Going American on privacy

“Privacy” is getting a lot of attention in Washington and Brussels these days. On March 26, the Federal Trade Commission released its new framework for U.S. privacy law in a report that outlined “best” industry practices (and thus future litigation directions) for businesses that collect and use personal information for business and advertising purposes. In February, the White House issued a Consumer Privacy Bill of Rights and directed the FTC to enforce the rights and the Commerce Department to convene industry and consumer stakeholder groups to develop additional voluntary “codes of conduct” that would help protect privacy while respecting innovation and economic growth. And, back in January, the European Union proposed its first complete overhaul of E.U.-wide privacy law since Europe’s 1995 Data Protection Directive broke new ground by establishing a single, omnibus privacy policy to govern all data about all individuals in all contexts (except for national security and law enforcement). Given all this action, it could turn out to be pretty important to the Internet, information technology companies and consumers whether the world goes American or European on privacy.

In a nutshell, the longstanding American view has been that privacy — while protected against government infringement by the Constitution (in the Bill of Rights), protected by Congress in certain especially sensitive areas through sector-specific laws covering financial, medical and communications data, protected against commercial encroachment by common law torts including invasion of privacy, trespass and negligence, and by broad federal and state prohibitions against “unfair” or deceptive business practices — is nonetheless an elastic concept to be regulated relatively flexibly. This “light” hand of government has yielded digital innovation including vast troves of free content on the Internet and novel business models of which Facebook and Google are only the most visible and financially successful.

In Europe, privacy is enshrined in the Treaty of Lisbon, and other foundational documents, as a fundamental human right. As such, European officials often speak of the right as absolute, though in fact E.U. judicial opinions as well as regulatory practice establish that privacy in Europe, as in the United States, is balanced against other rights and needs (like free speech, public right to know and national security). However, the absolutist “human right” ideal of privacy, along with the current Data Protection Directive, has spawned a highly prescriptive, bureaucratic approach to regulating business collection and use of personal data that is less flexible and substantially more rule-based than in the U.S. Moreover, the E.U.’s stringent mindset has resulted in a determination by Brussels that U.S. privacy regulation is “inadequate,” and thus companies are prohibited from transferring personal information from Europe to the United States (even concerning their own employees) unless significant bureaucratic hurdles can be jumped. Perhaps even more ominous, there is a move afoot in Europe to shun U.S.-based providers of Cloud computing services because alleged U.S. weakness on privacy and exaggerated concerns about the PATRIOT Act make America too unsafe for the personal information of Europeans.

This view is wrong, and ultimately self-defeating for Europe, whose consumers and businesses could miss out on the full promise of Internet innovation and digital efficiencies. We could even see the rise of transatlantic digital skirmishes where U.S. Clouds are deemed unsafe (German and other regulators on the Continent have said precisely that), and where U.S. Internet companies have to curtail their business practices and offerings to satisfy European data protection authorities who do not like “Like” buttons and other information-sharing features of social media.