The safe-harbor agreement between the United States and Europe: a missed opportunity to balance the interests of e-commerce and privacy online?

Journal of Broadcasting & Electronic Media, Dec, 2002 by Duncan H. Brown, Jeffrey Layne Blevins

During the first half of 2000, two high-profile incidents heightened public concerns about the privacy of personal data on the Internet. These incidents involved the e-commerce toy retailer Toysmart.com and DoubleClick, the largest online advertising company in the United States. Coincidentally, the Commission of the European Communities issued a document in July 2000 outlining the main features of the safe-harbor agreement it had concluded with the U.S. to ensure the protection of personal data collected by U.S.-based companies about residents of the European Union (E.U.).

The Toysmart.com and DoubleClick cases were interpreted by many as examples of the failure of the U.S. reliance on industry self-regulation to protect personal data privacy, and at least some saw the main features of the safe harbor agreement as suggesting an attractive alternative approach. The safe harbor's existence, coupled with growing public concern about online privacy, had created an unusual opportunity for a fundamental policy shift in the U.S. approach to online data privacy.

This study traces the fate of attempts to shift from an approach based mostly on industry self-regulation to one more in harmony with those systems of legal protections being adopted in Europe and elsewhere. The study then demonstrates the value of the work of political scientist John W. Kingdon (1995), especially his concept of "policy windows," when analyzing such attempts at major policy change. It ends by suggesting why attempts to change to a new system of online data privacy protection have so far failed and what lessons can be learned from these events by those who study personal data privacy and the policy-formation process.

In June 2000 the e-commerce toy retailer Toysmart.com filed for Chapter 11 bankruptcy protection. Shortly afterwards, the company offered its customer database for sale in an advertisement in the Wall Street Journal (Simpson, 2000). The sale of this customer information violated the company's stated privacy policy, which was reported to have included the statement: "You can rest assured that your information will never be shared with a third party" (quoted in Richtel, 2000, p. C2). Several similar cases emerged where e-commerce retailers had violated their privacy policies, bringing into question the value of industry self-regulation (As Online Firms Go Bust, 2000).

A few months earlier, the online advertising company DoubleClick announced that it would start linking its online data about the users of the Web sites on which it advertised with information about the purchasing habits of those users at a number of major retailers, catalog companies, and publishers (Will, 2000; Shen, 2000). DoubleClick was able to combine these two sets of personal data through its earlier acquisition of Abacus Direct, a corporation that compiled information on the purchasing habits of millions of consumers. This linking of personal data with the often anonymous Web site data led to a brief storm of protest, perhaps best summed up in a Boston Globe article's title: "DoubleClick's Double Cross" (Bray, 2000). A few months later, responding to this pressure--and perhaps not least to a drop in the value of its shares--DoubleClick announced that it would put on hold the plan to combine these two sets of data.

In both cases, negative publicity, pressure from Wall Street investors, and intervention in the dispute by the Federal Trade Commission led to at least a temporary resolution that offered some level of privacy protection for those whose personal data were involved. However, protection for personal data in the future relied mostly on the willingness of the businesses involved to sustain the agreements rather than the force of any existing body of law.

In sharp contrast, had those Toysmart.com customers been residents of a member state of the European Union, and had the safe-harbor-agreement negotiated between the U.S. and the E.U. applied in that case, the situation would have been very different. The dissimilar notions of personal data privacy protection in the E.U. and U.S. forced the respective entities to negotiate a mechanism that would allow such contradictory philosophies to co-exist after the issuance of an E.U. directive in 1995.

What follows is a brief explanation of why a safe-harbor agreement was needed, followed by a description of some of the main features of that safe-harbor agreement. Several of the concerns many privacy advocates have expressed about the current U.S. approach to privacy protection are then summarized, leading into an analysis of three Senate bills introduced during the 106th Congress in an effort to address some of the perceived shortcomings of existing legislation. Finally, after an examination of events in the 107th Congress, this study concludes that the opportunity for comprehensive privacy legislation may have passed. Perhaps the most significant factor in the failure to enact data privacy protection in the U.S. has been the characterization of the issue as a consumer right rather than as a civil right. Seeing privacy as a consumer right appeared to make it easier for organizations who collect personal data to argue that the costs to them of providing data privacy are too high.