My US colleague Toni Tease, who practises in Montana, has an interesting article in the latest issue of her newsletter on a recently enacted statute in her state that appears to go a long way towards data protection. Indeed it may be cheaper and a lot more workable than our approach in Europe because there is no need for a bureaucracy or the regulatory burden of registration or notification.
If I understand the statute correctly, it requires what we would call data controllers to notify promptly data subjects within the state of any unauthorized access to their personal data. There is also a duty to delete personal data when no longer needed. The legislation is due to come into effect on 1 March 2006 and Montana is one of several states in the West with such legislation.
One of the reasons why we have the "Safe Harbor" arrangements with all the complex contractual provisions that those arrangements involve is that the US has not provided much statutory protection for personal data. It appears that the position is now beginning to change.