Stanford CIS

There is no new thing under the sun

By Omer Tene on

Photo: Like its namesake, the European Data Protection Directive ("DPD"), this Mercedes is old, German-designed, clunky and noisy – yet effective. [Photo: Omer Tene]

Old habits die hard. Policymakers on both sides of the Atlantic are engaged in a Herculean effort to reform their respective privacy frameworks. While progress has been and will continue to be made for the next year or so, there is cause for concern that at the end of the day, in the words of the prophet, “there is no new thing under the sun” (Ecclesiastes 1:9).

The United States: Self Regulation

The United States legal framework has traditionally been a quiltwork of legislative patches covering specific sectors, such as health, financial, and children’s data. Significantly, information about individuals’ shopping habits and, more importantly, online and mobile browsing, location and social activities, has remained largely unregulated (see overview in my article with Jules Polonetsky, To Track or “Do Not Track”: Advancing Transparency and Individual Control in Online Behavioral Advertising). While increasingly crafty and proactive in its role as a privacy enforcer, the FTC has had to rely on the slimmest of legislative mandates, Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices”.

To be sure, the FTC has had impressive achievements: reaching consent decrees with Google and Facebook, both of which include 20-year privacy audits; launching a serious discussion of a “do-not-track” mechanism; establishing a global network of enforcement agencies; and more. However, there is a limit to the mileage that the FTC can squeeze out of its opaque legislative mandate. Protecting consumers against “deceptive acts or practices” does not amount to protecting privacy: companies remain at liberty to explicitly state they will do anything and everything with individuals’ data (and thus do not “deceive” anyone when they act on their promise). And prohibiting “unfair acts or practices” is as vague a legal standard as can be; in fact, in some legal systems it might be considered anathema to fundamental principles of jurisprudence (nullum crimen sine lege). While some have heralded an emerging “common law of FTC consent decrees”, such “common law” leaves much to be desired, as it is based on non-transparent negotiations behind closed doors, resulting in short, terse orders.

This is why legislating the fundamental privacy principles, better known as the FIPPs (fair information practice principles), remains crucial. Without them, the FTC cannot do much more than enforce promises made in corporate privacy policies, which are largely acknowledged to be vacuous. Indeed, in its March 2012 “blueprint” for privacy protection, the White House called for legislation codifying the FIPPs (referred to by the White House as a “consumer privacy bill of rights”). Yet Washington insiders warn that the prospects of the FIPPs becoming law are slim, not only in an election year, but also after the elections, without major personnel changes in Congress.

This leaves us with the “multistakeholder process”, conjured by the White House in its report and recently initiated in practice. Yet many doubt the potential for significant progress in a multistakeholder setting, where incentives are strong for grandstanding, thinly disguised industry turf wars, and policy laundering. These critics point to the repeated failures of industry self-regulation. Some question the legal authority or even competence of fora such as the W3C tracking protection working group to decide on policy issues such as the definition of “tracking” or legitimate exemptions from consent requirements.

Europe: More Regulation

Across the ocean, in Europe, the European Commission submitted in January 2012 a proposal to reform the highly influential yet outdated 1995 Data Protection Directive (“DPD”) (see photo above). There is broad consensus, from Palo Alto to Brussels, that while a boon for lawyers and privacy professionals, the DPD has brought little effective protection to individuals. Does anyone really think European citizens have more privacy than individuals in the U.S.? The DPD mandated companies to engage in bizarre rituals such as signing multiple (i.e., hundreds or even thousands of) copies of “standard contractual clauses”, which were immediately filed in dusty cabinets never to be looked at again. It set forth individuals’ rights, such as access, rectification, and freedom from automated decisions, which were seldom understood – much less pursued or enforced by individuals. It set up a network of national enforcement agencies, which often lacked the resources or legal tools to enforce.

This post is cross-posted with permission from the Concurring Opinions blog, where the full post continues.
