Law in the Internet Society

The American Dream has been dethroned by the European Dream

-- By OnaMunozRuscalleda - 26 Nov 2023

Introduction

The American Dream, often considered the embodiment of freedom and individual rights in the United States, is facing scrutiny in the realm of data privacy. How can the US be considered the epitome of freedom when its citizens’ private data is constantly being tracked without their consent?

Privacy in the European Union

In 2016, the European Union introduced the General Data Protection Regulation (GDPR), a robust framework dedicated to safeguarding privacy and human rights. This legislation imposes stringent requirements on organizations operating within EU countries, establishing seven key principles that include data minimization, storage limitations, and transparency, among others. Non-compliance with the GDPR results in substantial fines, creating a robust regulatory environment.

Privacy in the United States

Conversely, the United States lacks a comprehensive data privacy law applicable to all data types and companies. Existing legislation fails to provide holistic protection for individuals' data privacy. Firstly, the Privacy Act of 1974 which governs how federal agencies can collect and use data about individuals in its system of records. This act does not prohibit companies from gathering data on individuals, but prohibits companies from disclosing personal information without written consent from an individual. Secondly, the Health Insurance Portability and Accountability Act of 1996, which regulates how healthcare providers can use a patient’s personal health data. Third, the Gramm-Leach-Bliley Act of 1998, which regulates data privacy concerns for financial institutions. Finally, the Children’s Online Privacy Protection Act of 1998, which regulates what companies can do with the data collected from children under the age of 13. As can be seen, these pieces of legislation constitute a patchwork of legislation which fails to provide comprehensive protection for individual’s data privacy. Some US States have imposed more severe data limitations, such as the California Consumer Privacy Act, which states that consumers have the right to limit the use and disclosure of sensitive personal information collected about them, but there are very few states which have done so. Furthermore, in 2018 US Congress enacted the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which effectively overrules the GDPR. The CLOUD Act allows US authorities to access all data stored on servers operated by American cloud providers, and includes users who do not reside in the US (the title itself makes sure to include the “overseas” clarification). The consequence of this Act being enacted is that it is practically impossible for companies to comply with the GDPR, since doing so would entail violating the CLOUD Act.

Explaining the Differences

Fundamental differences in approach stem from the constitutional underpinning of data privacy. In the European Union, personal data protection is enshrined as a fundamental right under Article 8 of the EU Charter of Fundamental Rights. In contrast, the U.S. treats data privacy as part of consumer protection law, primarily within the business sector. Other arguments posit that influential U.S. tech companies advocate for lax online privacy regulations to maintain their information access and power, potentially hindering their competitiveness globally. Additionally, assertions are made that mass surveillance is more normalized in the U.S. compared to the European Union.

The Way Forward & Proposed Solutions

While acknowledging the complexities, it is imperative for the U.S. to adopt comprehensive data privacy legislation. The Trans-Atlantic Data Privacy Framework, agreed upon in 2022 between the EU and the U.S., represents a positive first step. According to this agreement, data will be able to flow freely between the EU and participating US companies. Furthermore, there will be a new set of rules and safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security, and a new two-tier redress system to investigate and resolve complaints of Europeans on access of data by US intelligence authorities (emphasis added). While a good start, there are still issues with this agreement: firstly, the fact that it is not mandatory for all companies, but rather only participating ones; secondly, the fact that there is no definition to what necessary and proportionate entails, leaving the door open for potential abuses; and third, the fact that there is an underlying assumption that Europeans are the only ones that will be able to seek remedy for data breach violations. Thus, there is still a long way to go. To address these concerns, the U.S. should consider two potential approaches. Firstly, a judicial interpretation of the Fourth Amendment (the right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures…) could extend its protection to include data privacy. Secondly, the U.S. should contemplate enacting a comprehensive bill, modeled after the GDPR, to ensure robust protection of individuals' data beyond their roles as consumers.

Conclusion

The absence of comprehensive data privacy legislation in the U.S. cannot be justified. Recognizing the evolving landscape and the possibility of legislative change, a concerted effort is needed to establish a framework that guarantees the protection of individual data and aligns with contemporary privacy norms.

I have tried before to indicate why I think this is mere baloney:

  1. GDPR is not a guarantor of personal privacy. It is a tax and regulatory system, through which data businesses, not people, are protected, and through which the unlimited exercise of personal surveillance by member states over their citizens is reinforced;
  2. What you call the "absence" of data privacy legislation in the US is in fact the presence of a carefully-crafted no-legislation system, a zone of anti-regulation with arbitrary exceptions resulting from the same "democratic" processes that have (unsurprisingly) produced a more social-democratic seeming (and equally pro-oligarchical) set of outcomes in "European" government. (The only technically significant society in that collection is no longer actually a part of the European Union, and is drifting rapidly towards an even more surveillance-compliant and pro-oligarchical set of data rules than the US.)
  3. The European ambition to be the world's leading exporter of guardrails is fatally hampered by its complete inability to manufacture the steel of which they are made. EU regulations affect platforms for services used by billions of people outside Europe, none of which are European businesses. European political posturing is uniquely unrelated to any intellectual or economic power: China and the US produce the platforms and services which suck up the human consciousness of Europe, Africa, South America, etc. They make the money and they determine (in their essential conflict between ethically-irreponsible capitalism and morally-repugnant authoritarianism) the political future of humankind. India, with its intellectual and demographic power, is the pivotal society whose trajectory expresses the outcome of that destiny. The Europeans are a tiny number of somewhat wealthy people, surprisingly unproductive of software and related materials, terrified of the rest of the world's young, within reach of Russian destruction and sliding rapidly towards fascism. They are absolutely dependent for their economic vitality and national security on the very structures and entities which they claim to be regulating, and which (beyond their capacity to throw lawyers and levy fines) they are utterly unable to control. They cannot manufacture even the basic material components of the wireless net at prices they can afford. Their children spend most of their waking hours using technologies designed and operated by foreign parties to bilk, deceive, swindle and depress them. Without the comprehensive surveillance they are thus entitled to buy back from the US, their internal security systems would collapse. The claim that they have anything to contribute to, let alone that they are the fount of, freedom is facially absurd.

I have made all these points in class before, far too tediously. You vehemently disagree with them, which is fine. But isn't it time you stopped ignoring them? The draft would be stronger if it at least acknowledged the possibility of dissent and perhaps even met the arguments.


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.

Navigation

Webs Webs

r2 - 09 Jan 2024 - 15:28:18 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM