The Emperor Has No Clothes: A Critique of Applying the European Union Approach to Privacy Regulation in the United States

Article excerpt


Internet users in the United States and the European Union ("EU") often debate the state of international data privacy, while scholars and companies also present questions to the Internet community regarding the regulation of data privacy and the amount of regulation required in the U.S. Inquiries range from how to determine the necessary degree of regulation and how to implement regulations to how to enforce any regulations that the U.S. lawmakers2 may pass. Historically, the EU and the U.S. approach data3 privacy regulations in diametrically opposed ways.4 While the EU relies primarily on legislation and heavy regulation, the U.S. has adopted a market-based, self-regulatory approach to data privacy.5 The EU further distinguishes itself from the U.S. by implementing an approach that guarantees its citizens protection of their "fundamental rights."6 Such protection allows for strict governmental control of information flow. The U.S., on the other hand, does not recognize data privacy as a fundamental right, employing instead a less prophylactic approach than that taken by the EU.7

Despite these ideological differences, the EU codified its "fundamental right" principle in 1998 when it enacted Directive 95/46 (the "Directive"). With the Directive, the EU created a broad, overarching piece of legislation that gives significant power to the individual with regard to use of her personal information. First, it purports to create uniformity in EU data practices by requiring companies to inform consumers of what they plan to do with the personal information which they collect from their websites.8 Second, in so doing, the Directive requires the respective companies to secure affirmative consent from consumers to collect, use, and disseminate this information.9 Third, once companies obtain consent, they must document and register the consent with local "data authorities" who retain the information in their own databases.10 Fourth, during this process, the Directive allows individuals to access their information and allows them to request amendments and/or corrections to their data.11 Finally, the Directive also allows individuals to know the identity of the companies collecting their data.12 Assuming that the company uses the information consistent with its stated purpose, the Directive then requires the company to relinquish information that has already been used.13 In the international context, the Directive explicitly bars data transfers to other countries that do not provide "adequate" data protection, as defined by the Directive.14

In promulgating the Directive, the EU broadened the distinction between the U.S. and EU approaches to Internet privacy, ultimately presenting global companies with a conundrum concerning the appropriate method to use.15 The competing U.S. and EU ideologies create a unique yet frustrating problem for Internet companies around the world,16 including both brick-and-mortar stores as well as "virtual" companies.17 Business globalization, together with e-business growth, creates situations in which one country's laws may have substantial effects upon those of another country.18

This Note focuses on the Directive's effect on the United States. This Note argues that implementing a similar omnibus system in the U.S. is not feasible.19 The Directive is a facade rather than an actual, workable solution to privacy concerns. Although some scholars offer significant policy arguments in favor of implementing more regulation in the U.S., the inquiry should be limited to whether the U.S. really needs stricter privacy regulations and, more importantly, whether the U.S. legal framework places constraints on implementing such broad legislation instead of self-regulation. U.S. policymakers should strive to find a workable, reasonable solution that fits within the constructs of existing values and norms in the privacy arena rather than institute an extremely rigid and an unworkable solution. …