|
Law in the Internet Society
|
|
The American Dream has been dethroned by the European Dream-- By OnaMunozRuscalleda - 26 Nov 2023IntroductionThe American Dream, often considered the embodiment of freedom and individual rights in the United States, is facing scrutiny in the realm of data privacy. How can the US be considered the epitome of freedom when its citizens’ private data is constantly being tracked without their consent?Privacy in the European UnionIn 2016, the European Union introduced the General Data Protection Regulation (GDPR), a robust framework dedicated to safeguarding privacy and human rights. This legislation imposes stringent requirements on organizations operating within EU countries, establishing seven key principles that include data minimization, storage limitations, and transparency, among others. Non-compliance with the GDPR results in substantial fines, creating a robust regulatory environment.Privacy in the United StatesConversely, the United States lacks a comprehensive data privacy law applicable to all data types and companies. Existing legislation fails to provide holistic protection for individuals' data privacy. Firstly, the Privacy Act of 1974 which governs how federal agencies can collect and use data about individuals in its system of records. This act does not prohibit companies from gathering data on individuals, but prohibits companies from disclosing personal information without written consent from an individual. Secondly, the Health Insurance Portability and Accountability Act of 1996, which regulates how healthcare providers can use a patient’s personal health data. Third, the Gramm-Leach-Bliley Act of 1998, which regulates data privacy concerns for financial institutions. Finally, the Children’s Online Privacy Protection Act of 1998, which regulates what companies can do with the data collected from children under the age of 13. As can be seen, these pieces of legislation constitute a patchwork of legislation which fails to provide comprehensive protection for individual’s data privacy. Some US States have imposed more severe data limitations, such as the California Consumer Privacy Act, which states that consumers have the right to limit the use and disclosure of sensitive personal information collected about them, but there are very few states which have done so. Furthermore, in 2018 US Congress enacted the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which effectively overrules the GDPR. The CLOUD Act allows US authorities to access all data stored on servers operated by American cloud providers, and includes users who do not reside in the US (the title itself makes sure to include the “overseas” clarification). The consequence of this Act being enacted is that it is practically impossible for companies to comply with the GDPR, since doing so would entail violating the CLOUD Act.Explaining the DifferencesFundamental differences in approach stem from the constitutional underpinning of data privacy. In the European Union, personal data protection is enshrined as a fundamental right under Article 8 of the EU Charter of Fundamental Rights. In contrast, the U.S. treats data privacy as part of consumer protection law, primarily within the business sector. Other arguments posit that influential U.S. tech companies advocate for lax online privacy regulations to maintain their information access and power, potentially hindering their competitiveness globally. Additionally, assertions are made that mass surveillance is more normalized in the U.S. compared to the European Union.The Way Forward & Proposed SolutionsWhile acknowledging the complexities, it is imperative for the U.S. to adopt comprehensive data privacy legislation. The Trans-Atlantic Data Privacy Framework, agreed upon in 2022 between the EU and the U.S., represents a positive first step. According to this agreement, data will be able to flow freely between the EU and participating US companies. Furthermore, there will be a new set of rules and safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security, and a new two-tier redress system to investigate and resolve complaints of Europeans on access of data by US intelligence authorities (emphasis added). While a good start, there are still issues with this agreement: firstly, the fact that it is not mandatory for all companies, but rather only participating ones; secondly, the fact that there is no definition to what necessary and proportionate entails, leaving the door open for potential abuses; and third, the fact that there is an underlying assumption that Europeans are the only ones that will be able to seek remedy for data breach violations. Thus, there is still a long way to go. To address these concerns, the U.S. should consider two potential approaches. Firstly, a judicial interpretation of the Fourth Amendment (the right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures…) could extend its protection to include data privacy. Secondly, the U.S. should contemplate enacting a comprehensive bill, modeled after the GDPR, to ensure robust protection of individuals' data beyond their roles as consumers.ConclusionThe absence of comprehensive data privacy legislation in the U.S. cannot be justified. Recognizing the evolving landscape and the possibility of legislative change, a concerted effort is needed to establish a framework that guarantees the protection of individual data and aligns with contemporary privacy norms.You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:
|
|
