America needs an internet privacy bill. However, Congressional inaction or even its best intentions could lead to an Americanized version of Europe’s General Data Protection Regulation (GDPR), a move that would be insufficient and ineffective, argues a leading privacy law expert at Washington University in St. Louis.
In “Privacy’s Constitutional Moment and the Limits of Data Protection,” a paper forthcoming in the Boston College Law Review, Neil Richards, the Koch Distinguished Professor of Law in the School of Law and director of the Cordell Institute for Policy in Medicine & Law, argues that in the U.S., a data protection model similar to GDPR can’t do it all for privacy and a more comprehensive approach is necessary.
The paper is co-authored with Woodrow Hartzog, professor of law and computer science at Northeastern University and a Cordell Institute Fellow.
The GDPR, which has been in effect since May 2018, is a regulation that requires businesses to protect the personal data and privacy of European Union citizens for transactions that occur within EU member states. It requires companies to process personal data only in accordance with European law, including requiring meaningful consent to processing and that companies have a legitimate interest in processing the data.
“We have reached a point in American history where comprehensive privacy regulation is essential,” Richards said. “But since the dawn of the internet, Congress has repeatedly failed to build a robust identity for American privacy law.”
California has passed the California Consumer Privacy Act, similar in scope to aspects of the GDPR in Europe. These frameworks, Richards said, have industry clamoring for a “U.S. GDPR.” Yet for all of its virtues, any version of the GDPR passed by Congress is likely to be watered-down, becoming that Richards and Hartzog call a “GDPR-lite.”
“States seemed poised to blanket the country with Fair Information Processing (FIP)-based laws if Congress fails to act on a national level,” Richards said. “However, there are a number of risks if we move forward with a watered-down version of the European model.”
In their paper, Richards and Hartzog argue that while European-style data protection rules have undeniable virtues, they won’t be enough.
“The FIPs assume data processing is always a worthy goal, but even fairly processed data can lead to oppression and abuse,” the authors wrote. “Data protection is also myopic because it ignores how industry’s appetite for data is wrecking our environment, our democracy, our attention spans, and our emotional health. Even if E.U.-style data protection were sufficient, the United States is too different from Europe to implement and enforce such a framework effectively on its European law terms.
“The advent of the constitutional moment means that right now the window is open for Congress to claim its identity. But it won’t be open for much longer. We argue that a comprehensive model is the best path forward,” they wrote.
The model Richards and Hartzog propose would include fundamental elements of data protection, such as default prohibitions on data processing and data subject rights, but it would not purely be defined by the limited data protection model. It would include substantive protections for consumers in the digital age, including making certain kinds of information collection and use illegal and imposing substantive duties to build and keep trust.
“What we are arguing for is not as refined as the GDPR, and less workable with other countries,” Richards said. “But it does respond to problems with tools that American lawmakers, regulators and courts have regularly used.
“We need to protect people as well.”