Last week on his personal blog, Peter Fleischer, Global Privacy Counsel for Google, posted an interesting essay entitled “We Need a Better, Simpler Narrative of US Privacy Laws.” Fleischer says that Europe has done a better job marketing its privacy regime to the world than the United States and argues that “The US has to figure out how to explain its privacy laws on the global stage” since “Europe is convincing many countries around the world to implement privacy laws that follow the European model.” He notes that “in the last year alone, a dozen countries in Latin America and Asia have adopted euro-style privacy laws [while] not a single country, anywhere, has followed the US model.” Fleischer argues that this has ramifications for long-term trade policy and global Internet regulation more generally.
I found this essay very interesting because I deal with some of these issues in my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing” (Harvard Journal of Law & Public Policy, vol. 36, no. 2, Spring 2013). In the article, I suggest that the U.S. does have a unique privacy regime and it is one that is very similar in character to the regime that governs online child safety issues. Whether we are talking about online safety or digital privacy, the defining characteristics of the U.S. regime are that it is bottom-up, evolutionary, education-based, empowerment-focused, and resiliency-centered. It focuses on responding to safety and privacy harms after exhausting other alternatives, including market responses and the evolution of societal norms.
The EU regime, by contrast, is more top-down in character and takes a more static, inflexible view of privacy rights. It tries to impose a one-size-fits-all model on a diverse citizenry and it attempts to do so through heavy-handed data directives and ongoing “agency threats.” It is a regime that makes more sweeping pronouncements about rights and harms and generally recommends a “precautionary principle” approach to technological change in which digital innovation is more “permissioned.”
Put simply, the U.S. regime is reactive in character while the E.U. regime is more preemptive. The U.S. system focuses on responding to safety and privacy problems using a more diverse toolbox of solutions, some of which are governmental in character while others are based on evolving social and market norms and responses. To be clear, law does enter the picture here in the U.S., but it does so in a very different way than it does in the E.U. Fleischer actually explains that point quite nicely in his essay:
[W]hat is the US model? People in the privacy profession know that the US has a dense “patchwork” model of privacy laws: every individual US State has numerous privacy laws, the Federal government has numerous sectoral laws, and numerous other “non-privacy” laws, like consumer protection laws, are regularly invoked in privacy matters. Regulators in many corners of government, ranging from State attorneys general, to the Federal Trade Commission, and armies of class action lawyers inspect every privacy issue for possible actions.
Indeed, in my new law review article, I summarize the litany of cases the FTC has brought recently on the data security and privacy front using its authority under Section 5 of the Federal Trade Commission Act to police “unfair and deceptive” practices. State AGs are active on this front as well, and there is plenty of class action activity every time there’s a privacy or data security screw-up.
Meanwhile, public officials continue to work collaboratively with privacy advocates, corporations, and educators to develop better education and awareness-building efforts, including “best practices” on safety, security, and privacy issues.
For more details on this U.S. model, please consult pages 436-454 of my article, in which I provide a comprehensive overview of what I refer to as America’s “3-E Approach” to dealing with online safety and digital privacy concerns. The “3-Es” refer to education, empowerment, and targeted enforcement of existing legal standards. As I note in the article:
[America’s “3-E Approach”] does not imagine it is possible to craft a single, universal solution to online safety or privacy concerns. It aims instead to create a flexible framework that can help individuals cope with a world of rapidly evolving technological change and constantly shifting social and market norms as they pertain to information sharing.
But what frustrates Fleischer is that the U.S. model still doesn’t translate into a simple narrative for international audiences:
How on earth do you explain US privacy laws to an international audience? How do you explain the role of class action litigation to people in countries where it doesn’t even exist? The US privacy law narrative is convoluted. That’s a pity, since almost all of the global privacy professionals with whom I’ve discussed this issue agree with me that the sum of all the individual parts of US privacy laws amounts to a robust legal framework to protect privacy. (I didn’t say “perfect”, since laws never are, and I’m not grading them either.)
By contrast, Europe’s privacy narrative is simple and appealing. Its laws are very general, aspirational, horizontal and concise. Critics could say they’re also inevitably vague, as any high-level law would have to be. But, like the US Bill of Rights, they have a sort of simple and profound universality that has inspired people around the world. And they are enforced (at least, on paper) by a single, identifiable, specialist regulator.
I understand the frustration Fleischer is expressing here regarding how to frame the U.S. model for broader audiences. But the crucial point here is that, as he correctly notes, “the sum of all the individual parts of US privacy laws amounts to a robust legal framework to protect privacy,” even if it is the case that we will never achieve anything near perfection when it comes to online privacy (or online safety for that matter). But it is unfortunate that Fleischer ignores the many other moving pieces at work here that are important to the U.S. system, especially the diverse array of educational and awareness-building efforts as well as the astonishing array of empowerment tools that currently exist to help users protect their privacy to the degree they desire.
Of course, it should also be obvious that the U.S. regime is never going to appeal to a global audience as much as Europe’s privacy regime for the same reason that many other U.S. policy regimes don’t appeal to certain countries or their leaders: Our systems aren’t regulatory enough in character for them! But while those top-down, centralized, preemptive regulatory regimes will almost always be more “aspirational, horizontal and concise” — and, therefore, have greater appeal to activist-minded lawmakers and regulators — that also means those regimes will likely leave less breathing room for social evolution (i.e., evolving norms about safety and privacy) and economic innovation (new digital goods and services that potentially disrupt those regulatory expectations). That has real consequences for long-term growth and overall consumer welfare.
This is a model worth defending, even if it is sometimes hard to delineate its contours. Please read my HJLPP article for a fuller exploration of that model and a defense of it.