Computers, Privacy & the Constitution

TWikiGuestFirstPaper 19 - 06 Apr 2024 - Main.AnthonyFikry
Changed:
< Evasive Maneuvers -- How the Privacy Regulations Can Cover Government Actors in the Future
> A Comparative Examination of Data Privacy Laws in the United States and the European Union, with Particular Reference to the General Data Protection Regulation
 
Changed:
< -- By Morgan Carter - 05 Mar 2024
> In an age where personal data has become a valuable commodity for advertisers and organizations at large, the need for robust data privacy legislation has emerged as a defining issue of our time. The General Data Protection Regulation (GDPR), enacted by the European Union (EU) in 2018, represents a comprehensive framework aimed at safeguarding individuals' privacy rights in the digital world. In contradistinction to the EU, the United States lacks a comprehensive data privacy law applicable to all types of data and domestic companies. Instead, data privacy laws in the U.S. tend to be more fragmentary with various state-level regulations governing different sectors and types of data. In the remarks that follow, I shall provide an overview of data privacy laws in the U.S. and the EU, and then subsequently examine whether the U.S. could adopt the GDPR or a similar federal statute to address the shortcomings of its current data privacy regulations.
 
Changed:
< The California Consumer Privacy Act (CCPA) and other data privacy regulations across the nation were passed with a goal in mind: to protect consumers from the extensive sharing and selling of their data by companies profiting from that personal, and often private, information without consumer knowledge or consent. Similar legislation passed in the years following the CCPA in states like Virginia, Colorado, Utah, and Connecticut. While there are variances across the different consumer data regulations, a consistency across the board is that they are considered progressive steps forward, intended to allow transparency and provide protection for their consumers. In the time that has passed since the passing of the CCPA (now California Privacy Rights Act (CPRA)), businesses have worked to comply with the obligations imposed, and it seems that more and more legislation aiming to protect consumer data will emerge in the coming years.

< But the successful implementation of these state privacy regulations has enabled a far more dangerous and pervasive form of data collection, share, and sale of consumer data. It was recently revealed that the United States government has been “buying up reams of consumer data — information scraped from cellphones, social media profiles, internet ad exchanges and other open sources — and deploying it for often-clandestine purposes like law enforcement and national security in the U.S. and abroad.” The digital footprint that any American citizen has, “[t]he places you go, the websites you visit, the opinions you post — all collected and legally sold to federal agencies.” Id. There is considerable danger and justified discomfort in the knowledge that the United States government is quietly purchasing and collecting consumer data from companies. This data can be, and is, “used for everything from rounding up undocumented immigrants or detecting border tunnels. We’ve also seen data used for man hunting or identifying specific people in the vicinity of crimes or known criminal activity.” See also. We risk turning into an even bigger surveillance state than we already are with government purchasing consumer data, and many of those risks are even higher for minority populations. [see also Carter, forthcoming Columbia Law Review, March 2024].

< While consumers may be protected from (some) of the predatory share and sale habits of for-profit businesses thanks to the existing privacy regulatory framework, the United States government has found a way to access this information while not being subject to the requirements of the data privacy regulations specifically designed to avoid such collection as this. This was likely accomplished through a few means. One, the privacy regulations apply to companies that meet certain criteria, and the government and government contractors were probably conducting business with companies that fell outside of these criteria. See id. For example, the CPRA applies “to any for-profit organization, which may do business in the State of California,” (emphasis omitted) and “applies to businesses that: [1] Have a gross annual revenue of over $25 million in the preceding calendar year, or [2] Buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices, or [3] Derive 50% or more of their annual revenue from selling or sharing California residents' personal information[.]” To avoid the companies who would be subject to regulations like the CPRA, these government organizations and associates need only coordinate with the businesses just outside of these parameters. For instance, the government gleans consumer data from “tiny, obscure data brokers,” with “very little public-facing presence and almost no direct consumer relationship. Some of these companies focus on consumer data. Some focus on social data. Some focus on movement data.”

< The second way that government was able to get around the privacy regulations is merely by taking advantage of the functionality of the “opt-out” mechanism. These regulations offer “opt-out” provisions that require businesses that qualify under the legislation to offer consumers the option to either opt out of the sharing of their data, or to be able to see to whom their data is sold. In the European Union, the General Data Protection Regulation (GDPR) uses an “opt-in” format that requires consumers to intentionally choose to allow their data to be collected and shared by the pages that they visit. In the United States, it is the exact opposite. As a result of this, more data is collected because opting into data collection is the default option. The companies that evade privacy regulations are able to exploit this default option and collect large swaths of consumer data, and profit off of selling it to third parties such as government and government contractors.

< For current and upcoming consumer data privacy regulations to improve upon their goal of protecting consumer data and increasing transparency about where consumer data is going, future amendments and regulations should adjust the criteria for qualification under the privacy regulations and should make efforts to move our nation to an opt-in system. On the former point, the current revenue requirement should be lowered to include more businesses than it does at present. Considering the government is currently buying data from “tiny” data brokers, a smaller revenue requirement could help to include some of these parties. Alternatively, the number of residents whose data is bought, received, or sold could be reduced for the same purpose. For-profit businesses that receive even 10,000 residents’ personal information, instead of the current 100,000, could be included and help to reduce the degree to which the government is able to quietly access this information.

< Also, moving to an opt-out system would at the very least reduce the number of people whose consumer data and private information is caught up in the share and sale data market. The conscious choice to opt into data share would reduce the number of people who do it, and agency could be successfully returned to large swaths of consumers. The government has been taking advantage of the data privacy regulatory framework as it is today, but there is still time to change it to avoid an even stronger surveillance state.
> The GDPR is the most detailed and rigorous data privacy regulatory regime in the world, applying even to entities outside of the EU provided that such entities collect data of EU citizens and residents. The GDPR governs the acquisition, management, and processing of personal data, and imposes the consent of data subjects as a key requirement. Pursuant to the GDPR, companies may only collect data on citizens or residents of the EU with their explicit, informed consent and they must explain to them in simple terms how their data is being used. The GDPR additionally affords data subjects the right to request copies of their data and to request its permanent deletion. Failure to comply with the GDPR may result in fines of up to the higher of €20 million or 4% of global revenue. The adoption and enforcement of the GDPR testifies to the premium placed on data privacy within the EU.

> Although a GDPR-like statute has not been adopted at the federal level in the U.S., many states, inspired by the GDPR, have enacted data privacy laws, such as the California Consumer Protection Act and the Virginia Consumer Data Protection Act. However, the GDPR applies to a wider range of data, such as cookie data, location information, and IP addresses, whereas data privacy laws on this side of the Atlantic protect, in the main, the health and financial information of data subjects.

> There are several key constitutional and cultural considerations that may shed light on the different approaches to data privacy regulation adopted respectively by the U.S. and the EU. The EU Charter of Fundamental Rights, for instance, protects data privacy as a fundamental right: "Everyone has the right to respect for his private and family life, his home and his correspondence". However, no equivalent provision is explicitly found in the U.S. Constitution, although some have viewed the Fourth Amendment as providing a basis for the right to data privacy; the substantive due process inferred from the Fifth and Fourteenth Amendments could also serve as such a basis, but its future remains uncertain in the aftermath of the Dobbs decision. This commitment to privacy in the EU has profound historical roots, stemming in part from the abuse of individuals' privacy in the 20th century, particularly in fascist and communist regimes.

> A deeper explanation for the discrepancy lies in divergent approaches to the power and scope of government. In the U.S., the default legal order is characterized by an absence of the law, and a greater premium is placed on constraining the power and scope of government, including the federal government. The EU, by contrast, has tended to favor government intervention to a far greater degree, as reflected in the extensive set of social security nets it has in place. In contrast, the U.S. has traditionally taken a more laissez-faire approach that tends to be more favorable to companies that collect and use personal data. In the U.S., there is greater scope for commercial use of personal data, even at the expense of privacy rights. Recent years have seen public opinion shifting gradually towards supporting better protection of personal data as data privacy violations continue to come to the fore, but the underlying cultural differences discussed above continue to pose an impediment to bringing U.S. data privacy laws in alignment with the GDPR.

> The question arises as to whether the US would stand to gain from the adoption of a GDPR-like statute. Proponents may argue that the need for such a statute is even more pronounced in America as most Big Tech companies are American. Others may argue that a statute akin to the GDPR would be defective in the U.S. because it is simply too different from the EU in terms of its institutions and values. A statute such as the GDPR is arguably at variance with America's capitalistic ethos. The GDPR’s stringent requirements and its compliance costs, coupled with potential fines for noncompliance, constitute market distortions. As such, so the argument goes, they may prove inimical to the free market competition which lies at the heart of America’s capitalistic economic system. Moreover, small and medium-sized businesses would bear the brunt of such costs, which increases barriers to entry in the market, and thus arguably stifles the competition and innovation on which America places so high a premium.

> As data breaches and privacy concerns continue to arise, the U.S. faces increasing pressure to solidify its data privacy regulations. While the adoption of a GDPR-like statute presents challenges owing to cultural, legal, and economic disparities, it also offers an opportunity to enhance individual rights and bolster consumer trust in the digital marketplace. By considering and navigating the complexities inherent in the potential adoption of robust data privacy legislation such as the GDPR, the U.S. can work towards establishing itself as a global leader in safeguarding data privacy rights.


Revision r19 - 06 Apr 2024 - 13:22:55 - AnthonyFikry
Revision r18 - 05 Mar 2024 - 15:59:03 - MorganC