included the U.S. focused instead on threats posed by public sector data use only, relegating
private sector issues to industry self-regulation. The majority of countries adopted no privacy
legislation through the 1980s.
In the last ten years, however, the European Union has dominated global privacy debates
and has effectively promoted the comprehensive model. Passed in 1995, the EU data privacy
directive required that all member states adopt comprehensive legislation for the public and
private sectors and create independent regulatory agencies. Additionally, the directive includes
an extra-territorial provision that limits the transfer of personal information from Europe to third-
countries that do not have adequate privacy legislation.
Five member states – Belgium, Greece,
Italy, Portugal, and Spain – passed data privacy rules because of the directive. Additionally, over
twenty non-member states have adopted comprehensive rules. All members of the OECD –
except for the U.S., Turkey, South Korea and Mexico – now have comprehensive rules. In total,
Although the U.S. has waged a vocal international campaign against Europe’s approach, it
has not been able to contain the spread of European rules. Seven countries – including key
markets such as Japan, Canada, and Australia – that had previously shared the U.S. system of
protection have adopted the EU comprehensive system. Europe even forced the U.S. itself to
make concessions. After considerable transatlantic tensions, the two sides settled the dispute
about the (in-)adequacy of American rules through the adoption of the so-called Safe Harbor
agreement. The agreement requires that U.S. firms active in European markets abide by EU rules
59
Schwartz and Reidenberg 1996 provides a useful description of the difference between U.S. and European
regulation.
60
For an overview of the directive see Simitis 1995.
61
See Council of Europe 2004.
28
Convention