“Privacy” is getting a lot of attention in Washington and Brussels these days. On March 26, the Federal Trade Commission released its new framework for U.S. privacy law in a report that outlined “best” industry practices (and thus future litigation directions) for businesses that collect and use personal information for business and advertising purposes. In February, the White House issued a Consumer Privacy Bill of Rights and directed the FTC to enforce the rights and the Commerce Department to convene industry and consumer stakeholder groups to develop additional voluntary “codes of conduct” that would help protect privacy while respecting innovation and economic growth. And, back in January, the European Union proposed its first complete overhaul of E.U.-wide privacy law since Europe’s 1995 Data Protection Directive broke new ground by establishing a single, omnibus privacy policy to govern all data about all individuals in all contexts (except for national security and law enforcement). Given all this action, it could turn out to be pretty important to the Internet, information technology companies and consumers whether the world goes American or European on privacy.
In a nutshell, the longstanding American view has been that privacy — while protected against government infringement by the Constitution (in the Bill of Rights), protected by Congress in certain especially sensitive areas through sector-specific laws covering financial, medical and communications data, protected against commercial encroachment by common law torts including invasion of privacy, trespass and negligence, and by broad federal and state prohibitions against “unfair” or deceptive business practices — is nonetheless an elastic concept to be regulated relatively flexibly. This “light” hand of government has yielded digital innovation including vast troves of free content on the Internet and novel business models of which Facebook and Google are only the most visible and financially successful.
In Europe, privacy is enshrined in the Treaty of Lisbon, and other foundational documents, as a fundamental human right. As such, European officials often speak of the right as absolute, though in fact E.U. judicial opinions as well as regulatory practice establish that privacy in Europe, as in the United States, is balanced against other rights and needs (like free speech, public right to know and national security). However, the absolutist “human right” ideal of privacy, along with current Data Protection Directive, has spawned a highly prescriptive, bureaucratic approach to regulating business collection and use of personal data that is less flexible and substantially more rule-based than in the U.S. Moreover, the E.U.’s stringent mindset has resulted in a determination by Brussels that U.S. privacy regulation is “inadequate,” and thus companies are prohibited from transferring personal information from Europe to the United States (even concerning their own employees) unless significant bureaucratic hurdles can be jumped. Perhaps even more ominous, there is a move afoot in Europe to shun U.S.-based providers of Cloud computing services because alleged U.S. weakness on privacy and exaggerated concerns about the PATRIOT Act make America too unsafe for the personal information of Europeans.
This view is wrong, and ultimately self-defeating for Europe, whose consumers and businesses could miss out on the full promise of Internet innovation and digital efficiencies. We could even see the rise of transatlantic digital skirmishes where U.S. Clouds are deemed unsafe (German and other regulators on the Continent have said precisely that), and where U.S. Internet companies have to curtail their business practices and offerings to satisfy European data protection authorities who do not like “Like” buttons and other information-sharing features of social media.
To avoid a future digital trade war, the U.S. government needs to stick up more aggressively for our substantially better than “adequate” privacy regime. In fact, what we lack in a single, consolidated, omnibus privacy law, we make up for in a consistently aggressive standard of enforcement — namely, injunctions and huge multimillion-dollar legal awards obtained by the FTC, Health and Human Services, state attorneys general and plaintiffs’ lawyers. Ask ChoicePoint, Google, Facebook, BJ’s, etc., whether the hundreds of millions of dollars they have paid to settle, remediate, disclose and respond to privacy lawsuits and investigations was too lenient. There is nothing like this compliance and liability structure today in Europe. Moreover, all of this enforcement stimulates a rather robust culture of compliance that U.S. companies generally travel with in their business activities around the world.
Nonetheless, many in the privacy advocacy community praise the E.U.’s highly prescriptive regime and intensely bureaucratic approach as good, and the U.S. model of more flexible standards disciplined through vigorous enforcement, as bad. They ask why U.S. regulators can’t be more like their E.U. counterparts.
The reason of course is that flexibility pays dividends in innovation and other social benefits. Though the E.U. still disparages the U.S. approach at every opportunity, it must be acknowledged that Europe is moving toward the U.S. in a number of ways. The latest E.U. privacy proposal contains a substantially more detailed cost-benefit analysis than any U.S. policymaker has performed to date. The proposal also cuts some red tape and promotes streamlined E.U.-wide regulatory approvals. It also focuses more heavily on what has been a priority in the U.S., namely information security and data breach notification requirements. The new proposal also seeks to way surpass the U.S. on the enforcement front: not only would the E.U. adopt U.S.-style class action redress but also authorize wildly unreasonable privacy fines of up to 2% of a company’s annual world-wide revenue! This in terrorem risk of enforcement could stifle legitimate business as effectively as any intransigent bureaucracy.
This is not to argue that the U.S. today is a privacy nirvana. Many of the dynamic Internet products and services we enjoy may involve or be paid for through the collection of a good deal of surprising and, in some cases, dubious information collection. But there would surely be considerable social loss in dramatically curtailing digital data flows if the world went European in setting up reams of new paper privacy protections. Fundamentally, the distinction between the U.S. and E.U. on privacy regulation is this: we proceed on the notion that what is not prohibited is permitted, while for the E.U. it is often the opposite. Consumers and workers on both sides of the Atlantic would benefit if the U.S. government would stand up for the American approach to privacy based on relatively flexible regulation, low bureaucracy, reasonable transparency, serious enforcement (and thus deterrence) and the promotion of legal mechanisms that help propagate a culture of compliance among corporations based or doing business in the United States.
Alan Charles Raul practices privacy and Internet law at Sidley Austin LLP in Washington D.C., where he represents tech, media, communications and defense companies (among others). He also represents companies in litigation, investigations and hearings involving government regulation and enforcement. He previously served as Vice Chairman of the White House Privacy and Civil Liberties Oversight Board, and as General Counsel of the Office of Management and Budget and the Department of Agriculture, and as Associate Counsel to the President.