
U.S. firms skipping 'safe harbor'


By PATRICK THIBODEAU
JUN 03, 2002

 
   
 


Empty Harbor
Not many companies are signing up with the "safe harbor" agreement on privacy rights between the EU and the U.S., and financial firms are among the least happy with Europe's approach.


 
 
Next month marks the two-year anniversary of the landmark U.S. and European "safe harbor" privacy agreement, which was designed to smooth data exchange across the Atlantic. But thus far, the deal has been largely ignored by U.S. companies and unenforced by European data-protection authorities.

Approximately 200 U.S. companies, mainly high-tech vendors, have signed up for safe harbor. Most of the businesses are small or midsize, but there are notable exceptions, including Microsoft Corp., Hewlett-Packard Co., Procter & Gamble Co., Eastman Kodak Co. and Intel Corp.

European Union officials last week said that they're disappointed that more companies haven't signed up, but they're not giving up on the safe-harbor agreement. Neither is the Bush administration, according to officials and experts in Europe and the U.S.

Companies that sign up for safe harbor agree to follow certain data privacy practices, such as getting users' consent to share their data and allowing customers to access their personal information, as well as data use restrictions.

There's no question that Europe's privacy rules are here to stay. But European authorities, with few exceptions, haven't been aggressively enforcing their rules, even against businesses in their own countries.

Privacy observers in Germany and England said data-protection authorities don't have the staff to enforce privacy laws. England is levying small fines against violators, but German privacy rules are so complex that it's impossible for local companies to fully comply, said Florian Baum, an attorney at Brobeck Hale and Dorr in Munich. "Nobody, really, is very eager to follow those rules," he said.

In the U.S., a company that violates its stated privacy policy is subject to Federal Trade Commission enforcement action. Some experts suggested that U.S. businesses are avoiding safe harbor because they fear that saying they comply with its stringent terms is akin to painting a bull's-eye on their companies and inviting inspection.

Scott Salley, chief privacy executive at McKesson Corp., said that fear is what's holding U.S. companies back. Nonetheless, his San Francisco-based health care products firm has signed up for safe harbor.

Self-Certification Difficult

Companies that adopt safe harbor self-certify that they're in compliance, but that's not necessarily an easy process.

McKesson created a multidepartmental task force to review its data practices, which led to new rules on data access and a procedure for annual auditing. It was an opportunity to centralize corporate privacy practices, said Salley.

There are alternatives to safe harbor. Companies can use individual contracts stipulating privacy protections. But Salley said safe harbor's blanket coverage is more attractive.

"We need something in place," he said. "If people blow off safe harbor, what are you going to do then?"

Despite questions about the future of safe harbor, the Bush administration supports the agreement, which was adopted during the Clinton presidency.

"The safe-harbor program is one of the easiest, most efficient ways for U.S. companies to comply with the European directive on data protection," said Michele O'Neil, deputy assistant secretary for IT at the U.S. Department of Commerce.

U.S. Compliance Lags on Privacy
A European Union report released earlier this year was critical of some safe-harbor compliance efforts.


Privacy policies: In some cases, privacy policies couldn't be accessed on company Web sites.
Pick and choose: Only half the firms that have signed up meet every privacy requirement. Some companies drop a provision about a user's right to access his own data.
Opt in: Some firms have opt-in rules on sensitive data but don't spell out what data qualifies.





Source: Computerworld

 


 
 
Copyright © 2002 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.