Why don’t Americans care as much about their privacy as Europeans do?
There’s an intercontinental battle brewing, and it’s got Facebook, Google, and other data collectors large and small fearing for their bottom lines.
For the past two years, tech giants in the U.S. have been negotiating with officials of the European Union about changes to the Safe Harbor Agreement that protects U.S. companies from legal actions related to the transfer of data about the tech companies’ European customers to servers located in the U.S., where privacy laws are less stringent. As Joel Dreyfuss reports in a February 1, 2016, article on CNBC, it seems likely that Google, Facebook, and other services that collect and reuse personal information will be required to apply more stringent protections for Europeans’ private information than they do for their customers who reside elsewhere.
The situation heated up in October 2015 when the European Court of Justice ruled that the government of Ireland, the country in which Facebook and other U.S. tech companies operate data centers, had failed to protect the privacy of European citizens. This was followed in December 2015 by new rules from the European Union stipulating a maximum fine of 4 percent of global revenues for firms that violate privacy regulations that apply to their customers in Europe.
The new EU rules also require disclosure of data breaches, parental permission before anyone under the age of 16 can sign up for a social-media account, and the ability of European residents to have all information about them deleted – the misnamed “right to be forgotten.”
(The March 31, 2015, Legal Shorts explained why, from a technical standpoint, there’s no such thing as being forgotten online because it is nearly impossible – and completely impractical – to remove all copies of information about an individual. Also, if the information is accurate and was acquired legally, you have no right to rewrite history. There’s more about the threat to freedom of expression below.)
Compliance puts U.S. firms between a rock and a hard place
U.S. tech companies lament the rule changes, which will cost them money to implement and will cut into the revenue they receive from the collection and use of personal information about their customers. They argue that the rules will hurt the European economy and “social welfare,” according to the U.S. Chamber of Commerce, which lobbied against the changes.
As it stands, there are fundamental conflicts between the new European rules for data collection on the one hand, and data-security regulations of the U.S. government and other nations on the other. According to Electronic Frontier Foundation international director Danny O’Brien, U.S. firms can’t comply with the EU requirements without violating U.S. security law.
EFF’s Aylin Akturk and Jeremy Malcolm write in a November 20, 2015, post that the new EU policy could infringe on freedom of expression. For example, a site posts an unflattering but accurate quote by a person, and the person subsequently exercises their right to remove the quote as part of their right to be forgotten. This is just one of the big problems with the EU’s policy. In addition to the bureaucracy required to vet take-down requests, the removal process could result in more personal information being made public, not less, according to the EFF.
Europe’s historical perspective on misuse of personal data
Just the thought of their private information being collected, sold, and otherwise reused causes many Europeans to cringe in horror. Fascist governments’ misuse of personal information helped make possible the unthinkable horrors of World War II. Only a fool would believe governments and businesses wouldn’t misuse the personal information at their disposal if it served their purpose – particularly if there’s little or no risk of being caught and punished.
On the other side of the Atlantic, people just shrug it off. U.S. customers don’t object to the collection of their personal information in exchange for the services offered by Google, Facebook, and others. That extends to supermarket reward programs and countless other opportunities to surrender a record of their activities.
Why the continental disparity? Dreyfuss quotes Miriam Wugmeister, a privacy expert for the law firm of Morrison & Foerster:
"You had real misuses of personal information to achieve totalitarian and fascistic goals [during World War II]. To Europeans, the mere collection of personal information is a bad thing and you should only be able to do it when you have a really good reason…. In the U.S., if you want to collect personal information and put it all in a phone book and sell it, that's fine as long as you don't misuse it."
The misuse of our private data is perceived as more likely by Europeans than by Americans. Considering their recent history, I would say the Europeans know whereof they speak. And it’s not only governments who have the potential of using our personal information against our best interests. While the U.S. government and those of other countries create and maintain vast stores of data about their citizens, most of the data collecting is being done these days by private firms. What motivation do they have to protect the data and prevent its misuse?
In a May 29, 2015, post, Todd Ruback, who is the chief privacy officer at anti-tracking vendor Ghostery, makes the case for self-regulation of data collectors. Ruback claims self-regulation would work if there is industry-wide adoption, end-to-end monitoring, and designation of an independent enforcement body. The enforcement requires legislators to enact regulations that give the protections some teeth. Any way you slice it, you’re creating an extensive, expensive, and likely invasive regulatory infrastructure.
Why you can’t leave privacy protections to the libertarians
Imagine removing all limits on what personal information companies and government can collect, but restricting how the public and private entities could use the information. Slate’s Chris Jay Hoofnagle writes in a September 2, 2014, article that so-called use regulation is gaining favor with researchers and business leaders alike. Two industries that are already subject to use regulation are credit-reporting agencies and health-care providers. Both industries collect far more personal information than they are allowed by law to use.
Considering how difficult it is to regulate data collection, use regulation is considered by many analysts as a more “pragmatic” solution to the problem of unauthorized disclosure private data. As Hoofnagle points out, use regulation would result in deregulation of information privacy.
Data flows freely between private data collectors and the government. By releasing their data to the government, businesses know that once the data is combined with government agency data stores, they can request that the data be released in the spirit of open-government laws. Businesses will eventually have unfettered access to huge stores of personal information collected from public and private sources alike.
In addition, companies could argue that limits on how they use the personal information they collect violate their First Amendment rights of free speech and free expression. The Supreme Court decision in Robins v. Spokeo means companies that collect and store private information would be liable in the case of misuse of the data only if the plaintiff can demonstrate concrete (i.e., monetary) damages. As it stands now, use regulation is no regulation at all.
A call for privacy regulation, and consumer control
Nine out of 10 people in the U.S. believe they have lost control of how their personal information is collected and used by businesses. Two out of three of us want stricter government regulation of online privacy, and nearly as many (64 percent) believe there should be tighter regulation of advertisers’ handling of personal information.
These are some of the results of the Pew Research Center’s January 20, 2016, report on the state of privacy in America. How confident are we that businesses keep our private information safe? Not at all, when it comes to online advertisers and social media sites: 76 percent of us lack confidence in advertisers, and 69 percent don’t trust social media with the security of our info. Government agencies fared somewhat better in this category: only 54 percent of us lack confidence in government’s ability to secure our private data, second only to credit-card companies (46 percent).
On the upside, 74 percent of us believe it’s important for us to control who has our personal information, and 65 percent want to control what information is being collected. Conversely, 47 percent of us lack confidence that we know how our personal information will be used, and 59 percent report being confused by the information in a privacy policy. The big surprise to me is that somebody actually took the time to read a privacy policy.
The privacy questions are only going to get thornier as more devices connect to the Internet. Would you be willing to get free use of money-saving, ultra-smart thermostats in exchange for information about when you come and go? How about where you spend your time inside your home? Now throw in the data collected by smart cars and mass transit, facial recognition combined with ubiquitous video surveillance, and FitBit-type biometric devices.