Colin J. Bennett and Charles D. Raab
The recently passed European Directive on the Protection of Personal Data aims to harmonize European data protection law at a higher level of protection than exists now. It represents a European consensus on a standard for personal privacy and a model for countries without data protection laws. The protracted process for agreement and ratification, however, has produced a document with many derogations and ambiguities, reflecting the wider moves towards "subsidiarity" within the European Union. Of concern to North America is the stipulation that transborder data flow may not be permitted unless the receiving country can demonstrate an "adequate" level of protection. While the process through which this provision will be interpreted and applied is so far found to be complicated and unclear, nevertheless European authorities will be reluctant to tolerate "data havens", a fact that should concern North American business that relies on the unimpeded flows of personal data from and to Europe. Neither Canada nor the United States can claim "adequate" data protection according to the European standard. However, Canadian efforts through the Canadian Standards Association and the Federal Information Highway Advisory Council signal an attempt to fashion a more comprehensive policy framework for privacy than the more incremental and reactive approach of the United States. This divergence is explained by key cultural, economic and political factors within Canada, which have caused a different reaction to the extra-territorial effects of the European Union's Data Protection Directive.