Europe and U.S. have different approaches to protecting privacy of personal data
Laws are very different when governments consider something a right and not a privilege. Healthcare is one example. Privacy is another.
European officials made clear last week that when it comes to protecting people’s personal information, the burden is on businesses, not consumers, to do the heavy lifting.
A new data-privacy rule, to apply to more than 500 million people in 28 countries, will be put into effect by early 2017. Among other provisions, it will guarantee Europeans the right to have companies delete information about them that’s no longer relevant and require businesses to inform regulators within three days of any data breach.
“The regulation returns control over citizens’ personal data to citizens,” said Jan Philipp Albrecht, the European Parliament’s chief negotiator in drafting the new rule.
Contrast that with the approach in this country, where business interests uniformly come first. For example, corporate lobbyists have made sure that consumers have to opt out from having their personal data shared, rather than requiring companies to seek customers’ upfront approval.
“Every developed country in the world has a general privacy law — except us,” said Neil Richards, a law professor at Washington University in St. Louis. “What we have instead is a mishmash of state laws based on what the market will bear.”
Every expert I spoke with said the starting point for any discussion of privacy rights in America is the question of how it will affect business. The Europeans, they said, began their rule-making discussion four years ago with an understanding that privacy is a human right.
“Americans care a lot about privacy, too,” said Nancy Kim, a professor at California Western School of Law. “The difference is that Europeans haven’t bought into the ‘market knows best’ philosophy.
“In the U.S., the words ‘free market’ and ‘free speech’ are powerful rhetorical tools that businesses use to fend off regulation,” she said.
Critics of Europe’s privacy laws said in the past that the region talked a good game but failed to follow through with strong enforcement powers. That’s changed.
The new rule includes a pitbull of a provision stipulating that any company violating people’s privacy could face a penalty of as much as 4% of its global revenue. For a Google or Facebook, that could run into billions of dollars.
Vera Jourova, the European Union’s justice commissioner, said businesses and consumers will “profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation.”
What they’ll encourage, if nothing else, is greater accountability for the self-appointed stewards of personal information, the corporations that treat details of people’s lives like a commodity that can be bought and sold.
The European law will extend to any company with customers in the region, even if it’s based elsewhere, like, say, Silicon Valley.
It requires businesses to appoint a data protection officer if large amounts of customer information are collected and to obtain people’s consent before sharing data with others.
The law also enshrines the notion of a “right to be forgotten.” In other words, you can tell a company to delete all info about you “provided that there are no legitimate grounds for retaining it.”
No longer would a business be able to keep you in its database for marketing purposes even after you’ve canceled the service.
One tricky aspect of that, however, is how search engines or media outlets should respond to requests for past missteps or embarrassments — a story about a drunken-driving arrest, say — to be pulled from online archives.
Press groups in Europe and elsewhere say this could allow people to rewrite history. It’s a valid concern.
Otherwise, the provisions in the European law strike me as a common-sense approach to legitimate consumer worries. They don’t place companies at a disadvantage. Rather, they acknowledge that individuals should have some say about the storing and use of their personal information.
Why should a business gain commercial control of someone’s data just because that person bought a pair of shoes or visited a website?
There may be valid reasons for relinquishing control of some information — being able to bank or shop online, for example — but that shouldn’t be a blanket authorization for businesses to do as they please once your back is turned.
So why don’t we follow Europe’s example and establish nationwide privacy rules here?
The 1st Amendment is one issue. Corporations claim they have a free-speech right to buy and sell customer data. The real barrier, though, is philosophical.
“Our default is not to regulate, especially in the information sector,” said Ryan Calo, an assistant law professor at the University of Washington. “We’re more comfortable having companies decide how they’ll address privacy issues.”
That may be, but, as with gun control, you have to wonder how many unfortunate incidents it will take before we decide that maybe some stricter regulation can be in the best interest of society.
Since 2005, according to San Diego’s Privacy Rights Clearinghouse, more than 895 million consumer records have been put at risk by nearly 4,700 known data breaches.
“I always wonder why numbers like those don’t prompt companies to at least encrypt their data,” said Beth Givens, executive director of the advocacy group. “Most records are still unencrypted.”
Companies don’t encrypt for two reasons: because it’s more expensive and because they don’t have to. Simple as that.
Europe’s nailed it: People have a right to privacy and businesses must honor that right.
That, however, is not the American way.