Law in the Internet Society
Maya Uchima
What to Learn From the European Union’s Recent Reforms on Data Privacy

The Privacy Infringement Problem in the US

It has become more and more apparent in today’s society that the concept of privacy has been eroded, redefined, and curtailed as the power of corporations has dominated. Consumers must actively and aggressively opt out of having private information logged and stored by websites. Oftentimes, consumers are not given the option to prevent companies from collecting data from them. For example, EPIC’s lawsuit against Google alleges that Google has been tracking in-store purchases by gathering information from credit card transactions and using that data to target ads specific to each consumer. Not only can purchases (on and offline) reveal one’s tastes and interests, but searches on the internet or viewing trends logged by a cable box can provide valuable data that can be used in profitable marketing strategies. There is an argument that these targeted ads serve only to make life easier, more convenient, and tailored. Nevertheless, with no choice given to the consumer, the discomfort one feels due to the ruthless invasion of private life far outweighs the possible benefit of finding out about a sale at a preferred shoe store. It feels like the fight for privacy has succumbed to the allure of a blind trust in these mega corporations.

Insufficient Protections

The US is not without any protections for the consumer. The Fourth Amendment outlines broadly the right against unreasonable searches and seizures. This sets the foundation for arguing for the consumer’s right to protect his data and his online choices. There also exist the Wiretap Laws, the Electronic Communications Privacy Act, and most importantly, the FTC Act of 1914, which seeks to protect consumers from unfair or unreasonable business practices. The FTC is granted the power to pursue a corporation for questionable behavior, but unless the FTC deems the behavior worthy of an investigation, the private consumer is left with scant recourse. Other regulations tend to be too specific, such as a regulation on just medical data disclosure or just financial data protection. So what can the US do to begin providing more coverage for the consumer?

Possible Pointers in the EU

The EU’s recent policies may shed some light on possible next steps. Regulation 679 (2016), also known as GDPR, will go into effect across the member states of the EU (including the UK) in May 2018. It hopes to strengthen supervision and protection of consumer data. These new policies apply to both “controllers” and “processors” of data who work in conjunction to carry out any activity concerning the usage of personal data. The regulation sets out higher punishments if there is a breach and increased legal compliance requirements, including keeping stricter activity logs. It also defines “personal data” more broadly, now including IP addresses, where before it only recognized personally identifiable information (names, social security, etc.). The EU also issued Directive 680 (2016), the Law Enforcement Directive, last year. Directives, although not treated as immediate and binding legislation as regulations are, act as general guidelines for member states, which in turn create internal policies to fall into compliance with the overarching goal of the directive. Directive 680 states that data can only be used in the process of preventing or investigating crimes and proceeds to define the limitations and scope of what constitutes a crime more clearly. Administrative agencies will provide independent supervision over law enforcement actions and certain remedies will be made available for the infringement of privacy if it is breached unfairly or disproportionately.

Not a Perfect System

The EU’s continued interest in protecting consumers stems most likely from a stronger belief that privacy is a fundamental human right, a value not quite shared yet in the US. There have been many theories for why Europeans in general tend to want to shield their private lives more so than citizens in the US. One of the most dominant theories states that the trauma of the Holocaust, when Nazi officials would use school and bank records to find the names and addresses of Jewish people in the area, has strengthened the necessity of protections for personal information. However, the EU system is not perfect. Their policies work mainly because of a heightened sense of trust among citizens in their individual member states’ governments. The US government has struggled with its citizens to maintain a semblance of respect for privacy, and with the revelation in 2013 that PRISM was being used by the NSA to monitor and track the data from internet transactions, the people’s distrust of the government has skyrocketed. To call for US citizens to all of a sudden embrace government regulation and surveillance as guardians of their data against corporations would be too large a gap to bridge, and would, in fact, lead to many other problems, as the government and its subsidiaries have proven to be a dubious and mysterious entity when it comes to maintaining boundaries with its citizens. The key takeaway from the EU reforms would be the shift in mentality towards viewing privacy as a fundamental right to be protected at all costs. The EU has instituted independent bodies to oversee the uses of data and has ensured steep remedies for breaches. These steps will not end the problems with private data infringement, but may begin the deterring process.

I take the point of the draft to be that the GDPR is useful and important. Because you don't actually summarize, discuss, or mention any of the reasons why one might instead believe that the GDPR is an enormous irrelevancy, it's hard to know whether you are right.

I find it difficult to believe that support for GDPR hinges on whether one thinks that privacy is a human right, because I believe rather firmly in privacy as a human right and I think the GDPR is a grotesque absurdity of no value in supporting human rights of any kind whatever. I don't think very convincing a hypothesis that I don't care about the GDPR because I don't care enough about the Holocaust; I think I care about the Holocaust rather more than plenty. I don't think it is possible to give a good account of US skepticism about the GDPR and other similar legislation without mentioning the First Amendment, which you don't.

From my point of view, the best way to improve the draft is to put your ideas in contact with the ideas of those who disagree. I think explaining how you meet objections---whether on the basis of fundamental balancing of freedom of thought and expression against the data control aspect of the privacy rights of persons; or theoretical criticism of the idea of data control as a meaningful part of the privacy paradigm instead of secrecy, anonymity and autonomy; or implementation concerns about the effort to use the location of the data subject as a basis for environmental regulation---will help you to clarify your own ideas and sharpen their expression. This draft is the sound of one hand clapping not very loudly, because there is no dialogue in which it participates.



r2 - 04 Dec 2017 - 17:45:26 - EbenMoglen