Data privacy as a microcosm of EU-US individual autonomy divergence
Much of what I have been reading outside of school this month has involved international privacy and data protection regulation. Recent discussions regarding the coming overhaul of EU data protection law make the topic a particularly salient one right now.
One especially helpful resource in this space is a Harvard Law Review article by Professor Paul Schwartz. The piece is entitled “The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures.” In it, Professor Schwartz methodically examines the contrasts and interactions between United States and EU law. I felt it was worth highlighting some of Professor Schwartz’ observations here, and elaborating on them from a broader sociological perspective.
The European and US approaches to data protection differ in both form and substance. The most important difference in form is the topical scope of relevant legislation. The EU has chosen to enact a directive requiring member countries to transcribe the principles contained in the directive into local laws. The result is a powerful incentive for European countries to enact omnibus legislation that imposes similar requirements on all affected industries. In this way, the country need only ensure the compliance of one regulatory framework with the EU directive.
The US, by contrast, faces no such compliance incentive. Consequently, the US has chosen to enact industry-specific privacy regulations to target specific harms. Thus, liability under US law for the same data protection practices will vary depending on the firm holding the data.
Differences in substance are, in my opinion, even more interesting. The EU and the US both rely, to a degree, on Fair Information Practice Principles (FIPPs) to inform regulations. The two jurisdictions, however, diverge dramatically in their distribution of regulatory emphasis among different FIPPs. The EU focuses on data minimization, data quality, and data subject correction rights—thereby defining the permissible scope of use of data post-collection.
Meanwhile, the US focuses on providing notice of collection and intended uses to data subjects, coupled with data subject consent requirements. Thus, the US regulates the acceptable means for obtaining data, but places fewer restrictions on the use of that data once lawfully acquired.
Those two differing approaches are interesting because they represent a microcosm of a cultural divergence between the EU and the US. In the US, the legal presumption tends to be toward empowering the individual as a mini-sovereign, capable of disposing of most personal matters in any way she sees fit. While society may, on the whole, dispute the wisdom of an adult individual’s decisions, we generally allow her to make those decisions nevertheless.
The history of speech restrictions in the US and the EU is instructive here. Think of the paternalism concerns in Virginia State Pharmacy Board v. Virginia Citizens Consumer Council, a case in which the Supreme Court struck down a ban on pharmacists’ ability to publish prices of prescription drugs. The state’s rationale amounted to concerns that consumers might desire lower-quality drugs at lower prices. That rationale, however, could not justify a government burden on speech. On the other hand, a similar rationale might succeed if the only subjects of the paternalism are children unable to provide effective contractual consent. One example of that scenario would be a restriction on tobacco advertising geared toward children (Lorillard v. Reilly). Clearly then, consent is the guiding light on these issues.
European countries, on the other hand, generally protect only the speech that can pass some sort of balancing test between the value of the speech and harm to some formulation of the public good. Accordingly, European countries often simply ban speech that offends enough people; hate speech is a good example of the phenomenon.
Similarly, in the field of data protection, the US looks to the consent of the consumer, and entrusts the consumer to determine whether the benefits she gains from providing data outweigh the harms of any post-collection uses to which she has agreed. In the EU, the focus on post-collection regulation tends to divest the consumer of that discretion, instead entrusting regulatory authorities to enact and enforce uniform data protection standards. The difference is striking.
In my view, as we seek to preserve and advance harmonization mechanisms to make transatlantic data protection law navigable for businesses, we must be mindful of the paradigm discrepancies from which today’s regulatory differences emerged. Failure to do so will result in time wasted simply talking past one another.