and Anne Layne-Farrar, The Benefits and Costs of Privacy Regulation. (Washington, DC, AEI-Brookings Joint Center for Regulatory Studies, 2001); Lessig, Lawrence, 'Internet: The Architecture of Privacy', Vanderbilt Journal of Entertainment Law and Practice, 1 (1999), pp. 55-65; Jessica Litman, 'Information Privacy/Information Property', Stanford Law Review, 52 (2000), pp. 1283-304; James Rule and Lawrence Hunter, 'Towards Property Rights in Personal Data', in C. J. Bennett and R. Grant (eds.), Visions of Privacy: Policy Choices for the Digital Age (Toronto: University of Toronto Press, 1999); Paul Sholtz, 'Transaction Costs and the Social Costs of Online Privacy', First Monday, 6:5 (2001), for examples.
32. See Robert W Hahn and Anne Layne-Farrar, The Benefits and Costs of Privacy Regulation. (Washington, DC, AEI-Brookings Joint Center for Regulatory Studies, 2001); Lessig, Lawrence, 'Internet: The Architecture of Privacy', Vanderbilt Journal of Entertainment Law and Practice, 1 (1999), pp. 55-65; Jessica Litman, 'Information Privacy/Information Property', Stanford Law Review, 52 (2000), pp. 1283-304; James Rule and Lawrence Hunter, 'Towards Property Rights in Personal Data', in C. J. Bennett and R. Grant (eds.), Visions of Privacy: Policy Choices for the Digital Age (Toronto: University of Toronto Press, 1999); Paul Sholtz, 'Transaction Costs and the Social Costs of Online Privacy', First Monday, 6:5 (2001), for examples.
33. US Senate Committee on Commerce, Science, and Transportation, 2002. Statement by Senator Ernest F. Hollings. The Online Personal Privacy Act is an attempt to regulate the collection, use or disclosure or personally identifiable information by Internet service providers, website operators, and certain third parties that use these entities to collect information. Tech. Law Journal at 〈http://www.techlawjournal.com/cong107/privacy/hollings/20020418summary. asp〉 Accessed 5 May, 2003.
34. Frumholz, 'The European Data Privacy Directive'; George, Lynch, and Marsnik, 'US Multinational Employers and "Safe Harbor" Principles': Directive; Reidenberg, 'Resolving Data Privacy Rules'. European concern about data privacy may be, to some extent, historically driven. The Third Reich's use of private data (and the thought of what that regime might have accomplished with access to modern data bases) and more recent experience with repressive regimes to the East have made Europeans all too aware of the consequences of the accumulation and transfer of personal information for an individual's safety, integrity and privacy. As detailed in Edwin Black, IBM and the Holocaust (New York: Crown Publishers, 2001), the Third Reich made full use of punch-card sorting machines, primitive technology by today's standards.
35. Frumholz, 'The European Data Privacy Directive'; George, Lynch, and Marsnik, 'US Multinational Employers and "Safe Harbor" Principles': Directive; Reidenberg, 'Resolving Data Privacy Rules'. European concern about data privacy may be, to some extent, historically driven. The Third Reich's use of private data (and the thought of what that regime might have accomplished with access to modern data bases) and more recent experience with repressive regimes to the East have made Europeans all too aware of the consequences of the accumulation and transfer of personal information for an individual's safety, integrity and privacy. As detailed in Edwin Black, IBM and the Holocaust (New York: Crown Publishers, 2001), the Third Reich made full use of punch-card sorting machines, primitive technology by today's standards.
36. Frumholz, 'The European Data Privacy Directive'; George, Lynch, and Marsnik, 'US Multinational Employers and "Safe Harbor" Principles': Directive; Reidenberg, 'Resolving Data Privacy Rules'. European concern about data privacy may be, to some extent, historically driven. The Third Reich's use of private data (and the thought of what that regime might have accomplished with access to modern data bases) and more recent experience with repressive regimes to the East have made Europeans all too aware of the consequences of the accumulation and transfer of personal information for an individual's safety, integrity and privacy. As detailed in Edwin Black, IBM and the Holocaust (New York: Crown Publishers, 2001), the Third Reich made full use of punch-card sorting machines, primitive technology by today's standards.
37. Frumholz, 'The European Data Privacy Directive'; George, Lynch, and Marsnik, 'US Multinational Employers and "Safe Harbor" Principles': Directive; Reidenberg, 'Resolving Data Privacy Rules'. European concern about data privacy may be, to some extent, historically driven. The Third Reich's use of private data (and the thought of what that regime might have accomplished with access to modern data bases) and more recent experience with repressive regimes to the East have made Europeans all too aware of the consequences of the accumulation and transfer of personal information for an individual's safety, integrity and privacy. As detailed in Edwin Black, IBM and the Holocaust (New York: Crown Publishers, 2001), the Third Reich made full use of punch-card sorting machines, primitive technology by today's standards.
38. The Council: Common Position (EC) no. 95. See n. 8 above.
39. David L.Aaron, Testimony - European Union and Electronic Privacy (Washington, DC: House Committee on Energy and Commerce, 2001).
40. Robert Gellman, 'Does Privacy Law Work?' In P. E. Agree and M. Rotenberg (eds.), Technology and Privacy: The New Landscape (Cambridge, MA: The MIT Press, 1997); George, Lynch, and Marsnik. 'US Multinational Employers and 'Safe Harbor' Principles; Roch, 'Filling the Void of Data Protection'; Joel R. Reidenberg, 'Setting Standards for Fair Information Practice in the US Private Sector', Iowa Law Review, 80: 3 (1995), pp. 497-551.
41. Robert Gellman, 'Does Privacy Law Work?' In P. E. Agree and M. Rotenberg (eds.), Technology and Privacy: The New Landscape (Cambridge, MA: The MIT Press, 1997); George, Lynch, and Marsnik. 'US Multinational Employers and 'Safe Harbor' Principles; Roch, 'Filling the Void of Data Protection'; Joel R. Reidenberg, 'Setting Standards for Fair Information Practice in the US Private Sector', Iowa Law Review, 80: 3 (1995), pp. 497-551.
42. Robert Gellman, 'Does Privacy Law Work?' In P. E. Agree and M. Rotenberg (eds.), Technology and Privacy: The New Landscape (Cambridge, MA: The MIT Press, 1997); George, Lynch, and Marsnik. 'US Multinational Employers and 'Safe Harbor' Principles; Roch, 'Filling the Void of Data Protection'; Joel R. Reidenberg, 'Setting Standards for Fair Information Practice in the US Private Sector', Iowa Law Review, 80: 3 (1995), pp. 497-551.
43. Robert Gellman, 'Does Privacy Law Work?' In P. E. Agree and M. Rotenberg (eds.), Technology and Privacy: The New Landscape (Cambridge, MA: The MIT Press, 1997); George, Lynch, and Marsnik. 'US Multinational Employers and 'Safe Harbor' Principles; Roch, 'Filling the Void of Data Protection'; Joel R. Reidenberg, 'Setting Standards for Fair Information Practice in the US Private Sector', Iowa Law Review, 80: 3 (1995), pp. 497-551.
44. Ken Gormley, 'One Hundred Years of Privacy', Wisconsin Law Review (1992), pp. 1335-441. It is of interest that Gromley ascribes Warren and Brandeis' motivation to the rise of 'yellow journalism' in the Boston tabloids, which was itself a function of technological changes which allowed the production of cheap mass circulation newspapers. Also see Reidenberg, 'Setting Standards'.
45. Ken Gormley, 'One Hundred Years of Privacy', Wisconsin Law Review (1992), pp. 1335-441. It is of interest that Gromley ascribes Warren and Brandeis' motivation to the rise of 'yellow journalism' in the Boston tabloids, which was itself a function of technological changes which allowed the production of cheap mass circulation newspapers. Also see Reidenberg, 'Setting Standards'.
46. Gellman, 'Does Privacy Law Work?'; Gormley, 'One Hundred Years of Privacy'; Reidenberg, 'Setting Standards'.
47. Gellman, 'Does Privacy Law Work?'; Gormley, 'One Hundred Years of Privacy'; Reidenberg, 'Setting Standards'.
48. Gellman, 'Does Privacy Law Work?'; Gormley, 'One Hundred Years of Privacy'; Reidenberg, 'Setting Standards'.
49. Eve M.Caudill and Patrick E. Murphy, 'Consumer Online Privacy: Legal and Ethical Issues'. Journal of Public Policy and Marketing, 19: 1 (2000), p. 7.
50. Frumholz, 'The European Data Privacy Directive'.
51. Bureau of Consumer Protection, Privacy Online: Fair Information Practices.
52. Roch, 'Filling the Void of Data Protection'.
53. Swire and Litan, None of Your Business.
54. George, Lynch, and Marsnik, 'US Multinational Employers and "Safe Harbor" Principles'; Roch, 'Filling the Void of Data Protection'.
55. George, Lynch, and Marsnik, 'US Multinational Employers and "Safe Harbor" Principles'; Roch, 'Filling the Void of Data Protection'.
56. George, Lynch, and Marsnik, 'US Multinational Employers and "Safe Harbor" Principles'; Joel R. Reidenberg, Testimony before Subcommittee on Commerce, Trade, and Consumer Protection (Washington, DC: Federal Document Clearing House, 2001b); Roch, 'Filling the Void of Data Protection'; Swire and Litan, None of Your Business.
57. George, Lynch, and Marsnik, 'US Multinational Employers and "Safe Harbor" Principles'; Joel R. Reidenberg, Testimony before Subcommittee on Commerce, Trade, and Consumer Protection (Washington, DC: Federal Document Clearing House, 2001b); Roch, 'Filling the Void of Data Protection'; Swire and Litan, None of Your Business.
58. George, Lynch, and Marsnik, 'US Multinational Employers and "Safe Harbor" Principles'; Joel R. Reidenberg, Testimony before Subcommittee on Commerce, Trade, and Consumer Protection (Washington, DC: Federal Document Clearing House, 2001b); Roch, 'Filling the Void of Data Protection'; Swire and Litan, None of Your Business.
59. George, Lynch, and Marsnik, 'US Multinational Employers and "Safe Harbor" Principles'; Joel R. Reidenberg, Testimony before Subcommittee on Commerce, Trade, and Consumer Protection (Washington, DC: Federal Document Clearing House, 2001b); Roch, 'Filling the Void of Data Protection'; Swire and Litan, None of Your Business.
60. Spiros Smitis, 'Foreword', in P. M. Schwartz and J. R. Reidenberg (eds.), Data Privacy Law (Charlottesville, VA: Michie, 1996).
61. The Council: Common Position (EC) no. 95. See n. 8 above.
62. Smitis, 'Foreword'.
63. The Council, 1995. Common Position (EC) no. 95. See n. 8 above.
64. William J. Long, and Mark Pang Quek, Personal Data Privacy Protection in an Age of Globalization: The US - EU Safe Harbor Compromise (Atlanta, GA: Sam Nunn School of International Affairs, Georgia Institute of Technology, 2001). Writing in 1995, Simitis argued that 'most transfer cases are, in fact, covered by the long list of exceptions found in Article 26...', Smitis, 'Foreword'. See Henry Farrell, 'Constructing the International Foundations of E-Commerce - The EU-US Safe Harbor Arrangement,' International Organization, 57 (Spring 2003); and Henry Farrell, 'Negotiating Privacy Across Arenas - The EU-US Safe Harbor Discussions', in A. Heritier (ed.), Common Goods: Reinventing European and International Governance (Rowman and Littlefield, forthcoming) for a detailed discussion of the Safe Harbor negotiations.
65. William J. Long, and Mark Pang Quek, Personal Data Privacy Protection in an Age of Globalization: The US - EU Safe Harbor Compromise (Atlanta, GA: Sam Nunn School of International Affairs, Georgia Institute of Technology, 2001). Writing in 1995, Simitis argued that 'most transfer cases are, in fact, covered by the long list of exceptions found in Article 26...', Smitis, 'Foreword'. See Henry Farrell, 'Constructing the International Foundations of E-Commerce - The EU-US Safe Harbor Arrangement,' International Organization, 57 (Spring 2003); and Henry Farrell, 'Negotiating Privacy Across Arenas - The EU-US Safe Harbor Discussions', in A. Heritier (ed.), Common Goods: Reinventing European and International Governance (Rowman and Littlefield, forthcoming) for a detailed discussion of the Safe Harbor negotiations.
66. William J. Long, and Mark Pang Quek, Personal Data Privacy Protection in an Age of Globalization: The US - EU Safe Harbor Compromise (Atlanta, GA: Sam Nunn School of International Affairs, Georgia Institute of Technology, 2001). Writing in 1995, Simitis argued that 'most transfer cases are, in fact, covered by the long list of exceptions found in Article 26...', Smitis, 'Foreword'. See Henry Farrell, 'Constructing the International Foundations of E-Commerce - The EU-US Safe Harbor Arrangement,' International Organization, 57 (Spring 2003); and Henry Farrell, 'Negotiating Privacy Across Arenas - The EU-US Safe Harbor Discussions', in A. Heritier (ed.), Common Goods: Reinventing European and International Governance (Rowman and Littlefield, forthcoming) for a detailed discussion of the Safe Harbor negotiations.
67. Farrell, 'Negotiating Privacy Across Arenas'.
68. I b i d.
69. David L. Aaron, 'Remarks before the Information Technology Session of America, Fourth Annual IT Policy Summit' (1999), p. 4.
70. Farrell, 'Constructing the International Foundations of E-Commerce'. Long and Quek, 'Personal Data Privacy Protection'; Anna E. Shimanek, 'Do You Want Milk with Those Cookies? Complying with the Safe Harbor Privacy Principles'. The Journal of Corporation Law (Winter 2001), pp. 456-77.
71. Farrell, 'Constructing the International Foundations of E-Commerce'. Long and Quek, 'Personal Data Privacy Protection'; Anna E. Shimanek, 'Do You Want Milk with Those Cookies? Complying with the Safe Harbor Privacy Principles'. The Journal of Corporation Law (Winter 2001), pp. 456-77.
72. Farrell, 'Constructing the International Foundations of E-Commerce'. Long and Quek, 'Personal Data Privacy Protection'; Anna E. Shimanek, 'Do You Want Milk with Those Cookies? Complying with the Safe Harbor Privacy Principles'. The Journal of Corporation Law (Winter 2001), pp. 456-77.
73. The FTC's legal authority comes from Section 5 of the Federal Trade Commission Act which prohibits unfair or deceptive practices. Joel R. Reidenberg, 'E-Commerce and Trans-Atlantic Privacy', Houston Law Review, 38 (2001a), pp. 717-49, argues that the Constitutional basis for FTC oversight here is questionable. At present, only companies which fall under the jurisdiction of the Federal Trade Commission or the Department of Transportation (air carriers and ticket agents) are eligible for Safe Harbor. Thus, major sectors of the economy, such as financial services and telecommunications, must rely on the Data Directive's Article 26 provisions for exemptions from the requirement of adequate protection.
74. A more complete description of Safe Harbor can be found at 〈www.export.gov/safeharbor/sh_overview.html〉
75. David L. Aaron, 'Testimony - European Union and Electronic Privacy'. The EU agreed to Safe Harbor on the understanding that the arrangement would be reviewed the following year. It is important to note that given that Safe Harbor represents a unilateral determination of adequacy from the EU's point of view rather than a treaty, that determination can revoked if it becomes apparent that the agreement is not working as intended.
76. A complete description of Safe Harbor and its provisions can be found on the Department of Commerce's Website at 〈http://www.export.gov/safeharbor/sh_overview.html〉
77. Farrell, 'Constructing the International Foundations of E-Commerce'.
78. The list of organisations enrolled in Safe Harbor can be accessed from 〈www.export.gov/safeharbor/〉
79. Juliana Gruenwald, 'Safe Harbor, Stormy Waters', Interactive Week (30 October 2000 [cited 5 May 2001]). Available from 〈http://www.zdnet.com/zdnn〉. A lawyer in a major international firm noted that most American companies find it difficult to enter into the contracts called for under the Safe Harbor agreement and would not do so on their own. Bob Sherwood, 'Inside Track Law & Business', The Financial Times, 21 October 2002, p. 20.
80. Juliana Gruenwald, 'Safe Harbor, Stormy Waters', Interactive Week (30 October 2000 [cited 5 May 2001]). Available from 〈http://www.zdnet.com/zdnn〉. A lawyer in a major international firm noted that most American companies find it difficult to enter into the contracts called for under the Safe Harbor agreement and would not do so on their own. Bob Sherwood, 'Inside Track Law & Business', The Financial Times, 21 October 2002, p. 20.
81. Aaron: Remarks before the Information Technology Session of America, Fourth Annual IT Policy Summit.
82. Reidenberg. E-Commerce and Trans-Atlantic Privacy.
83. European Commission Staff. The Application of Commission Decision 520/2000/EC of 26 July 2000 Pursuant to Directive 95/46 of the European Parliament and the Council (Brussels: European Commission, 2002).
84. Swire and Litan, None of Your Business.
85. The European Data Directive descends from the data protection principles established in the OECD Guidelines of 1980 and the Council of Europe's Convention of 1981. Its immediate stimulus was the Single Market Initiative of the late 1980s; the initial data protection proposal was made by the Commission in 1990, a second draft was released in late 1992, and agreement was reached with the Member States in December 1994 prior to its adoption in February 1995 by the Council of Ministers. Priscilla M. Regan, American Business and the European Data Protection Directive: Lobbying Strategies and Tactics. In C. J. Bennett and R. Grant (eds.), Visions of Privacy: Policy Choices for the Digital Age (Toronto: University of Toronto Press, 1996); Swire and Litan, None of Your Business.
86. The European Data Directive descends from the data protection principles established in the OECD Guidelines of 1980 and the Council of Europe's Convention of 1981. Its immediate stimulus was the Single Market Initiative of the late 1980s; the initial data protection proposal was made by the Commission in 1990, a second draft was released in late 1992, and agreement was reached with the Member States in December 1994 prior to its adoption in February 1995 by the Council of Ministers. Priscilla M. Regan, American Business and the European Data Protection Directive: Lobbying Strategies and Tactics. In C. J. Bennett and R. Grant (eds.), Visions of Privacy: Policy Choices for the Digital Age (Toronto: University of Toronto Press, 1996); Swire and Litan, None of Your Business.
87. Schwartz and Reidenberg, Data Privacy Law.
88. Article 29 - Data Protection Working Party. Working Document on Determining the International Application of EU Data Protection Law to Personal Data Processing on the Internet by Non-EU Based Websites (Brussels: European Commission Internal Market DG, 2002).
89. The Council, 1995 (emphasis added). In fact, Reidenberg and Schwartz note that the French text of the Directive uses the term moyens or means rather than equipment which might well imply a greater applicability of the Directive to interactions in Cyberspace. Joel R. Reidenberg and Paul M Schwartz. Data Protection Law and On-line Services: Regulatory Responses (Brussels: European Commission, Directorate General XV, 1998).
90. Reidenberg, 'E-Commerce and Trans-Atlantic Privacy'; Swire and Litan, None of Your Business.
91. Reidenberg, 'E-Commerce and Trans-Atlantic Privacy'; Swire and Litan, None of Your Business.
92. Article 29 - Data Protection Working Party.
93. I b i d.
94. See Joel Reidenberg 'Yahoo! and Democracy on the Internet', Jurimetrics, 42 (Spring 2002) and 'An Aussie Can Sue Over Online Story', Wired News, 10 December 2002, at 〈www.wired.com/new/ business/0,1367,56793,00.html〉 Access 7 May, 2003.
95. See Joel Reidenberg 'Yahoo! and Democracy on the Internet', Jurimetrics, 42 (Spring 2002) and 'An Aussie Can Sue Over Online Story', Wired News, 10 December 2002, at 〈www.wired.com/new/ business/0,1367,56793,00.html〉 Access 7 May, 2003.
96. See Michael A Geist, 'Is There a There There? Toward Greater Certainty for Internet Jurisdiction'. Berkeley Technology Law Journal, 16 (2001), pp. 1345-407.
97. David Johnson and David Post, 'Law and Borders: The Rise of Law in Cyberspace'. Stanford Law Review, 48: 5 (1996), pp. 1367-402.
98. Jack L. Goldsmith, 'Against Cyberanarchy'. University of Chicago Law Review, 65 (1998), pp. 1199-250.
99. Austan Goolsbee,. 'In a World Without Borders: The Impact of Taxes on Internet Commerce'. The Quarterly Journal of Economics, 115 (2000), pp. 561-76.
100. Dan Hunter, Cyberspace as Place and the Tragedy of the Digital Anticommons (Philadelphia, PA: The Wharton School, 2002).
101. Stephen J. Kobrin, Territoriality and the Governance of Cyberspace. Journal of International Business Studies, 32: 4 (2001), pp. 687-704.
102. George, Lynch, and Marsnik, 'US Multinational Employers and "Safe Harbor" Principles'.
103. Article 29 - Data Protection Working Party. Working Document on Determining the International Application of EU Data Protection Law to Personal Data Processing on the Internet by Non-EU Based Websites.
104. Gegory J. Wrenn, 'Cyberspace is Real, Borders are Fiction: The Protection of Expressive Rights Online Through Recognition of National Borders in Cyberspace', Stanford Journal of International Law, 38 (2002), pp. 97-106. Goldsmith, 'Against Cyberanarchy', argues that given the unenforceability of most extra-territorial judgments, this possibility is not an issue in practice. While that may be true at present, the problem is still conceptually important and it is far from clear that the threat of hyper-regulation is merely ephemeral.
105. Gegory J. Wrenn, 'Cyberspace is Real, Borders are Fiction: The Protection of Expressive Rights Online Through Recognition of National Borders in Cyberspace', Stanford Journal of International Law, 38 (2002), pp. 97-106. Goldsmith, 'Against Cyberanarchy', argues that given the unenforceability of most extra-territorial judgments, this possibility is not an issue in practice. While that may be true at present, the problem is still conceptually important and it is far from clear that the threat of hyper-regulation is merely ephemeral.
106. Bennett, 'Convergence Revisited: Toward a Global Policy for the Protection of Personal Data?'
107. Anthony McGrew, Globalization and Territorial Democracy: An Introduction. In A. McGrew (ed.), The Transformation of Democracy (London: Polity Press, 1997).
108. The trans-Atlantic economy is deeply integrated. Sales of American firms' subsidiaries in the EU total over $117 bn (1998) and those of European firms in the US almost $107 bn (1999). The vast majority of those firms transfer financial, credit and marketing data and personnel records among subsidiaries and between subsidiaries and headquarters electronically: their viability depends on their electronic data networks.
109. More complete descriptions of the involvement of business and consumer groups in the process can be found in Farrell, 'Negotiating Privacy Across Arenas'; Regan, 'American Business and the European Data Protection Directive: Lobbying Strategies and Tactics'.
110. More complete descriptions of the involvement of business and consumer groups in the process can be found in Farrell, 'Negotiating Privacy Across Arenas'; Regan, 'American Business and the European Data Protection Directive: Lobbying Strategies and Tactics'.
111. Regan, 'American Business and the European Data Protection Directive'.
112. Farrell, 'Negotiating Privacy Across Arenas'.
113. Long and Quek, 'Personal Data Privacy Protection'.
114. Trans Atlantic Consumer Dialogue, Letter to David Aaron (3 December 1999 [cited 29 May 2002]). Available from 〈http://www.tacd.org〉
115. Farrell, 'Negotiating Privacy Across Arenas'. In a letter to Ambassador Aaron during the negotiations the TACD argued that the Safe Harbor proposal 'fails to provide adequate privacy protection for consumers in the United Sates and Europe' and that the lack of adequate protection in the US leaves the country increasingly isolated in the world marketplace. In comments attached to the letter they argued strongly that 'Rather than eroding the principles of the Directive, Safe Harbor should seek to reinforce data protection for all individuals'. Trans Atlantic Consumer Dialogue, Letter to David Aaron (3 December 1999 [cited 29 May 2002]). Available from 〈http://www.tacd.org〉
116. Farrell, 'Negotiating Privacy Across Arenas'. In a letter to Ambassador Aaron during the negotiations the TACD argued that the Safe Harbor proposal 'fails to provide adequate privacy protection for consumers in the United Sates and Europe' and that the lack of adequate protection in the US leaves the country increasingly isolated in the world marketplace. In comments attached to the letter they argued strongly that 'Rather than eroding the principles of the Directive, Safe Harbor should seek to reinforce data protection for all individuals'. Trans Atlantic Consumer Dialogue, Letter to David Aaron (3 December 1999 [cited 29 May 2002]). Available from 〈http://www.tacd.org〉
117. Jurgen Habermas, The Postnational Coalition: Political Essays (Cambridge, MA: MIT Press, 2001), p. 70.
118. Fritz W. Scharpf, 'Interdependence and Democratic Legitimation', in S. J. Pharr and R. D. Putnam (eds.), Disaffected Democracies: What's Troubling the Trilateral Countries (Princeton, NJ: Princeton University Press, 2000).
119. Jurgen Habermas, The Postnational Coalition: Political Essays (Cambridge, MA: MIT Press, 2001).
120. Berman, 'The Globalization of Jurisdiction', p. 319.
121. Ruggie, 'Territoriality and Beyond'; David Harvey, The Condition of Postmodernity (Cambridge, MA: Blackwell Publishers, 1990).
122. Ruggie, 'Territoriality and Beyond'; David Harvey, The Condition of Postmodernity (Cambridge, MA: Blackwell Publishers, 1990).
123. James Anderson, 'The Shifting Stage of Politics: New Medieval and Postmodern Territorialities'. Environment and Planning D : Society and Space, 14 (1996), pp. 133-53.
124. Manuel Castells, The Rise of the Network Society, in M. Castells (ed.), Information Age, vol. 1 (Malden, MA: Blackwell, 2000).
125. James N. Rosenau, Along the Domestic-Foreign Frontier Exploring Governance in a Turbulent World, Cambridge Studies in International Relations (Cambridge & New York: Cambridge University Press, 1997).
126. Berman, 'The Globalization of Jurisdiction', p. 321.
127. Michael Zurn, 'Democratic Governance Beyond the Nation-State: The EU and Other International Institutions', European Journal of International Relations, 6: 2 (2000), pp. 183-221.
128. It is important to note that even after extensive discussion at OECD, taxation of purely digital transactions - an exchange of an electronic book for electronic cash, for example - remains problematic. Thus, the analogy to some of the issues raised in this article, while relevant, is imperfect.