Centre for Information Policy Leadership
  • Home
  • About
    • Meet the Team
  • Membership
  • Events
  • Projects
    • AI Project
    • Brazil AI Project
    • Organizational Accountability
    • Protecting Children's Data Privacy >
      • Policy Paper I: International Issues & Compliance Challenges
    • EU GDPR Implementation >
      • Global Readiness Benchmarks for GDPR
    • Enabling Data Driven Innovation and Big Data >
      • Privacy Risk Management
      • Transparency and User Controls
      • Updating Core Privacy Principles
    • Role of the DPO
    • Enabling Global Data Flows
    • Regional Focus and Outreach >
      • Effective LGPD
  • Resources
    • CIPL White Papers
    • Public Consultations
    • CIPL Articles
    • Hunton Andrews Kurth Privacy & Information Security Law Blog
    • Corporate Digital Responsibility and Accountability
    • Regulatory Engagement
    • Artificial Intelligence
    • Digital Economy and Society
    • Cross-Border Data Transfer Mechanisms
    • GDPR Implementation
    • US Privacy Framework
  • CIPL Blog
  • Media
  • Careers
  • Contact Us
  • Home
  • About
    • Meet the Team
  • Membership
  • Events
  • Projects
    • AI Project
    • Brazil AI Project
    • Organizational Accountability
    • Protecting Children's Data Privacy >
      • Policy Paper I: International Issues & Compliance Challenges
    • EU GDPR Implementation >
      • Global Readiness Benchmarks for GDPR
    • Enabling Data Driven Innovation and Big Data >
      • Privacy Risk Management
      • Transparency and User Controls
      • Updating Core Privacy Principles
    • Role of the DPO
    • Enabling Global Data Flows
    • Regional Focus and Outreach >
      • Effective LGPD
  • Resources
    • CIPL White Papers
    • Public Consultations
    • CIPL Articles
    • Hunton Andrews Kurth Privacy & Information Security Law Blog
    • Corporate Digital Responsibility and Accountability
    • Regulatory Engagement
    • Artificial Intelligence
    • Digital Economy and Society
    • Cross-Border Data Transfer Mechanisms
    • GDPR Implementation
    • US Privacy Framework
  • CIPL Blog
  • Media
  • Careers
  • Contact Us

The U.S. Urgently Needs a Comprehensive Privacy Law that Goes Beyond the Fair Information Practices

11/30/2021

11 Comments

 
By Woodrow Hartzog, Professor of Law & Computer Science, Northeastern University
and Neil Richards, Koch Distinguished Professor in Law, Washington University in St. Louis


​Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP
​America’s privacy bill has come due. Since the dawn of the Internet, Congress has repeatedly failed to build a robust identity for American privacy law. But now both U.S. states like California and the European Union have forced Congress’s hand by passing legislation like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). These data protection frameworks, structured around principles for Fair Information Processing called the “FIPs,” have industry and privacy advocates alike for a “U.S. GDPR.” States seemed poised to blanket the country with FIP-based laws if Congress fails to act. The United States is thus in the midst of a “constitutional moment” for privacy, in which intense public deliberation and action may bring about constitutive and structural change. And the European data protection model of the GDPR is ascendant.
 
But there are great risks of U.S. lawmakers embracing a watered-down version of the European model as American privacy law enters its constitutional moment. European-style data protection rules have undeniable virtues, but they won’t be enough. The FIPs assume data processing is always a worthy goal, but even fairly processed data can lead to oppression and abuse. Data protection is also myopic because it ignores how industry’s appetite for data is wrecking our environment, our democracy, our attention spans, and our emotional health. Even if E.U.-style data protection were sufficient, the United States is too different from Europe to implement and enforce such a framework effectively on its European law terms. Any U.S. GDPR would in practice be what we call a “GDPR-lite.”
 
Our argument is simple: In the United States, a data protection model cannot do it all for privacy, though if current trends continue, we will likely entrench it as though it can. We propose instead a more comprehensive approach to privacy that is better focused on power asymmetries, corporate structures, and a broader vision of human well-being. Settling for an American GDPR-lite would be a tragic ending to a real opportunity to tackle the critical problems of the information age.
 
If you look closely, the foundation for a pluralistic American theory of privacy based upon constraining corporate power and protecting vulnerable consumers has already been established. We must embrace it. Practically speaking, lawmakers, courts, and companies must embolden the doctrines and legal tools that advance this agenda. This means strengthening trust-based torts like the breach of confidence and theories of indirect liability, prohibiting more data practices outright, and being more skeptical of the role of consent in validating data practices. It also means both governments and organizations must leverage the concept of privacy to further the over-all well-being of their citizens and customers. An effective approach to privacy also requires a shift from focusing mainly on procedural rules to include substantive restrictions as well. Procedural requirements like obligations to get peoples’ consent for data practices ultimately normalize the kinds of data collection and surveillance harms that they are supposed to mitigate. They are a recipe for companies to exploit and manipulate people in service of ever more data. The substantive shift we call for will require lawmakers to revisit some basic assumptions about when data collection and processing is desirable and entertains bolder obligations, such as outright bans and moratoria on certain technologies and practices. It also requires legislatures to be imaginative and go beyond the standard suite of procedural safeguards like transparency and data subject rights like access to data. Lawmakers have been remarkably creative in creating rules for other industries. They should leverage the power to tax, change business incentives, and pierce the corporate veil in going beyond standard data and consumer protection approaches to confront modern privacy risks.
 
If the United States is to take the modern privacy dilemma seriously, lawmakers must act urgently and be willing to expend political capital for effective rules. America’s privacy reckoning is here, but its identity has yet to be defined. Congress has an opportunity to show leadership by embracing a comprehensive approach that addresses modern data and privacy problems, not those of the 1970s. But if it fails to embrace a comprehensive framework that addresses corporate power, vulnerabilities in information relationships, and data’s externalities, America will be resigned to a weak and myopic approach as its constitutional moment passes. Settling for an American GDPR-lite would be a tragic ending to a real opportunity to tackle the critical problems of the information age.
11 Comments
Divorce lawyers newport beach link
8/15/2022 04:58:07 pm

The substantive shift we call for will require lawmakers to revisit some basic assumptions about when data collection and processing is desirable and entertains bolder obligations, such as outright bans and moratoria on certain technologies and practices. Thank you, amazing post!

Reply
Family law attorneys orange county link
8/15/2022 05:22:23 pm

This means strengthening trust-based torts like the breach of confidence and theories of indirect liability, prohibiting more data practices outright, and being more skeptical of the role of consent in validating data practices. Thank you for the beautiful post!

Reply
Rafael Smith link
2/28/2023 11:41:29 am

This means strengthening trust-based torts like the breach of confidence and theories of indirect liability,

Reply
Orange County family law attorneys link
3/3/2023 10:12:43 am

They should leverage the power to tax, change business incentives, and pierce the corporate veil in going beyond standard data and consumer protection approaches to confront modern privacy risks. Thank you, amazing post!

Reply
Orange County divorce attorneys link
3/3/2023 10:33:14 am

The substantive shift we call for will require lawmakers to revisit some basic assumptions about when data collection and processing is desirable and entertains bolder obligations, such as outright bans and moratoria on certain technologies and practices. Thank you for taking the time to write a great post!

Reply
William Sonnier link
8/1/2023 06:16:22 pm

The substantive shift we call for will require lawmakers to revisit some basic assumptions about when data collection and processing is desirable and entertains bolder obligations, such as outright bans and moratoria on certain technologies and practices. Thank you for sharing your great post!

Reply
Telkom University link
12/24/2023 10:34:42 am

What are the shortcomings of relying solely on Fair Information Practices in addressing privacy concerns in the United States?

Reply
Robert Hedman link
12/16/2024 04:38:35 pm

A comprehensive privacy law is essential to safeguard personal data in today's digital age. Fair Information Practices need updating to cover emerging threats and technologies.

Reply
Lisa link
5/1/2025 05:33:32 pm

Hello!

Thanks for sharing your knowledge and wisdom with us, best regards

your follower,

Lisa

Reply
youtube link
5/1/2025 05:36:05 pm

That's a great article, keep it up!

Regards

Reply
feirão link
5/1/2025 05:38:51 pm

amazing blog, regards

Reply



Leave a Reply.

    Archives

    January 2024
    December 2023
    October 2023
    May 2023
    April 2023
    March 2023
    February 2023
    January 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2020
    June 2020
    April 2020
    March 2020
    December 2019

    Categories

    All
    Accountability
    Data Processing
    Individual Rights
    Legitimate Interest
    Transparency
    US Privacy

    RSS Feed

Copyright © 2025 by the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP.
Disclaimer | Privacy Policy | Cookies Policy | CA Privacy Notice | Contact
Picture
Picture