ARTICLE | U.S. Privacy Regulation Landscape: Spoiler Alert, It’s a Mess
Justice Brandeis described “the right to be let alone” as “the most comprehensive of rights and the right most valued by civilized men.”[1] The evolution of information technology catalyzes economic globalization, as ever larger quantities of data are stored, processed, and circulated across the globe in a matter of seconds.[2] Data is now an extremely valuable commodity and a larger part of the economy than most realize.[3] While many other countries have extensive data protection laws safeguarding their citizens’ personal data, the United States (U.S.) lacks a universal, federal data protection law. With the continual growth of e-commerce, the flow of consumer information exceeds national borders, and governments must do their part to ensure its protection.
This paper examines the current state of data privacy law in the U.S. and argues that the U.S.’s patchwork approach to data privacy is unsustainable and flawed. The sectoral, self-regulatory framework weakens the U.S.’s ability to compete in a globalized market as the Internet continues to become more “bordered.”
Part I compares the European Union (EU) and U.S. data privacy laws. After establishing both frameworks, Part II analyzes the impact of the EU’s General Data Protection Regulation (GDPR) on the U.S. Part III then analyzes why the patchwork framework the U.S. uses is not feasible if the U.S. is to remain globally competitive. Part IV provides recommendations to strengthen U.S. data privacy regulation. Lastly, Part V concludes that the U.S. should use the GDPR as a benchmark, making modest improvements to it, in order to become a global leader in data privacy policy.
I. Comparison of the EU and U.S. Models
Comparing the U.S. and EU models of data privacy reveals many differences and some similarities at the legislative, enforcement, and constitutional levels. At the legislative level, the EU model is more streamlined and less complex than the U.S. model. The EU relies primarily on one law, the GDPR, which replaced the Data Protection Directive (DPD) as the EU’s data protection framework.[4] In contrast, the U.S. has developed its data privacy laws through a series of unconnected pieces of legislation, each targeting a specific market or sector in reaction to a particular concern, leaving state and federal laws often inconsistent with one another.[5] The EU model has a single source for the right to data protection, making it a straightforward system, whereas the U.S. has no comprehensive law guaranteeing privacy rights in personal information.[6]
The EU and U.S. data privacy laws share common goals and origins, but they differ immensely in how they actually protect individuals. Unlike U.S. law, the GDPR takes a strong stance to ensure that companies both inside and outside the EU comply with its high standards for protecting the data of people in the EU.[7] U.S. citizens, by contrast, are not given a right to privacy in all of their personal information.[8] Rather, the right to privacy depends on the type of information and on whether the sector or industry controlling the data is subject to regulation.[9] EU informational privacy is not bound by such factors, because the GDPR grants a broad right to privacy across the board, regardless of the type of business or information involved.[10]
Lastly, while the EU model is often portrayed as the “gold standard” for data privacy regulation, the U.S. is seen as a country with a “weak” or non-existent privacy regime.[11] The GDPR makes clear that anyone processing the data of EU residents, regardless of where their business is based, is subject to the regulation.[12] Since the EU passed the GDPR, several other countries have followed in its footsteps by passing their own data protection laws.[13] For example, in August 2018, Brazil’s President signed the country’s comprehensive data privacy law, the Lei Geral de Proteção de Dados (LGPD), which closely tracks the GDPR.[14] The GDPR will shape future technology development, and countries need to adapt quickly to these changes.
II. GDPR’s Impact on the United States
U.S. companies can either comply with the GDPR or cease offering goods and services to EU consumers. While this may formally be a “free choice,” there is no real alternative for most large U.S. companies. To meet the GDPR’s requirements, companies must invest substantial money, staff, and resources in upgrading, at a minimum, their “technology platforms, privacy policies, changing practices and adjusting data storage and processes.”[15] The impact on American and Chinese companies is especially significant, since the U.S. and China, the two leading global economic powers, have many companies that do business with the EU.[16] According to a PricewaterhouseCoopers survey, 68% of American companies expected to spend between $1 million and $10 million to meet the GDPR requirements, and 9% expected to spend more than $10 million.[17] By requiring that a country provide adequate protection for personal information before data can be transferred to it, the EU intended to set the tone and raise the bar for data privacy standards around the world.[18]
III. Analysis: An Imperative Need for a Comprehensive Approach to Data Privacy
The U.S. model, as it currently stands, is neither practical nor effective. Developing a regulatory policy is an exercise in balancing values that are difficult to compare: protecting both privacy and innovation requires weighing flexibility against the need for legal clarity and strong consumer protections. With the rest of the world adopting privacy approaches similar to the EU’s, the U.S. lags further and further behind.
Almost every country’s constitution, as well as the EU’s Charter of Fundamental Rights, recognizes privacy as a fundamental right, either explicitly or implicitly.[19] Unlike in the EU, privacy is not treated as a fundamental right in the U.S.[20] U.S. citizens have no explicit federal constitutional right to privacy.[21] This attitude toward data privacy rights has shaped the weak state of data protection in the U.S., ultimately producing the sectoral, self-regulatory, patchwork framework it uses today.
Use of the Internet leaves individuals susceptible to various invasions of privacy. As tracking technology becomes more sophisticated, polls show that consumers want legal rights over how their personal data is collected and used.[22] At the same time, many mistakenly believe that such protections already exist.[23] One study showed that consumers believed the mere existence of a privacy policy on a site means that their personal data is protected.[24] Despite persistent consumer concern about data collection, the U.S. has consistently rejected both omnibus legislation and the fundamental-rights approach to data protection.[25]
The U.S. system, as it currently stands, is not equipped to handle breaches of privacy, and much remains to be done. For instance, some companies storing clients’ credit card information do not encrypt those files, even though encrypting stored payment data is one of the most basic steps for protecting sensitive information.[26] In light of the growing number of data breaches, U.S. consumers in particular need comprehensive data protection reform.[27]
Data protection in the U.S. is governed by a reactive, sector-based, self-regulatory system that addresses specific privacy needs, in which state and federal laws “overlap, dovetail and contradict one another.”[28] Sector-by-sector regulation, coupled with an ambiguous standard, has transformed U.S. data privacy law into a system of self-regulation in which each state is left to determine the applicable meaning of “appropriate.”[29]
From a global perspective, the U.S. is home to some of the largest and most technologically advanced data companies in the world, such as Amazon, Google, and Facebook. Some argue that this dominance in the global marketplace is a result of the absence of comprehensive federal regulation protecting personal data and informational privacy.[30] While there is some validity to that “model,” it facilitates regulatory capture and industry lobbying, and privacy abuses often fall through regulatory cracks.[31]
Furthermore, proponents of the U.S. approach have boasted that its statutes are more granular and focused on the risks of a specific sector, as opposed to the EU’s one-size-fits-all approach.[32] Critics, on the other hand, assert that both federal and state laws remain ineffective and unsustainable in a technology-driven world where privacy concerns are constantly evolving.[33]
In the absence of legislative progress, industry efforts to voluntarily self-regulate have proven lackluster. A patchwork structure leaves gaps, and individual state and federal laws are often inconsistent with one another, creating market confusion.[34] Without universal federal legislation, it will become increasingly difficult for companies to understand how to comply with all of these regulations.
At the federal level, there are currently twelve pieces of federal legislation, each addressing the use of personal information in a specific industry.[35] Among the most important are the Health Insurance Portability and Accountability Act (HIPAA) (personally identifiable health information), the Computer Fraud and Abuse Act (CFAA) (hacking), and the Electronic Communications Privacy Act (ECPA) (electronic communications).[36] At the state level, virtually all states have laws requiring a business to notify consumers when its security has been breached. Some states have gone further and also enacted data disposal laws, which require a business to destroy personal information once it no longer needs to retain it.[37]
Another major problem with the current U.S. model is that multiple enforcement agencies handle data protection. Each federal privacy law is enforced by a different federal agency or state body. For example, HIPAA is enforced by the Office for Civil Rights within the U.S. Department of Health and Human Services (HHS). State consumer protection regulators (usually the state Attorney General) also exercise privacy regulatory authority.[38] Additionally, the Federal Trade Commission (FTC) is the primary privacy regulator at the federal level, but its enforcement authority over consumer data and privacy is limited, resting largely on its power under Section 5 of the FTC Act to police “unfair or deceptive” practices.[39]
While enforcement at the federal level is scattershot, individual enforcement of data protection is also weak. U.S. courts have been reluctant to grant relief to plaintiffs who claim a breach of privacy.[40] Courts often dismiss data breach claims for lack of standing, based on insufficient evidence of direct or actual harm.[41] Standing is hard to establish in data breach cases without evidence of pecuniary loss, and it is even harder to prevail when standing is granted on the basis of alleged future harm.[42] Yet the majority of data breach cases rely upon speculative future harm, absent evidence of pecuniary loss.[43] The U.S. desperately needs one coordinated and streamlined agency.
A growing number of foreign countries, and some U.S. states, have articulated distinct visions for how to address privacy concerns, leading to a nationally and globally fragmented regulatory landscape. Such fragmentation naturally disincentivizes innovation by increasing the regulatory costs of products that require scale.[44] Generally, countries will move to comply with the strictest privacy standard in order to obtain equal bargaining power and reduce their own costs of compliance.[45]
IV. Adopting a Universal, Federal Data Privacy Regulation
Conforming to the GDPR, or using the GDPR as a benchmark for a data privacy law, may be easier than it first appears, since U.S. data privacy policies strongly influenced the EU’s data protection laws. At a minimum, U.S. data protection policy should borrow from the EU model the premise that stronger government involvement is needed in data regulation. Establishing one universal, federal approach would create a comprehensive framework for data privacy and allow the U.S. to remain globally competitive.
The U.S. government must take further precautions to protect the data privacy of its own citizens by recognizing a fundamental right to data privacy. The U.S. should adopt the portion of the EU model that extends the fundamental right to privacy to the personal information contained in consumers’ data. Once privacy in personal data is recognized as a fundamental right, that information can no longer constitutionally be bought and sold on the open market as mere property.
By passing a universal federal policy that includes a fundamental right to data privacy, the U.S. would create a shift in thinking from an “ownership” model to a “leasing” model. Essentially, every employee of a business would need to stop viewing the data as the company’s “own” and start viewing it as belonging to the data subject, with the company merely “leasing” it. Under such a model, a company could collect and process a user’s data only to the extent that explicit consent has been given for those activities, and that consent could be withdrawn at any time. (The GDPR itself is less absolute on this point: consent is only one of its lawful bases for processing, alongside, for example, performance of a contract, compliance with a legal obligation, and legitimate interests, though consent, once given, can be withdrawn at any time.) An individual’s rights would therefore generally trump a company’s claims to that individual’s data.
However, an omnibus U.S. data regulation policy needs to be strong enough to push businesses to provide sufficient data security, but not so heavy that businesses are unnecessarily burdened. In borrowing from the EU model, the U.S. should not only increase government enforcement through legislation but also form an independent data protection agency.
With laws at both the federal and state levels targeting numerous sectors, an agency whose sole, overarching focus is data protection would be better at identifying and resolving problems. If the U.S. adopted the EU’s stance on government intervention, created a data protection agency, and focused on preventing data breaches, those changes would carry over into the U.S. system. Some may argue that this would give too much control to the government, but the value of data protection greatly outweighs the cost of moderate government intrusion.
Opponents of a universal, federal data privacy regulation could also argue that more government involvement would burden businesses and corporations. Undoubtedly, businesses should have the freedom to make their own decisions and act in whatever way best serves their shareholders. However, they still owe a duty to their consumers to take reasonable data security measures. More government enforcement would not mean that the government steps in to control the decisions companies make; it would only mean that companies have to start complying with the law.
One could argue that businesses have effectively been delegated the duty of protecting customer information. But businesses need to make a profit, and selling information is very lucrative. The U.S. system places too much faith in the market, and allowing companies to self-regulate data protection naturally creates a conflict of interest. Even a company that is not selling information lacks incentives to take the extra step of providing a sufficient level of data protection. Businesses are responsible only to themselves, and without an outside force driving change, it is difficult to bring about any sort of data protection. Because the U.S. endorses self-regulation without legal sanctions to incentivize or enforce it, it is hard to believe that the strategy is anything more than a political device to avoid regulation.
Though fining companies for data breaches regardless of the type of data involved would be a new practice in the U.S., it would not be much different from the accepted U.S. practice of fining corporations for breaches of health care data. It is therefore not so radical an idea as to be unacceptable to U.S. citizens. However, as with the EU data protection authorities, whose GDPR fines are capped at the greater of €20 million or 4% of a company’s worldwide annual turnover, there should be a limit on the amount a company can be fined for failing to provide reasonable data protection. Fines should not be so low as to amount to a slap on the wrist, but the data protection agency also should not be so extreme as to bankrupt an organization.
The U.S. should develop a policy that articulates a renewed vision, one that reduces fragmentation at home and increases harmonization both nationally and globally. Data privacy is becoming an important global social and economic issue. Consistent data privacy laws in the U.S. and the EU would result in near-complete harmonization of international privacy law.
V. Conclusion
In conclusion, no system is perfect, and the U.S. model of data protection is no exception. The U.S. should create a new model for data privacy that combines several approaches to protect consumers’ private information. The elements of the EU model that the U.S. could adopt would fare well in the U.S. because of the vast resources at the country’s disposal. Given the concern about the rising number of data breaches in the U.S., such a model would not only make working with the EU easier but also promote the harmonization of data transfers globally. While the U.S. need not duplicate the EU model, there are several portions of it worth borrowing. Given the recent and massive technological advances that have changed how information is both created and used, there is certainly a case for examining whether there are smarter ways to protect privacy in the digital age. It is hard to argue against seeking an approach that produces desirable privacy outcomes, maximizes benefits at all levels, minimizes costs, and promotes regulatory harmony.
[1] Olmstead v. United States, 277 U.S. 438, 478, 48 S. Ct. 564 (1928) (Brandeis, J., dissenting).
[2] ARTICLE: The Tortoise and the Hare of International Data Privacy Law: Can the United States Catch Up to Rising Global Standards?, 27 Cath. U. J. L. & Tech. 77, 78.
[3] ARTICLE: Privacy Basics a Colorado Lawyer Should Know: The California Consumer Privacy Act and the Colorado Consumer Data Privacy Act, 97 Denv. L. Rev. Online 54, 58.
[4] 27 Cath. U. J. L. & Tech. 77.
[5] NOTE: Navigating the Atlantic: Understanding EU Data Privacy Compliance Amidst a Sea of Uncertainty, 91 S. Cal. L. Rev. 163, 178-79.
[6] COMMENT: Personal Privacy in the Information Age: Comparison of Internet Data Protection Regulations in the U.S. and the European Union, 21 Loy. L.A. Int’l & Comp. L.J. 661, 671.
[7] NOTE: Untangling the Web: An Argument for Comprehensive Data Privacy Legislation in the United States, 35 Suffolk Transnat’l L. Rev. 363.
[8] Id. at 363.
[9] ARTICLE: Towards a Global Data Privacy Standard, 71 Fla. L. Rev. 365.
[10] See David Banisar & Simon Davies, Privacy and Human Rights: An International Survey of Privacy Laws and Practice, http://www.gilc.org/privacy/survey/intro.html (last visited Mar. 16, 2019).
[11] A. Michael Froomkin, The Death of Privacy?, 52 Stan. L. Rev. 1461, 1524-25 (2000) (“Without some sort of government intervention to encourage self-regulation, ‘wolves self-regulate for the good of themselves and the pack, not the deer.’”).
[12] NOTE: Comparative Analysis of the EU’s GDPR and Brazil’s LGPD: Enforcement Challenges with the LGPD, 44 Brooklyn J. Int’l L. 859.
[13] Id. at 372.
[14] Id. at 374.
[15] See PricewaterhouseCoopers, https://www.pwc.com/us/en/services/consulting/library/gdpr-readiness.html.
[16] Symposium: The Consumer Always Has Rights: Envisioning a Progressive Free Market: Protecting Privacy in an Era of Weakening Regulation, 9 Harv. L. & Pol’y Rev. 355.
[17] Id.
[18] 35 Suffolk Transnat’l L. Rev. 363, 373.
[19] Id. at 374.
[20] COMMENT: Personal Privacy in the Information Age: Comparison of Internet Data Protection Regulations in the U.S. and the European Union, 21 Loy. L.A. Int’l & Comp. L.J. 661.
[21] Id.
[22] Symposium: The Consumer Always Has Rights: Envisioning a Progressive Free Market: Protecting Privacy in an Era of Weakening Regulation, 9 Harv. L. & Pol’y Rev. 355.
[23] Id.
[24] Id. at 1525.
[25] Id.
[26] Id. at 1527.
[27] Peter Henning, Looking for Liability in B.P.’s Gulf Oil Spill, N.Y. Times DealBook (June 7, 2010), http://dealbook.nytimes.com/2010/06/07/looking-for-liability-in-bps-gulf-oil-spill/ (describing fines for environmental breaches).
[28] 91 S. Cal. L. Rev. 163, 175.
[29] 35 Suffolk Transnat’l L. Rev. 363, 373.
[30] ARTICLE: Artificial Intelligence: Risks to Privacy and Democracy, 21 Yale J. L. & Tech. 106.
[31] 91 S. Cal. L. Rev. 163, 175.
[32] 71 Fla. L. Rev. 365, 381.
[33] Id.
[34] 91 S. Cal. L. Rev. 163, 178-79.
[35] Id. at 178.
[36] 32 J. Nat’l Ass’n L. Jud. 810.
[37] ARTICLE: In the Middle: Creating a Middle Road Between U.S. and EU Data Privacy Protection Policies, 32 J. Nat’l Ass’n L. Jud. 810, 821.
[38] ARTICLE: Data Protection in the U.S., 66 Am. J. Comp. L. 299, 305-06.
[39] See Division of Privacy and Identity Protection, Fed. Trade Comm’n, https://www.ftc.gov/about-ftc/bureaus-offices/bureau-consumer-protection/our-divisions/division-privacy-and-identity (explaining the responsibilities of the FTC as they relate to privacy breaches).
[40] 32 J. Nat’l Ass’n L. Jud. 810.
[41] Id.
[42] 71 Fla. L. Rev. 365, 384.
[43] Id.
[44] ARTICLE: In the Middle: Creating a Middle Road Between U.S. and EU Data Protection Policies, 32 J. Nat’l Ass’n L. Jud. 810.
[45] 32 J. Nat’l Ass’n L. Jud. 810.