POST- DIGITAL ERA RECONCILIATION BETWEEN UNITED STATES AND EUROPEAN UNION PRIVACY LAW ENFORCEMENT.

• Published date: 22 September 2018
• Author: Narielwala, Nidhi
• Date: 22 September 2018

INTRODUCTION

The concept of privacy rights for citizens is not unique to the twenty-first century. Though modern privacy law deals largely with the privacy in one's digital presence, its origins date back to the Bill of Rights. (1) The founding fathers recognized that citizens have a right to privacy from government intrusion in certain spheres of their lives. (2) The ransacking of colonial homes in the eighteenth century by the English government spurred the drafting of the Fourth Amendment. (3) The privacy barriers provided by the Fourth Amendment included protections within safe spaces, such as the home, as well as the requirement of warrants to enter locked areas. (4) The universality of privacy intrusions, however, developed after the Digital Revolution; the rise of technology has eroded the previously established barriers, creating new gaps in privacy protections. (5) Implementing comprehensive privacy laws to prevent intrusions or seek legal recourse is paramount given the ease of digital access to personal information.

The Federal Trade Commission (FTC) was founded in 1914 to help regulate businesses with the specific goal of consumer protection. (6) When the issue of privacy in a consumer context was brought to the public's attention, alongside the rapid development of sophisticated technology, there was a consumer-driven campaign for privacy regulation. (7) As a response, the FTC was put in charge of data privacy regulation in addition to its role as a consumer protection agency. (8) The FTC has passed numerous regulations in an effort to control data collection, use, and transfer by private companies and government entities, but these are not sufficient to combat the growing risk of data breaches by hackers. (9)

The United States (U.S.) needs an independent agency that oversees data protection, such as those set up in the European Union (EU) by the General Data Protection Regulation (GDPR). (10) The GDPR encompasses a variety of protections for entities with data privacy needs across the EU. Unlike the U.S., the EU has specific provisions when it comes to the enforcement of its privacy regulations, specifically the requirement of a Data Protection Officer for any entity that controls or processes personal data. (11) This across-the-board requirement differs from the privacy regulations in the U.S., which are dependent on the industry and type of personal information. (12) For example, information collected in the health care industry is more closely regulated due to the sensitive nature of patient-specific data. (13) The GDPR, however, requires each entity that deals with consumer data to appoint a Data Protection Officer. (14) The tasks of a Data Protection Officer are described in further detail in Article 39 of the GDPR. (15) The GDPR also includes provisions on how Data Protection Officers will be regulated, including provisions that delineate the consequences for violating the Regulation. (16) These consequences mostly consist of imposing administrative fines or penalties. (17) Companies may be subject to a fine of 4% of the company's worldwide annual turnover, which may not seem significant, but can potentially make a significant impact for large companies. These fines can be levied for a variety of noncompliance reasons, such as failing to implement basic processing principles or misapplying the rules to cross-border data transfers. (19) Higher fines will be imposed for egregious violations, such as the violation of the data subjects' rights. (20)

Technology plays an important role in the international economy and has made it easier for companies to operate on a global level. However, these companies have access and control over their consumers' sensitive personal data and have yet to perfect the protection of that data from outside intruders and governmental entities. (21) Because world is quickly shrinking as the development, use, and abuse of technology grows on a global scale, it is more important than ever to create parallels between EU and U.S. privacy laws. While the FTC's enforcement is stern, its power is limited in its reach due to the lack of wholly encompassing privacy laws. (22) Comparatively, the EU's privacy laws are extensive, but they lack in enforcement of those laws. As the Dutch Data Protection Authority Chairman, Jacob Kohnstamm, stated in a privacy panel about global privacy policies, "[T]he EU legislation and U.S. enforcement together is hell." (23) A thorough analysis of the differences between the U.S. and the EU's privacy laws and enforcement tactics is required to determine what approach is best going forward. Reconciliation between the U.S. and the EU's privacy laws is ultimately inevitable, but a timely resolution is essential to prevent potentially catastrophic global data breaches.

Part I of this Note will give a broad overview of the conception and development of contemporary privacy law. Part II will discuss the rise of U.S. and EU enforcement agencies and the differences of enforcement tactics between the two entities. Part III will incorporate the impact of developing technology on privacy rights and why technology plays an important role in our understanding and enforcement of privacy rights. Part IV will demonstrate the usefulness of reconciling differences between U.S. and EU enforcement tactics and privacy rights. Finally, Part V will propose possible avenues of reconciliation, based on the current state of privacy law. Overall, the aim of this Note is to lay out the differences in privacy right enforcement between the EU and the U.S. and to push for an integrated enforcement effort as technology increases the risk of privacy violations on a global scale.

I. DEVELOPMENT OF PRIVACY LAW

This section covers the chronological progression of privacy law in both the U.S. and the EU. In the U.S., the Fourth Amendment serves as the foundation for recognizing privacy rights for citizens, while in the EU, the passing of a French data protection law functioned as an introduction to privacy law. Though modern society requires some variances to accommodate for advancements in technology, the initial framework presented by these privacy law precursors remain relevant.

A. U.S. Privacy Law

Privacy law, being a relatively novel idea, developed at a similar pace in the U.S. and Europe. In the U.S., the Fourth Amendment was ratified in 1791 to protect citizens from governmental intrusions. (24) The framers of the Constitution recognized this right after incidents of the British government intruding upon colonial homes. (25) As Patrick Henry stated in 1788 when advocating for the Bill of Rights, "[t]hey may, unless the general government be restrained by a bill of rights, or some similar restriction, go into your cellars and rooms, and search, ransack, and measure, every thing you eat, drink, and wear. They ought to be restrained Within proper bounds." (26) The Bill of Rights, in general, was the founders' response to the colonials' lack of privacy within their homes. (27) However, many American privacy scholars will argue that the conversation of privacy rights within a legal context dates directly back to the 1890 Harvard Law Review article written by Samuel Warren and Louis Brandeis called "The Right to Privacy." (28) It was written as a direct response to the invention and widespread use of Kodak cameras in 1888, which changed the manner in which society was able to view and disseminate the intimate details of a stranger's life. (29) This article is most remembered for the section below:

Then the "right to life" served only to protect the subject from
                battery in its various forms; liberty meant freedom from actual
                restraint; and the right to property secured to the individual his
                lands and his cattle. Later, there came a recognition of man's
                spiritual nature, of his feelings and his intellect. Gradually the
                scope of these legal rights broadened; and now the right to life has
                come to mean the right to enjoy life,--the right to be let alone; the
                right to liberty secures the exercise of extensive civil privileges
                and the term 'property' has grown to comprise every form of
                possession--intangible, as well as tangible.... But if privacy is once
                recognized as a right entitled to legal protection, the interposition
                of the courts cannot depend on the particular nature of the injuries
                resulting. (30)
                

This section of text from the article serves as the foundational basis of the current tort of "invasion of privacy." (31) Warren and Brandeis' argued that the right of privacy was already 'recognized' by the common law by using a branch of cases that protected the injury of emotional harm from unwanted action or attention to demonstrate that the common law already protects privacy. (32)

Though the argument made by Warren and Brandeis is not incorrect in its conclusion that privacy has been historically protected by common law, their article failed to take into consideration future advancements in technology and the resulting impact of said technology on privacy rights. Currently, the privacy law framework consists of industry-specific legislation that requires a piecemeal approach to privacy law enforcement within the U.S. (33)

B. European Privacy Law

Alternatively, the European development of privacy law started in France. France was the first European country to enact a privacy law specifically addressing data protection in 1978. (34) The French Parliament placed penalties such as imprisonment and maximum fines for any individual, company, or government agency that collected or processed personal data without explicit authorization. (35) This significantly contributed to the creation of the "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data," which was enacted by the Council of Europe in 1981. (36) This document was the first major international privacy law policy addressing protection of personally identifiable data. (37) Shortly...