Should the U.S. Adopt European-Style Data-Privacy Protections?Joel Reidenberg in The Wall Street Journal, March 08, 2013
Companies are watching you. They want to know where you go on the Web, what you buy and what causes you support—with the hope of sending you targeted offers based on your preferences and lifestyle choices.
But who is watching over these businesses? Who is making sure they aren't misusing personal data or breaking privacy promises they make to customers?
In Europe, there are strict rules about what companies can and can't do in terms of collecting, using, disclosing and storing personal information, and governments are pushing to make the regulations even stronger. That has prompted renewed debate about whether it is time for the U.S. to toughen its relatively lax privacy regulations.
In one camp are those who believe the U.S. government should refrain from meddling. They say the lack of privacy restrictions in the U.S. has encouraged innovation in the online-marketing industry, which is still evolving, and they question whether a Congress that isn't capable of passing a budget can be trusted with crafting complex privacy legislation.
The U.S.'s experiment with self-regulation has been a failure, say those who believe Europe's approach to privacy is superior. By trusting industry to police itself, the U.S. has created a situation where consumers have little control over personal data and few remedies when they find their privacy has been invaded.
Yes: Our Experiment With Self-Regulation Has Failed
Thirty-five years ago, a federal commission studied privacy protections in the U.S. and concluded that "neither law nor technology now gives an individual the tools to protect his legitimate interests in the records organizations keep about him."
If that was the conclusion then, imagine what the commission would say about privacy today in the age of cloud computing and big data.
Sensitive health information gleaned from the websites we visit is collected and sold, GPS and cell-signal location tracking by the police is conducted without warrants, and online retailers target consumers for higher prices based on their Web browsing histories. Industry self-regulation and options like privacy settings on social networks, Web browsers and mobile apps have failed to keep up with advances in invasive tracking techniques. Our limited legal rights don't come close to protecting us against online tracking and profiling.
In contrast to the U.S., the European Union has a comprehensive set of legal rights to protect personal data. Every country in the EU has a statute establishing fair information practices for the collection, use, disclosure and storage of personal information, and has combined these rights with remedies for violations and the creation of an independent government agency for oversight. This European model has significant merits compared with the U.S. piecemeal approach.
Citizens come first. Europe's system recognizes that privacy, regardless of context, is a core democratic value that must be safeguarded, not left to market forces. In the U.S., companies reveal only what they want about their data practices, privacy notices are largely incomprehensible and companies can rewrite their policies after collecting your data.
One size doesn't fit all, though, and the rigid implementation of privacy laws can bring unintended consequences—like a ban on hidden filming that would treat the taping of police behaving badly as a criminal act. To avoid that, safe harbors can be added to legislation to limit liability in certain cases and situations.
Market bias is corrected. Stricter privacy laws don't stifle innovation or prevent online companies from sending targeted offers to consumers. Rather, they shift control from industry to individuals by requiring businesses to demonstrate that consumers approve of the way their information is being used.
Good business practice is incentivized. In a world where information has great value, it is common sense and good business practice for organizations to know what personal information they hold, to have internal controls on how it is processed and to make sure information is being used fairly. Strict, comprehensive privacy standards like those found in Europe motivate companies to adopt such practices and review them regularly to avoid punishment for misbehavior.
Redress is available. In Europe, individuals can take action when their privacy is violated. In the U.S., remedies exist only in targeted areas. For example, if a doctor discloses a patient's medical condition, the patient can sue under the health-information privacy law, but if a website discloses the same information, the web user has no claim. The lack of consistency undermines public trust in online activity and leaves victims legally helpless.
Independent oversight is provided. Oversight is critical if privacy rules are to have real meaning. An independent board helps ensure that the implementation of privacy principles in the dynamic and complex online environment is fair to both citizens and industry.
The flow of information is guaranteed. The European rules limit data exports to countries with insufficient privacy protection, which creates a serious problem for data transfers to the U.S. And as other regions adopt Europe's approach, complying with foreign laws is becoming more difficult for U.S. businesses.
Some say Washington can't be trusted with crafting complex privacy legislation and that the market, if left alone, can correct many of the flaws inherent in our current system. I disagree. Washington may be stymied by gridlock, but privacy tends to have bipartisan support and polls show that most Americans want more legal protections.
The U.S.'s experiment with self-regulation has failed Americans. We need a robust, legally enforceable Privacy Bill of Rights in the U.S.
Dr. Reidenberg is the Waxberg Professor of Law and the founding academic director of the Center on Law and Information Policy at Fordham Law School in New York. He can be reached at firstname.lastname@example.org.