This week, details were released of a newly-negotiated Safe Harbor deal, renamed, the EU – U.S. Privacy Shield, that will ease business concerns about transatlantic data flows. But it will face some European skepticism and an inevitable court challenge.
With all of this, you’d be forgiven for thinking there are massive differences between the U.S. approach to privacy and the European’s. But the reality is that both sides share substantial common ground on privacy, as with so much in our social and political traditions.
The EU and U.S. both treat privacy as a fundamental, or constitutional, right, and both have an elaborate structure of legal rights and responsibilities in place. Importantly, both provide the same high level of privacy protection in actual practice.
The EU’s commitment to privacy as a human right is articulated in its foundational treaties, which guarantee “the right to respect for … private and family life, home and communications,” and safeguard “the right to the protection of personal data.”
Europe’s single comprehensive data protection law explicitly furthers this commitment, and privacy’s status as a fundamental human right has been upheld in three recent European court cases: supporting the European Commission’s data retention directive; establishing a right to be forgotten; and invalidating the previous Safe Harbor. Europe has also ratified international treaties establishing privacy as a human right.
It is just as true, but not as widely recognized, that privacy is held as a fundamental right in the U.S. It is, in fact, guaranteed by the U.S. constitution, including the Fourth Amendment’s stipulation that “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated….” Supreme Court Justice Louis Brandeis described this constitutional privacy right as “the most comprehensive of rights and the right most valued by civilized men.” The U.S. has also signed international treaties establishing privacy as more than an economic right.
The U.S. system includes two essential protections of this constitutional right: first, the need for probable-cause warrants, obtained from an independent judge; and second, the exclusionary rule, which bars improperly obtained information from being used by the government in a trial.
U.S. law also specifically provides for a right to digital privacy, including in the Electronic Communications Privacy Act, and the Foreign Intelligence Surveillance Act of 1978, which, in 2014, was amended to improve accountability and transparency.
Much of the perception that there is a wide gulf between the U.S. and EU comes from differences in legal form and underlying philosophical rationale. The U.S.’s sectorial system protects sensitive personal information throughout the economy and is vigorously enforced by a variety of regulatory agencies, including the Federal Trade Commission. But it is more complicated than a single overarching privacy law such as Europe’s. Moreover, some key privacy protections are found in U.S. consumer laws, making it appear that they are mere utilitarian protections of an individual’s marketplace interests.
There is no doubt that European legal texts are more explicit in connecting human rights and privacy than those in the U.S. But in actual practice, both offer the critical requirements of transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, accountability, and auditing. This commonality is not surprising, as both systems grew out of the Fair Information Practices that were first developed by the U.S. in the 1970s.
But this difference of emphasis has too often led to careless rhetoric — on both sides of the Atlantic — that obscures the fact that both systems offer a uniform, high level of individual privacy protection. We have to hope that this fact trumps the rhetoric, as data becomes a bigger driver of economic opportunity and more essential to the way people everywhere live their lives.