“You Just Don’t Understand”: The Current EU–U.S. Privacy Battles
For someone who has received his legal education in both the EU and the U.S., and has long worked in both worlds, the current political skirmishes between the two concerning the proposed EU data protection reform have been both entertaining and disappointing. Entertaining, since observing the two largest political and economic entities in Western world engage in a game of one-upmanship over which has the best system for privacy and data protection can often be amusing. Disappointing, because it is obvious that each side has an imperfect understanding of each other’s system, and because the energy they have been putting into such tit-for-tat battles could be better spent trying to reach an accommodation between them.
Among the highlights of these battles reported in the press have been a statement by a European NGO that the lobbying over the reform is the most intense ever seen in Brussels or even Washington and a veiled threat by a U.S. government representative that the reform could lead to a trade war. One wonders under what metric anyone could compare the intensity of current lobbying with other controversial legislative initiatives in Brussels and Washington over the past few decades, and what constructive purpose is served by threatening a trade war at the time of the greatest economic crisis since World War II.
The root of these problems is that, despite statements by the EU and the U.S. about how much they want to work together, neither of them actually understands the other’s system of privacy and data protection. The EU system is based on fundamental rights protections and civil law concepts that are profoundly different from those under U.S. law (which does not provide any constitutional protections to data processing by the private sector), and suffers from a lack of harmonization among 27 member state laws and numerous EU legal instruments.
With regard to the U.S. system, as Prof. Daniel Solove put it, “U.S. privacy law is so muddled that it can’t provide clear answers about how most types of data are protected.” Prof. Fred Cate has recently described the U.S. Supreme Court’s privacy jurisprudence as “confused and disjointed”. If U.S. experts can’t make sense of their own privacy law, how are Europeans expected to do so?
All this has led to a mutual blame game that has not covered either side in glory.
EU officials have expressed “shock” at the level of U.S. lobbying surrounding the data protection reform, as if intense lobbying has not been an accepted part of the legislative game in Brussels since time immemorial (and why shouldn’t governments and companies from outside the EU make their views known, since the reform will have a profound effect on them?).
For their part, the U.S. government and U.S. companies seem to assume that the more pressure they put on European policymakers the better, perhaps because this is what is expected in Washington. In fact, the best way to affect the legislative debate in Brussels is through carefully-crafted proposals based on compelling arguments under EU law, not a blunderbuss approach that rails against threats to U.S. business models and is ultimately counterproductive (if the final texts of the data protection reform package are not to their liking, U.S. parties will have themselves partially to blame).
The tragedy of all this is that, despite profound differences, the EU and the U.S. really do have much in common when it comes to a desire to protect personal data and privacy, and face common threats from ascendant powers (e.g. China) in this regard. If the two were willing to tone down their rhetoric and try to understand in a more thoughtful way the similarities and differences of how their two legal systems protect personal data, they might discover that working together to protect privacy was easier than they thought.
Having become increasingly cynical over the last 20 years about the ability of the two sides of the transatlantic data privacy debate to engage in a constructive dialogue, I do not expect this to happen any time soon, but I would be happy to be proved wrong.
About the Author
Christopher Kuner is Senior of Counsel in the Brussels office of Wilson, Sonsini, Goodrich & Rosati and is Honorary Fellow of the Centre for European Legal Studies, University of Cambridge, where he also teaches. His books European Data Protection Law: Corporate Compliance and Regulation (2007) and Transborder Data Flows and Data Privacy Law (2013) are both published by Oxford University Press. He is editor-in-chief of the journal International Data Privacy Law and co-chair of the Task Force on Privacy and Data Protection of the International Chamber of Commerce and has 20 years’ experience working in EU data protection law. He holds a PhD in data protection law from Tilburg University (the Netherlands), and law degrees from New York University and Notre Dame Law School.