Why Such Lack of Coherence Between US and EU Data Privacy Law?

By: Gregory Voss, Associate Professor, TBS Education (Toulouse, France)

This piece originally appeared in the blog of the University of Illinois Journal of Law, Technology & Policy (JLTP). The original blog post can be found here.

My article “Obstacles to Transatlantic Harmonization of Data Privacy Law in Context” will appear in the forthcoming Fall 2019 Issue of the University of Illinois Journal of Law, Technology & Policy (JLTP). A pre-print of the article is available here. Not only will this article serve as an introduction to privacy and data protection issues, it will also help readers to understand the paradoxical divergence between US and EU Data Privacy Law after a common set of principles (known as the FIPPs) defined early legislation.

At this juncture, this study is important for a few reasons. First, the European Union’s newly applicable General Data Protection Regulation (GDPR) has extraterritorial effect (even businesses that are not established in Europe may be required to respect the GDPR in connection with the processing of the personal data of EU residents, if such processing is in connection with the offer of goods or services—whether for pay or in exchange for personal data—to such EU residents, or if monitoring of such EU residents’ behavior within the European Union is engaged in, such as in connection with behavioral marketing). In this context, companies are struggling with issues of compliance and the dilemma of whether to treat US customers’ information with fewer protections than that of their EU counterparts, since the US data privacy laws are patchy, or to apply the stricter standard worldwide. As globalization tends to require harmonized legal standards, they could hope for equality through the ongoing US discussions on new federal privacy legislation. However, this article will help companies to understand why they are unlikely to obtain harmonized legal standards, and will also point to this divergence as the reason why US privacy standards are not considered adequate by Europeans, which leads to the requirement that certain firms must sign on to the Privacy Shield framework, negotiated between the European Union and the United States, in order to receive cross-border transfers of the personal data of EU residents (for example, in connection with the provision of cloud or other processing services).

Secondly, in connection with such discussions in the United States, this article focuses on the reasons for divergence, which could to a certain extent be addressed by the legislature in a new legislative text. While it is unlikely that full harmonization could occur, arguably that is not required for a legal system to be found by the European Union to provide adequate data protection, thus allowing for cross-border data transfers without a Privacy Shield framework. However, US mass surveillance may prevent any such adequacy finding. Furthermore, while lobbying is discussed in a negative sense in this article, companies could choose to support harmonized laws, thereby easing compliance, through corporate political activity in support of legislation like the GDPR.

After an explanation of the interest in harmonized data privacy laws in a globalized economy, where the current US piecemeal legislation makes it an “outlier”, this article goes on to discuss the origins of data privacy law in the 1970s and the underlying FIPPs developed between the United States and Europe. Three major obstacles to transatlantic harmonization of data privacy law are then posited and detailed. These are: laissez-faire policy and neoliberalism in the United States, the lobbying power of the US technology industry giants in a conducive US legislative system, and the differing constitutional provisions on each side of the Atlantic. The first of these obstacles could be a subject for the debates between the potential candidates of the 2020 US presidential elections. The second, which involves advertising-dependent technology companies ensuring their future prosperity, could be the subject of counter efforts by civil society groups and companies responsible for privacy, if legislators truly have the will to reform US data privacy law. The last of these obstacles is related to differing legal cultures and may be the most difficult to counter. Despite the optimism of other writers, I believe that the best that can be achieved in the United States, given these obstacles, is what some academics have referred to as a “GDPR-lite”. However, one area for improvement is the creation of a data privacy protection agency (DPA) that is truly independent, unlike the current de facto DPA in the US—the Federal Trade Commission—which even its supporters agree needs reform.

The pre-print of this article was cited by EU tech policy journalist Jennifer Baker in a CPO Magazine article [1]. Baker (@BrusselsGeek) tweeted that it was a “Great paper. I read it with interest and recommend it to anyone covering this area!”[2] My hope is that you will read it too, and that it will give you food for thought and perhaps action.

My thanks go out to the JLTP editors, members and staff for making this blog post possible and for their assistance during the editing process of my article.

[1] Jennifer Baker, Groundhog Day for Privacy Shield Review, CPO Magazine (Sept. 24, 2019), https://www.cpomagazine.com/data-protection/groundhog-day-for-privacy-shield-review/.

[2] Jennifer Baker (@BrusselsGeek), Twitter (1:35 AM Sept. 25, 2019), https://twitter.com/BrusselsGeek/status/1176777340803846145.

Full article available in open access on line: W. Gregory Voss, « Obstacles to Transatlantic Harmonization of Data Privacy Law in Context”, 2019 University of Illinois Journal of Law, Technology & Policy 405-463 (Issue 2, Fall 2019): http://illinoisjltp.com/journal/wp-content/uploads/2019/11/Voss.pdf 

Tags: business|Data protection|European Union|Law|United States