Privacy’s Constitutional Moment and the Limits of Data Protection

Article Source: Boston College Law Review, Vol. 61, Iss. 5, May 2020




The United States Congress must decide whether to enact a national privacy law like Europe’s General Data Protection Regulation (GDPR). But GDPR-style rules fail to protect against many harms of data overuse.


Policy Relevance:

The United States should adopt a comprehensive national data protection law. The new law should firmly limit data collection.


Key Takeaways:
  • The EU's new privacy law, the GDPR, took effect in 2018; in the United States, some state legislatures have enacted state-level laws, such as the California Consumer Protection Act.
    • If Congress does nothing, several American states may pass their own laws.
    • Congress has a “constitutional moment” in which to enact new privacy law.
  • The EU's GDPR sets global norms, because the GDPR does not allow firms to move data across borders without accountability; the United States is likely to adopt a watered-down GDPR, because of a commitment to constitutional rights of free speech.
  • Data protection law based on fair information principles (FIPs) is not enough.
    • “Fair” data processing procedures with consent normalize too much surveillance.
    • Consumers cannot meaningfully control their own data, as they are bombarded with policies and notifications.
  • New privacy law should add “Corporal” rules to address firms’ market power and structure.
    • Executives could be held personally or criminally liable for some privacy violations.
    • Antitrust law could be used to restrain tech platform power, protecting privacy.
  • New privacy law should add “Relational” rules to transform firms that collect data into information fiduciaries, with duties of honesty, protection, discretion, and loyalty to consumers.
  • “Informational” privacy rules should go beyond the FIPs and meaningfully limit data collection, including firm bans on certain data practices.
  • “External” privacy rules are needed to address the social costs of data use, including environmental problems arising from “planned obsolescence,” the harm to democracy from fake news, or smartphone addiction.



Neil Richards

About Neil Richards

Neil Richards is the Koch Distinguished Professor in Law at Washington University School of Law, where he co-directs the Cordell Institute for Policy in Medicine & Law. He is an internationally recognized expert in privacy law, information law, and freedom of expression. He writes, teaches, and lectures about the regulation of the technologies powered by human information that are revolutionizing our society.

Woodrow Hartzog

About Woodrow Hartzog

Woodrow Hartzog is Professor of Law at Boston University School of Law. Professor Hartzog’s scholarship and advocacy focus on privacy and technology law. His research focuses on the complex problems that arise when people, organizations, and governments use powerful new technologies to collect, analyze, and share human information. He is an internationally recognized expert in the area of privacy, media, and robotics law.