Privacy’s Constitutional Moment and the Limits of Data Protection

Privacy and Security; Competition Policy and Antitrust

Article Snapshot


Woodrow Hartzog and Neil Richards


Boston College Law Review, Vol. 61, Iss. 5, May 2020


The United States Congress must decide whether to enact a national privacy law like Europe’s General Data Protection Regulation (GDPR). But GDPR-style rules fail to protect against many harms of data overuse.

Policy Relevance

The United States should adopt a comprehensive national data protection law. The new law should firmly limit data collection.

Main Points

  • The EU's new privacy law, the GDPR, took effect in 2018; in the United States, some state legislatures have enacted state-level laws, such as the California Consumer Protection Act.
    • If Congress does nothing, several American states may pass their own laws.
    • Congress has a “constitutional moment” in which to enact new privacy law.
  • The EU's GDPR sets global norms, because the GDPR does not allow firms to move data across borders without accountability; the United States is likely to adopt a watered-down GDPR, because of a commitment to constitutional rights of free speech.
  • Data protection law based on fair information principles (FIPs) is not enough.
    • “Fair” data processing procedures with consent normalize too much surveillance.
    • Consumers cannot meaningfully control their own data, as they are bombarded with policies and notifications.
  • New privacy law should add “Corporal” rules to address firms’ market power and structure.
    • Executives could be held personally or criminally liable for some privacy violations.
    • Antitrust law could be used to restrain tech platform power, protecting privacy.
  • New privacy law should add “Relational” rules to transform firms that collect data into information fiduciaries, with duties of honesty, protection, discretion, and loyalty to consumers.
  • “Informational” privacy rules should go beyond the FIPs and meaningfully limit data collection, including firm bans on certain data practices.
  • “External” privacy rules are needed to address the social costs of data use, including environmental problems arising from “planned obsolescence,” the harm to democracy from fake news, or smartphone addiction.
