You have to use the internet.
Not just to read this story, but to live and work in the modern world. If that sounds highfalutin, that’s because it is: Internet access is a human right, according to the UN, just like the right to own property, start a family and seek asylum. Privacy’s on the list too, but the state of privacy on the internet is, well, on this week’s Make Me Smart, Kai Ryssdal used the phrase “apocolyptically hosed.”
After our conversation with Joel Reidenberg, Molly Wood mentioned European privacy regulations, noting they’re generally more consumer-focused than U.S. rules.
“Who is the focus of these laws? Is it about protecting us, and giving us all the information we need and allowing us to make informed choices?” she asked. “Or is it about allowing Comcast to keep up with Google and Facebook when it comes to business models that rely on your personal data? I think that is a tension that’s part of being American.”
That’s more or less true, according to experts we talked with. Especially as new regulations spread through the European Union, privacy laws abroad are generally more comprehensive, easy to understand and consumer-friendly than the laws in the U.S.
“[They have] this idea that privacy is something that’s quite central, that it could be thought of in terms of if property rights,” said Indiana University associate professor Scott Shackelford, who teaches cybersecurity law. “Having privacy be the starting point and carving out free speech.”
The U.S. does the reverse, Shackelford said. Free speech is paramount, and privacy protections are carved out as exceptions.
“You can see how both are valid in different ways, but they come to very different policy outcomes for sure,” he added.
We’ve pulled out a few examples:
It’s not a patchwork
Americans’ data are protected by a bunch of different regulations. The FCC is in charge of the rules concerning what data internet service providers, or ISPs, can and can’t sell. Health data is protected under federal Health Insurance Portability and Accountability Act, or HIPAA. The Federal Trade Commission enforces the Children’s Online Privacy Protection Act and cracks down on Instagram #sponcon. States have their own rules, too. It’s an alphabet soup: messy and inconsistent.
“The idea in the EU is you should have some control over your information,” said Henry Farrell, an associate professor of political science and international affairs at George Washington University. “There is some variation in enforcement across specific sectors, but basic principles apply for whatever commercial sector you’re in, so you don’t have the same kind of patchwork of legislation you have in the U.S.”
Enforcement is getting more consistant
Besides being spread out over a lot of different agencies, enforcement of American privacy laws changes wildly according to who’s in office. Those FCC rules concerning ISPs and privacy data? The FCC voted them through at the very end of the Obama administration, last October. With control of the Senate and House, Republicans rolled them back just a few months later.
The EU sees much smaller swings in policy as administrations change, Farrell said, because most member states aren’t as polarized as the U.S. Still, enforcement is often a “black box,” with inconsistent action from independent regulators. That will change as the new EU regulations roll out, Shackelford added.
“There is going to be a one-stop-shop, basically kind of one regulator, one supervisory authority for all EU data privacy law,” he said. “Which is going to be more efficient from the government perspective in Europe, and also for companies because they only have to deal with one entity across all 28 states. It’s really remarkable they were able to agree to that, because that’s not the case, for example, of the U.S. And we’re one country.”
Europeans don’t sweat the fine print (as much)
We talked a lot on the podcast this week about the huge terms of service and privacy policies most people blindly agree to. Even Reidenberg, the privacy expert, told us he mostly skims when he’s signing up for a new service. It’s kind of a calculated risk: You kind of have to hope you’re not blindly agreeing to tie your hands in a lawsuit or clear all your data to be bought and sold. It’s even scarier when you consider apps like Instagram that attract a younger user base.
Europeans have to sign similar stuff, but does it come with the same anxiety?
“Not nearly the same way, and the reason is European privacy law mandates that businesses basically have to adhere to a sense of basic privacy principles with regards to the way that they use your data,” Farrell said. “You know, the fact that there are certain things that they simply cannot do with your data. That is not true for U.S. consumers in the same way at all.”
Under the EU’s new rules, you also have a lot more control over how and when your data moves between services you use.
“If you switch from the equivalent of Comcast to U-Verse, Comcast has to get rid of all your search history when you switch if you request that,” Shackelford said. “So then that’s a big deal.”
Your data expires
Much was made a few years ago about the “Right to Be Forgotten,” an idea that lead Spanish authorities and later the European Court of Justice to scrub search results deemed “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.” In this case, an old news story about a businessman’s debts. That standard opened the floodgates to more requests, and sparked outrage from free speech advocates in the U.S.
The whole affair reaches back to that same idea of a policy “starting point.” Many Europeans think of privacy on a “temporal sliding scale, Shackelford said.
“German Chancellor Angela Merkel, 20 years from now, is going to have more privacy rights than she does the day that she leaves office,” he said. “That is very different in the U.S. Basically, once you’re in the public eye in the U.S., you’re always in the public eye, even if it’s in an involuntary kind of way.”