The General Data Protection Regulation that went into effect in Europe on May 25, 2018, represents a revolution in privacy law. Whether the revolution is a positive one or not is open to debate particularly given how poorly the “GDPR” is drafted and how little privacy advocates seem to understand the regulation. A number of pundits have suggested a similar law could be enacted in the United States.
How likely is such a development?
Hmm…how often do you win the lottery?
Privacy Law Bias
Any post of this type should begin with the author revealing his or her biases. Few do, but I will. I am a lawyer who represents small businesses primarily in the United States. Given this, I don’t view businesses as being evil, even the Facebooks and Googles of the world who can test one’s patience. That being said, even I feel “big data” is a bit out of control and people should be given more insight and choice about how their data is collected and used. I view the GDPR as a vast overreach in this regard and would prefer a middle ground between the no regulations approach in the United States and the government power grab in the EU.
One of the more fascinating aspects of arguing with someone about the GDPR is their apparent belief that the European Union and countries in the EU are pillars of righteousness for privacy. One only has to stroll through a large city in Europe such as London to know this isn’t the case. Which country has more surveillance cameras – North Korea or England?
As of 2015, North Korea was estimated to have 740,000 such cameras.
As of 2013, England has between 4,000,000 and 6,000,000 such cameras – roughly one for every 11 people. [Telegraph Article]
So, apparently, the EU is concerned about specific types of privacy more than others.
EU vs. U.S. – The Privacy Wars
To understand whether a law similar to the GDPR will be enacted in the United States anytime soon, it helps to consider the attitudes towards business held by each group.
Quick. Name a search engine based in the EU?
How about a social media site?
How about any major Internet company based in the EU?
Can’t? Don’t feel bad. None of the top 15 internet companies in the world are based in the EU. The largest such company is probably Odigeo, which is a travel site based in Spain. Does Europe lack entrepreneurs? Of course, not. The Union and countries are just so heavily regulated that innovation is snuffed out. The first move most smart entrepreneurs in the EU make…is to leave the EU for other jurisdictions where business ideas can be pursued without being weighed down in red tape.
Regulations in the United States are a different matter altogether. Innovation is encouraged, and laws are enacted to create a market for growth. For example, the United States has a law that gives websites immunity from defamation claims based on statements made by users about third parties, which provides us with a legal basis for companies such as Yelp to exist. In the EU, sites can be held liable for defamatory comments by users and executives can face prison sentences in some countries. This view is long-standing in the EU with Google executives even found criminally liable in 2010 for the acts of individuals posted in a video uploaded to a Google platform. Google did not make the video. The executives had nothing to do with the video, but they were still convicted.
Put simply, the United States favors and fosters business growth while the EU does neither. There is nothing wrong with the EU position per se, but the attitude of EU bureaucrats in Brussels also explains why a GDPR-like law is unlikely in the United States.
National Privacy Law?
Privacy law on the commercial side is a bit of a joke in the United States. California and a few other states have enacted laws requiring particular disclosures by online companies, but business is left alone to do as it may for the most part on privacy topics. But could this approach change? It is extremely unlikely for many reasons:
1. President Trump – Politics aside, do you think President Trump is going to pass a law bolstering consumer rights and hurting businesses?
2. Republicans In House – Republicans have a stranglehold on the House of Representatives. Even when President Trump leaves office, it is difficult to see how a bill creating a vast privacy regulatory environment for the Internet will get passed. Keep in mind, these are the politicians who feel net neutrality is an excessive regulatory burden.
3. Politicized Privacy – The European Union gives privacy the gravitas of free speech. In the United States, the concept is more controversial as one sees in hotly debated cases such as Roe v. Wade. While many people view Roe as an abortion case, the ruling is actually about privacy. The Supreme Court held that a woman’s right to an abortion fell within the right to privacy of a woman as protected by the Fourteenth Amendment. Pro-life advocates are outraged by this ruling because they feel it creates a right not expressed in the Constitution. Convincing many pro-life politicians to issue a sweeping law defining privacy as a critical right in the form of a GDPR-like law seems a stretch since social advocates would certainly seek to extend the right to other controversial areas.
4. Democrats – Ah, but what if the Democrats eventually take Congress and the White House? Despite our “spirited” politics, the country as a whole remains anti-big government. The majority of Democrats elected in this scenario would hardly be anti-business given the donations such businesses would make to their campaigns. Even with President Obama and a strong presence in Congress, the Democrats never ventured into hot-button online legal debates. There is little reason to see this changing in the foreseeable future.
If ever there was an event that might motivate change, Cambridge Analytica was probably that event. The case involved a company obtaining massive data points for individuals without their consent and then targeting those individuals with political ads during elections. The scandal is far more complicated than this simple summary, and you should read up on it, but the point is the personal information of individuals was harvested through Facebook and used in allegedly devious ways without the consent of those individuals – a perceived privacy violation.
And what happened as a result of the scandal?
Congress required “The Zuck” to appear before it on behalf of Facebook where there was much harrumphing.
Facebook’s stock value dropped 12 percent…which it has since regained.
Many laws were proposed by outraged politicians. A few were even submitted for consideration to Congress.
And all indications are no new laws will be enacted ensuring additional privacy rights to consumers. At best, California appears to be pursuing a possible expanded privacy bill, but enforcement of any resulting act is going to be a wee bit difficult against any companies located outside of California.
For better or for worse, personal privacy is not a point of concern for the majority of individuals in the United States. Whereas the idea of a being wiretapped outraged Americans in the 1970s and 1980s, many people now have devices such as Alexa in their homes that record everything said without the inhabitants expressing any concern whatsoever.
Whatever your thoughts on the GDPR, the regulation is purely a European beast.
It ain’t coming to the United States.
It just ain’t.
…and this is why I don’t play the lottery. In fact, we are likely to see a national privacy law in the next few years. The passage of the California Consumer Privacy Act is leading to massive upheaval in the United States. Every state seems to be in the process of creating a privacy law – all with different requirements. A national privacy law in the only answer to avoid complete chaos on the topic. Expect one in late 2019 or 2020.
Richard A. Chapo, Esq.