Yesterday’s NYT article on US/EU consumer data protection, interviewing Commissioner Viviane Reding, has sparked interesting comment and debate, so – with thanks to @omertene for the link – and since the US and the Eurozone at least share a currency unit, here’s my 2 cents:
Richard Thomas (former Information Commissioner in the UK) described the trans-Atlantic privacy perspective as being based on feelings of “suspicion, ignorance and superiority”… before clarifying, of course, that this was true regardless of which side you started from. However, even if the feelings are similar and mutual, the reasons which underlie them are frequently asymmetric, occasionally fundamental, and possibly in some cases irreconcilable. And if you think that’s a sweeping generalisation, let me warn you that there are more to come – shot through with my opinions and questionable inferences, yes, but mostly with some basis in experience, if not objective fact.
I want to look at two main areas: the role of “rights” in privacy regulation, and the role of commercial interest.
The role of privacy
At its core, the EU’s privacy regime is based on the concept of a fundamental right to the preservation and integrity of privacy – or, as linguistic differences sometimes oblige us to put it – the quiet enjoyment of private and family life, or respect for the ‘private sphere’. The EU’s assertion that privacy is a ‘fundamental right’ often provokes a reaction of some mistrust in US counterparts I’ve spoken to. In their view there’s something suspiciously… well, socialist about it, frankly. It’s a gut feeling of unease, more than anything else; a instinct that this insistence on “rights” is a bit hippy, and rather too likely to lead to people abjuring all kinds of responsibilities too.
The corresponding EU perspective is often to be rather offended by this disparaging view of “rights” – after all, aren’t they a rather noble social aspiration? A sign of civilised progress up Maslow’s hierarchy and away from the base instincts of the market?
And here’s one of the fundamental splits. The EU, for its part, does place a lot of faith in “rights” as the basis for laws that have to apply across a diverse set of cultures, legal traditions and social norms. The US – at least from an EU perspective – puts its faith in the market and in the ability of everyman to sue. Right or wrong, the impression is that in the EU, your right to redress arises out of violation of a right, whereas in the US it arises out of a tort.
The primacy of commerce
There is also a trans-Atlantic tension over how much privilege to give to commercial interests. Again, at risk of sweeping generalisation, here are the two high-level perspectives: the EU views the US approach as prepared to write off almost any privacy-related behaviour, provided it stimulates economic activity. Commercial interest trumps all, and the use of personal data for commercial ends is, in principle, a Good Thing. This is reflected in various characterisations of personal data as a monetisable commodity, or even “the new oil”.
The idea that the commercial value of personal data is its only relevant value, though, generates unease in the European psyche. In particular, it underlies their mistrust of ‘voluntary codes of conduct’ as the sole or principal constraints on privacy-related commercial activity. Commercial data processors, they argue, simply have too many irresistible incentives to ignore such self-regulation. If the only risk arising from commercial data exploitation falls on the data subject, then only regulation can keep data processors honest: market forces won’t do the job.
Conversely, US counterparts often see the EU as insisting too much on principle, whether or not it does any good – and with the implication that it often does harm. In particular, attempts to constrain commercial data use through privacy principles are seen as a brake on innovation and thus on economic activity. There are two European ripostes to this argument:
First, they may say, regulatory constraints do not prevent the exercise of commercial innovation – indeed, ingenuity thrives on constraint, and can be relied on to find its way round obstacles in pursuit of a commercial goal.
Second, the correct way to regulate innovation is to define, pre-emptively, the principles it must respect, and then let it run. Waiting until after the event and then relying on the courts to put the privacy toothpaste back in the tube is, in this hyper-connected age, to take irresponsible liberties with the interests of the individual and consumer.
The US counter-blast is that economic activity is the interest of the individual and consumer, and that fine and fancy privacy constraints are an unaffordable luxury if your economy just isn’t cutting it in the global market.
Again, I suspect this is an EU-US fissure that runs deep and can be bridged or papered over, but probably not closed.
In the interests of (relative) brevity, I have not touched on a couple of other significant areas: (i) the “homogeneity” of EU privacy regulation, and why that is often over-stated; (ii) the implications of relying on “harm” as a metric for privacy redress. The hope is that this post will be the first in a short series, and that we will also get informed comment from US, Continental European and Asia-Pacific contributors… And with that, over to you…