In a nutshell, the longstanding American view has been that privacy — while protected against government infringement by the Constitution (in the Bill of Rights), protected by Congress in certain especially sensitive areas through sector-specific laws covering financial, medical and communications data, protected against commercial encroachment by common law torts including invasion of privacy, trespass and negligence, and by broad federal and state prohibitions against “unfair” or deceptive business practices — is nonetheless an elastic concept to be regulated relatively flexibly. This “light” hand of government has yielded digital innovation including vast troves of free content on the Internet and novel business models of which Facebook and Google are only the most visible and financially successful.
In Europe, privacy is enshrined in the Treaty of Lisbon, and other foundational documents, as a fundamental human right. As such, European officials often speak of the right as absolute, though in fact E.U. judicial opinions as well as regulatory practice establish that privacy in Europe, as in the United States, is balanced against other rights and needs (like free speech, public right to know and national security). However, the absolutist “human right” ideal of privacy, along with current Data Protection Directive, has spawned a highly prescriptive, bureaucratic approach to regulating business collection and use of personal data that is less flexible and substantially more rule-based than in the U.S. Moreover, the E.U.’s stringent mindset has resulted in a determination by Brussels that U.S. privacy regulation is “inadequate,” and thus companies are prohibited from transferring personal information from Europe to the United States (even concerning their own employees) unless significant bureaucratic hurdles can be jumped. Perhaps even more ominous, there is a move afoot in Europe to shun U.S.-based providers of Cloud computing services because alleged U.S. weakness on privacy and exaggerated concerns about the PATRIOT Act make America too unsafe for the personal information of Europeans.
This view is wrong, and ultimately self-defeating for Europe, whose consumers and businesses could miss out on the full promise of Internet innovation and digital efficiencies. We could even see the rise of transatlantic digital skirmishes where U.S. Clouds are deemed unsafe (German and other regulators on the Continent have said precisely that), and where U.S. Internet companies have to curtail their business practices and offerings to satisfy European data protection authorities who do not like “Like” buttons and other information-sharing features of social media.