Computers, Privacy & the Constitution

Is electronic privacy under-regulated in the U.S.?

-- By SophieLange - 26 Feb 2012


Last week President Obama outlined a “consumer privacy bill of rights” and explained that “American Consumers can't wait any longer for clear rules […] that ensure their personal information is safe online".(1) To that end, the [Commerce Department’s National Telecommunications and Information] Administration seeks to work with Congress to enact comprehensive privacy legislation based on these rights. This would mean a departure from the traditional U.S. approach to rely largely on self-regulation and a rapprochement to the E.U. that enacted and constantly revised comprehensive privacy legislation.

European Comprehensive Legislation vs. American Self-regulation

In the E.U. personal privacy is considered a fundamental human right(2), similar to the freedom of speech in the U.S. The ability to control the dissemination of one’s personal data is considered an aspect of human dignity.(3) To that end, Directive 95/46/46 (“Data Protection Directive”) significantly limits the collection, use, dissemination and retention of personally identifiable information.(4) In contrast, in the U.S. data privacy is considered as similar to a property right that can be traded for other rights and privileges.(5) However, although the U.S. Constitution “does not explicitly mention any right of privacy”(6) U.S. courts recognized an unenumerated “right to privacy”.(7) Nevertheless, the U.S. did not adopt comprehensive electronic privacy laws that mandate broadly applicable uniform standards for the collection, use and dissemination of personal data.(8) The U.S. legal framework is composed of a mixture of common-law, federal and state statutory law.(9) Existing legislation provides for protection against unwarranted government intrusion into personal privacy (e.g. the Privacy Act of 1974) and some sectoral standards of protection in specific areas or industries (e.g. the Children’s On-line Privacy Protection Act of 1998).(10) However, since Americans, in general, are more afraid of government intrusions into their personal affairs, and less of similar behavior by private actors, the private sector remains largely unregulated.(11)

Understanding the Clash of Values

The vast differences between these two legal frameworks are to great extent attributable to different cultural values that mandate different approaches to the tension between the objectives of efficiency and privacy. If privacy regulations are too burdensome they will chill the convenience, speed and popularity of electronic transactions.(12) For instance, were online entities prohibited from retaining personal data e-mail service providers would not be allowed to save login information.(13) This would deter customers from using online services. As a consequence, Congress has been reluctant to regulate the Internet to avoid undermining its growth.(14) However, without any guarantee of privacy consumers will be reluctant to engage in electronic transactions.(15) Thus, paucity of privacy protection will decrease the efficiency of electronic transactions.(16)

The strict regulations in the E.U. attribute to the fact that Europeans value the protection of their privacy over efficiency(17) for “[European customers] need more than credit. They need dignity.”(18) However, this does not mandate the same level of protection in the U.S.(19) Americans do value privacy, however not as much as they value economic efficiency.(20) However, U.S. data privacy is under-regulated if an increase in electronic privacy protections would at the same time increase economic efficiency.(21)

Not a winnable argument. No business will agree that any outcome is efficient in which it loses money. In practice, the parties' effective political power determines outcomes. And in the arena of federal politics, anyone trying to stop something is inherently stronger than anyone trying to make something happen. The clash of values turns out to be little more than a clash of interests.

Efficiency and the failure of the free market approach

U.S. legislators deferred electronic privacy to the free market proclaiming that consumers will dictate the appropriate level of privacy protection.(22) This approach ignores that, due to the nature of electronic transactions, consumers are unable to “vote with their dollars” for more privacy protection,(23) because once personal data is disclosed it is virtually irretrievable.(24) While consumers who are dissatisfied with a product can refrain from buying from the same seller again or can warn others from doing business with that seller, such an option is unavailable in most typical electronic transactions. Due to information asymmetries in cyberspace customers usually have no means to find out who used their personal data in which way.(25) Even if users were able to match actions with offending websites they have no means to retrieve their information, for personally identifiable information is often purchased anonymously, from all over the world and can be resold multiple times.(26) Moreover, consumers face a collective action problem. That is, it is difficult for consumers to collectively bargain for increased privacy protections due to difficulties in identifying other like-minded customers and a lack of repeat play.(27) Also, consumers who had bad Internet experiences might be deterred from trying out new websites who have not yet established a reputation of solid privacy protection and new websites are not able to effectively fight this signaling problem.(28)

In addition, there is a “consent fallacy” as the privacy practices of many websites lack voluntary or informed consent.(29) Many services are only available subject to consent to a websites privacy policy affording consumers no other choice but to give up their privacy if they want to use certain services. Moreover, consumers are often misinformed about actual business practices and have a false sense of security about their online privacy.(30) For instance, many consumers falsely believe that a company’s privacy policy prohibited it from sharing their addresses with affiliated companies or from using information to analyze an individual’s online activities.(31) Also, privacy policies are often so intransparent and difficult to understand that consumers often do not know what they are consenting to.

In the United States and China, the State and private market parties are overwhelmingly aligned in favor of a completely surveilled Net, in which government has a "robust social graph" of its society and can acquire any third-party data they need on convenient terms. The European States feel that way about the Net within their borders, and their privacy charade, which is directed against the private market data miners, assumes always a complete hole in the net of "human right to privacy" when the State wants to listen in.

There are no public parties actually interested in a Net that privileges the privacy of individual lives over both the interests of the commercial intermediaries and those of the State. Everywhere at least one and usually both of those interests has identified its future with the exhaustive data-mining of civil society. Whether that is thought of as "fueling private market innovation" or "maintaining social order," it is the enemy of human freedom.


The Commerce Department’s National Telecommunications and Information Administration believes that “as a world leader in the Internet marketplace, […] the U.S. has a special responsibility to develop privacy practices that meet global standards and establish effective online consumer protection.“(32) As consumers require a base level of privacy before they will engage in electronic transactions, “consumer trust is essential for the continued growth of the digital economy".(33) Since consumers are not effectively able to dictate that level of privacy protection, a lack of consumer trust will deter electronic transactions. As a consequence, the adoption of broadly applicable privacy laws that require at least notice and/or consent before collecting personal data would yield a net increase in consumer welfare while commercial entities would benefit from a reassured marketplace subject to uniform and predictable standards.

If the Europeans agreed to "harmonize" all European data privacy legislation, so that "the cloud" could zip all European data around the world all the time without any friction, the US Administation would be delighted to support legislation based on its current policy announcement. Republicans will run on demanding what the put in CISPA: complete impunity for the intelligence and security services (which is also in the WH policy due to its extensive carve-outs), and complete immunity for all private market entities assisting "in good faith" warrantless data-mining of the entire US population. Either way, "the cloud" will make Microsoft, IBM, Oracle and the other North American vendors masters of all the European data, the US will offer something that is great for both the Director of National Intelligence and Google. This eventual US fig leaf will look—minus Google and FB, which will remain ours—so much like all the European fig leaves, covering State data-mining and complicity with the North American data-miners, that there will hardly be anything left to argue about anymore, and we'll have to find another clash of cultures at the bottom of something.

Or we could decide to fix the Net for ourselves. And bring the cases necessary as we go.

(999 words)

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.


1 :;

2 : Julia M. Fromholz, Data Privacy: The European Union Data Privacy Directive, 15 Berkeley Tech. L.J. 461, 462 (2000); Council Directive 95/46/EC, 1995 O.J. (L281) 31, Preamble (2), (10), (11).

3 : James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty, 113 Yale L.J. 1151, 1192-94 (2004); Convention for the Protection of Human Rights and Fundamental Freedoms, Nov. 4, 1950, Eur. Ct. H.R., available at (last visited Feb. 12, 2011); Kevin Bloss, Raising or Razing the e-Curtain?: The E.U. Directive on the Protection of Personal Data, 9 Minn. J. Global Trade 645, 650 (2000).

4 : Council Directive 95/46/EC, at Preamble (2), (4) availatble at

5 : Gail Lasprogata et al., Regulation of Electronic Employee Monitoring: Identifying Fundamental Principle of Employee Privacy through a Comparative Study of Data Privacy Legislation in the European Union, United States and Canada, 2004 Stan. Tech. L. Rev. 4, 6 (2004).

6 : Roe v. Wade, 410 U.S. 113, 151 (1973).

7 : Unenumerated Rights, West's Encyclopedia of American Law, http:// (last visited Nov. 23, 2008).

8 : Jake Spratt, An Economic Argument for Electronic Privacy, 6 I/S: J. L. & Pol'y for Info. Soc'y 513, 515; Julia M. Fromholz, supra at 471.

9 : Bob Sullivan, Privacy Lost: E.U., U.S. Laws Differ Greatly, (Oct. 19, 2006),

10 : Jake Spratt supra at 526-530.

11 : James Q. Whitman supra at 1161-63; Avner Levin & Mary Jo Nicholson, Privacy Law in the United States, the E.U. and Canada: The Allure of the Middle Ground, 2 Ottawa L. & Tech. J. 357, 359 (2005).

12 : Corey Ciocchetti, Just Click Submit: The Collection, Dissemination, and Tagging of Personally Identifying Information, 10 Vand. J. Ent. & Tech. L. 553, 565 (2008); Jake Spratt supra at 537.

13 : Jake Spratt supra at 541.

14 : Tim Wafa, Global Internet Privacy Rights: A Pragmatic Approach, 13 Intell. Prop. L. Bull. 131, 143 (2009).

15 : Jake Spratt supra at 536.

16 : Id. at 541.

17 : Id. at 544.

18 : James Q. Whitman supra at 1192.

19 , 20 : Jake Spratt supra at 544.

21 , 31 : Id.

22 : Julia M. Fromholz supra at 479-484.

23 : Jake Spratt supra at 547-48.

24 : Jake Spratt supra at 544.; Corey Ciocchetti supra at 580.

25 : Jake Spratt supra at 544.; Corey Ciocchetti supra at 580; Ira S. Rubinstein, Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes, 6 I/S: J. L. & Pol'y for Info. Soc'y 355, 363; Jerry Kang, Information Privacy in Cyberspace Transactions, 50 Stan. L.Rev. 1193, 1253 (1998).

26 : Jake Spratt supra at 547-48; Corey Ciocchetti supra at 580.

27 : Jerry Kang supra at 1254-56 (1998); Ira S. Rubinstein supra at 363.

28 : Jake Spratt supra at 549.

29 : Paul M. Schwartz, Internet Privacy and the State, 32 Conn. L. Rev. 815, 833 (2000); Ira S. Rubinstein supra at 363.

30 : Jaikumar Vijayan, Most Consumers Clueless About Online Tracking, (Nov. 2, 2007),,139212-pg,1/article.html; Tim Wafa supra at 137.

32 :

33 :


Webs Webs

r3 - 11 Jan 2013 - 21:48:55 - IanSullivan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM