Why Europe's GDPR magic will never work in the US

Even the tech giants recognise the economic benefits of an American version of GDPR. But any US version of GDPR would, in practice, be something of a GDPR-lite.

The internet has been with us for a quarter of a century, but the US has still not passed a law requiring its companies to abide by meaningful data-privacy protections. This matters because most of the western world’s big technology companies are American. In 2020, America’s privacy bill will finally be settled.

In May 2018, the EU’s General Data Protection Regulation (GDPR) took effect, and it is already transforming American privacy law and practice. GDPR is a comprehensive set of regulations, and its extensive requirements are becoming a global market norm. In practice, if you want to do international business in personal data, you have to follow at least the spirit of GDPR, even in the US.

State legislatures have taken the initiative and called Congress’s hand on privacy, even if Congress hasn’t updated its approach to privacy in years. Influenced by the GDPR, states have started to pass their own data protection statutes, such as the new California Consumer Protection Act. And now, after years of opposition to regulation, big technology companies have started to call for a baseline US privacy law that everyone abides by. Congress now finds itself sandwiched between bottom-up momentum from the states, and sideways influence from the EU. In 2020 it will be forced to make a choice.

While the GDPR and the US states’ proposals differ in important ways, each more or less requires transparency and accountability from companies and control for data subjects. But any version of the GDPR that is likely to pass Congress is also likely to be significantly watered down, and look more like the existing US model of notice (reading the privacy policy) and choice (opting out of Facebook and Google).

European-style data-protection rules have undeniable virtues, but they won’t be enough. The GDPR assumes data processing is always a worthy goal, but even fairly processed data can lead to oppression and abuse. Data-protection rules can also be short-sighted because they ignore how industry’s appetite for data is wrecking our environment, our democracy, our attention spans and our emotional health. Even if GDPR-style data protection were sufficient, the US is too different from Europe to implement and enforce such a framework effectively on those terms. Any US version of GDPR would, in practice, be something of a GDPR-lite.

Data-protection regulation is not the only option, however. Congress could instead take a harder look at the big technology companies’ monopoly powers, for example. It could look at the huge power differences between these companies and their customers. And it could use a privacy law to articulate a broader vision of human wellbeing that proactively responds to the challenges of the information age – though realistically this last option is unlikely to end up on the statute books.

What is certain though is that the US can’t wait for ever. This year, comprehensive privacy laws will be implemented in the US. And the form they take will have consequences for data privacy across the globe.

Woodrow Hartzog is professor of Law and Computer Science at Northeastern University. Neil Richards is professor of Law and director of the Cordell Institute at Washington University in St. Louis.

This article was originally published by WIRED UK