The original creators of cyberspace hoped for freedom from state regulation, but their hopes were dashed by the quickly growing importance the internet assumed in economic, socio- cultural and political affairs. Since nations thus continue to play an important regulatory role in this area, the regulation of privacy with respect to cross-border data flows requires their cooperation which, however, is fraught with the difficulties of collective action problems and different national priorities. The paper will analyse the topic with the help of three case studies about negotiations in this area between the United States and the European Union, namely the ‘safe harbor’ agreement, the dispute about the transfer of flight passenger name records (PNR) and the question of access to financial transfers data (SWIFT). It will argue that the fight against international terrorism after 2001 has changed the context of regulation of cross-border data flows; as a consequence, the so far dominant constructivist approach in the respective literature should be complemented by an analysis of the interests of the negotiation partners as well as the institutional factors that are at play.