Why Such Lack of Coherence Between U.S. and EU Data Privacy Law?

By: Gregory Voss, Associate Professor, TBS Business School (Toulouse, France)

In the forthcoming Fall 2019 Issue of the University of Illinois Journal of Law, Technology & Policy (JLTP), my article “Obstacles to Transatlantic Harmonization of Data Privacy Law in Context” will appear. (A pre-print of the article is available at https://ssrn.com/abstract=3446833.) Not only will this article serve as an introduction to privacy and data protection issues, it will also help readers understand the paradoxical divergence between U.S. and EU Data Privacy Law, after a common set of principles (known as the FIPPs) defined early legislation.

At this juncture, this study is important for a few reasons. First, the European Union’s newly applicable General Data Protection Regulation (GDPR) has extraterritorial effect—even businesses with no establishment in Europe may be required to respect the GDPR in connection with the processing of personal data of EU residents, if such processing is in connection with the offer of goods or services (whether for pay or in exchange for personal data) to such EU residents, or if monitoring of such EU residents’ behavior within the European Union is engaged in, such as in connection with behavioral marketing. In this context, companies are struggling with issues of compliance and the dilemma of either treating U.S. customers’ information with fewer protections than those of their EU residents, as the U.S. data privacy laws are patchy, or applying the higher standard worldwide. As globalization would tend to require harmonized legal standards, they could hope for the same through the ongoing U.S. discussions of new federal privacy legislation. However, this article will help them understand why they are unlikely to obtain harmonized legal standards, and will also point to this divergence as the reason for which U.S. privacy standards are not considered adequate by Europeans, which leads to the requirement that certain firms must sign on to the Privacy Shield framework, negotiated between the European Union and the United States, in order to receive cross-border transfers of personal data of EU residents (for example, in connection with the provision of cloud or other processing services).

Secondly, in connection with such discussions in the United States, this article focuses on the reasons for divergence, which could to a certain extent be addressed by the legislature in a new legislative text. While it is unlikely that full harmonization could occur, arguably that is not required for a legal system to be found to provide adequate protection for data by the European Union, thus allowing for cross-border data transfers without a Privacy Shield framework. However, U.S. mass surveillance might prevent any such adequacy finding. Furthermore, while lobbying is discussed in a negative sense in this article, companies could choose to support harmonized laws, thereby easing compliance, through corporate political activity in support of legislation like the GDPR.

After discussing the value of harmonized data privacy laws in a globalized economy, where the current U.S. piecemeal legislation makes it an “outlier,” this article goes to the origins of data privacy law in the 1970s and the underlying FIPPs developed between the United States and Europe. Then three major obstacles to transatlantic harmonization of data privacy law are posited and detailed. These are: laissez-faire policy and neoliberalism in the United States, the lobbying power of the U.S. technology industry giants in a conducive U.S. legislative system, and differing constitutional provisions on one side and the other of the Atlantic. The first of these obstacles could be a subject for the debates between the potential candidates for the 2020 U.S. presidential elections; the second, which involves advertising-dependent technology companies ensuring their future great prosperity, could be the subject of counter efforts by civil society groups and privacy-responsible companies, if legislators have the true will to reform U.S. data privacy law. The last of these obstacles is related to differing legal cultures and may be the most difficult to counter. In any event, I think that the most that may be achieved in the United States, given these obstacles, is what some academics have referred to as a “GDPR-lite,” despite the optimism of other writers. However, one area for improvement is the creation of a true independent data privacy protection agency (DPA), unlike the current U.S. de facto DPA—the Federal Trade Commission—which even its supporters agree needs reform.

The pre-print of this article was cited by EU tech policy journalist Jennifer Baker in a CPO Magazine article.[1] Baker (@BrusselsGeek) tweeted that it was a “Great paper. I read it with interest and recommend it to anyone covering this area! 🙂”[2] My hope is that you will read it, too, and that it will give you matter for thought and perhaps action.

My thanks go out to the JLTP editors, members and staff for making this blog post possible and for their assistance during the editing process of my article.

[1] Jennifer Baker, Groundhog Day for Privacy Shield Review, CPO Magazine (Sept. 24, 2019), https://www.cpomagazine.com/data-protection/groundhog-day-for-privacy-shield-review/.

[2] Jennifer Baker (@BrusselsGeek), Twitter (1:35 AM Sept. 25, 2019), https://twitter.com/BrusselsGeek/status/1176777340803846145.