By Woodrow Hartzog, Professor of Law & Computer Science, Northeastern University
and Neil Richards, Koch Distinguished Professor in Law, Washington University in St. Louis
Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP
and Neil Richards, Koch Distinguished Professor in Law, Washington University in St. Louis
Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP
America’s privacy bill has come due. Since the dawn of the Internet, Congress has repeatedly failed to build a robust identity for American privacy law. But now both U.S. states like California and the European Union have forced Congress’s hand by passing legislation like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). These data protection frameworks, structured around principles for Fair Information Processing called the “FIPs,” have industry and privacy advocates alike for a “U.S. GDPR.” States seemed poised to blanket the country with FIP-based laws if Congress fails to act. The United States is thus in the midst of a “constitutional moment” for privacy, in which intense public deliberation and action may bring about constitutive and structural change. And the European data protection model of the GDPR is ascendant.
But there are great risks of U.S. lawmakers embracing a watered-down version of the European model as American privacy law enters its constitutional moment. European-style data protection rules have undeniable virtues, but they won’t be enough. The FIPs assume data processing is always a worthy goal, but even fairly processed data can lead to oppression and abuse. Data protection is also myopic because it ignores how industry’s appetite for data is wrecking our environment, our democracy, our attention spans, and our emotional health. Even if E.U.-style data protection were sufficient, the United States is too different from Europe to implement and enforce such a framework effectively on its European law terms. Any U.S. GDPR would in practice be what we call a “GDPR-lite.”
Our argument is simple: In the United States, a data protection model cannot do it all for privacy, though if current trends continue, we will likely entrench it as though it can. We propose instead a more comprehensive approach to privacy that is better focused on power asymmetries, corporate structures, and a broader vision of human well-being. Settling for an American GDPR-lite would be a tragic ending to a real opportunity to tackle the critical problems of the information age.
If you look closely, the foundation for a pluralistic American theory of privacy based upon constraining corporate power and protecting vulnerable consumers has already been established. We must embrace it. Practically speaking, lawmakers, courts, and companies must embolden the doctrines and legal tools that advance this agenda. This means strengthening trust-based torts like the breach of confidence and theories of indirect liability, prohibiting more data practices outright, and being more skeptical of the role of consent in validating data practices. It also means both governments and organizations must leverage the concept of privacy to further the over-all well-being of their citizens and customers. An effective approach to privacy also requires a shift from focusing mainly on procedural rules to include substantive restrictions as well. Procedural requirements like obligations to get peoples’ consent for data practices ultimately normalize the kinds of data collection and surveillance harms that they are supposed to mitigate. They are a recipe for companies to exploit and manipulate people in service of ever more data. The substantive shift we call for will require lawmakers to revisit some basic assumptions about when data collection and processing is desirable and entertains bolder obligations, such as outright bans and moratoria on certain technologies and practices. It also requires legislatures to be imaginative and go beyond the standard suite of procedural safeguards like transparency and data subject rights like access to data. Lawmakers have been remarkably creative in creating rules for other industries. They should leverage the power to tax, change business incentives, and pierce the corporate veil in going beyond standard data and consumer protection approaches to confront modern privacy risks.
If the United States is to take the modern privacy dilemma seriously, lawmakers must act urgently and be willing to expend political capital for effective rules. America’s privacy reckoning is here, but its identity has yet to be defined. Congress has an opportunity to show leadership by embracing a comprehensive approach that addresses modern data and privacy problems, not those of the 1970s. But if it fails to embrace a comprehensive framework that addresses corporate power, vulnerabilities in information relationships, and data’s externalities, America will be resigned to a weak and myopic approach as its constitutional moment passes. Settling for an American GDPR-lite would be a tragic ending to a real opportunity to tackle the critical problems of the information age.
But there are great risks of U.S. lawmakers embracing a watered-down version of the European model as American privacy law enters its constitutional moment. European-style data protection rules have undeniable virtues, but they won’t be enough. The FIPs assume data processing is always a worthy goal, but even fairly processed data can lead to oppression and abuse. Data protection is also myopic because it ignores how industry’s appetite for data is wrecking our environment, our democracy, our attention spans, and our emotional health. Even if E.U.-style data protection were sufficient, the United States is too different from Europe to implement and enforce such a framework effectively on its European law terms. Any U.S. GDPR would in practice be what we call a “GDPR-lite.”
Our argument is simple: In the United States, a data protection model cannot do it all for privacy, though if current trends continue, we will likely entrench it as though it can. We propose instead a more comprehensive approach to privacy that is better focused on power asymmetries, corporate structures, and a broader vision of human well-being. Settling for an American GDPR-lite would be a tragic ending to a real opportunity to tackle the critical problems of the information age.
If you look closely, the foundation for a pluralistic American theory of privacy based upon constraining corporate power and protecting vulnerable consumers has already been established. We must embrace it. Practically speaking, lawmakers, courts, and companies must embolden the doctrines and legal tools that advance this agenda. This means strengthening trust-based torts like the breach of confidence and theories of indirect liability, prohibiting more data practices outright, and being more skeptical of the role of consent in validating data practices. It also means both governments and organizations must leverage the concept of privacy to further the over-all well-being of their citizens and customers. An effective approach to privacy also requires a shift from focusing mainly on procedural rules to include substantive restrictions as well. Procedural requirements like obligations to get peoples’ consent for data practices ultimately normalize the kinds of data collection and surveillance harms that they are supposed to mitigate. They are a recipe for companies to exploit and manipulate people in service of ever more data. The substantive shift we call for will require lawmakers to revisit some basic assumptions about when data collection and processing is desirable and entertains bolder obligations, such as outright bans and moratoria on certain technologies and practices. It also requires legislatures to be imaginative and go beyond the standard suite of procedural safeguards like transparency and data subject rights like access to data. Lawmakers have been remarkably creative in creating rules for other industries. They should leverage the power to tax, change business incentives, and pierce the corporate veil in going beyond standard data and consumer protection approaches to confront modern privacy risks.
If the United States is to take the modern privacy dilemma seriously, lawmakers must act urgently and be willing to expend political capital for effective rules. America’s privacy reckoning is here, but its identity has yet to be defined. Congress has an opportunity to show leadership by embracing a comprehensive approach that addresses modern data and privacy problems, not those of the 1970s. But if it fails to embrace a comprehensive framework that addresses corporate power, vulnerabilities in information relationships, and data’s externalities, America will be resigned to a weak and myopic approach as its constitutional moment passes. Settling for an American GDPR-lite would be a tragic ending to a real opportunity to tackle the critical problems of the information age.
RSS Feed
