Privacy’s Constitutional Moment and the Limits of Data Protection
Search for the full article on Bing
ARTICLE SUMMARY
The United States Congress must decide whether to enact a national privacy law like Europe’s General Data Protection Regulation (GDPR). But GDPR-style rules fail to protect against many harms of data overuse.
POLICY RELEVANCE
The United States should adopt a comprehensive national data protection law. The new law should firmly limit data collection.
KEY TAKEAWAYS
- The EU's new privacy law, the GDPR, took effect in 2018; in the United States, some state legislatures have enacted state-level laws, such as the California Consumer Protection Act.
- If Congress does nothing, several American states may pass their own laws.
- Congress has a “constitutional moment” in which to enact new privacy law.
- If Congress does nothing, several American states may pass their own laws.
- The EU's GDPR sets global norms, because the GDPR does not allow firms to move data across borders without accountability; the United States is likely to adopt a watered-down GDPR, because of a commitment to constitutional rights of free speech.
- Data protection law based on fair information principles (FIPs) is not enough.
- “Fair” data processing procedures with consent normalize too much surveillance.
- Consumers cannot meaningfully control their own data, as they are bombarded with policies and notifications.
- “Fair” data processing procedures with consent normalize too much surveillance.
- New privacy law should add “Corporal” rules to address firms’ market power and structure.
- Executives could be held personally or criminally liable for some privacy violations.
- Antitrust law could be used to restrain tech platform power, protecting privacy.
- Executives could be held personally or criminally liable for some privacy violations.
- New privacy law should add “Relational” rules to transform firms that collect data into information fiduciaries, with duties of honesty, protection, discretion, and loyalty to consumers.
- “Informational” privacy rules should go beyond the FIPs and meaningfully limit data collection, including firm bans on certain data practices.
- “External” privacy rules are needed to address the social costs of data use, including environmental problems arising from “planned obsolescence,” the harm to democracy from fake news, or smartphone addiction.
QUOTE
TAGS
About Neil Richards
Neil Richards is the Koch Distinguished Professor in Law at Washington University School of Law, where he co-directs the Cordell Institute for Policy in Medicine & Law. He is an internationally-recognized expert in privacy law, information law, and freedom of expression. He writes, teaches, and lectures about the regulation of the technologies powered by human information that are revolutionizing our society.
See more with Neil Richards
About Woodrow Hartzog
Woodrow Hartzog is Professor of Law at Boston University School of Law. Professor Hartzog’s scholarship and advocacy focuses on privacy and technology law. His research focuses on the complex problems that arise when people, organizations, and governments use powerful new technologies to collect, analyze, and share human information. He is an internationally recognized expert in the area of privacy, media, and robotics law.
