AMERICA rarely looks to the bureaucrats of Brussels for guidance. Commercial freedom appeals more than dirigisme. But when it comes to data privacy, the case for copying the best bits of the European Union’s approach is compelling.
The General Data Protection Regulation (GDPR) is due to come into force next month. It is rules-heavy and has its flaws, but its premise that consumers should be in charge of their personal data is the right one. The law lets users gain access to, and to correct, information that firms hold on them. It gives consumers the right to transfer their data to another organisation. It requires companies to define how they keep data secure. And it lets regulators levy big fines if firms break the rules.
America has enacted privacy rules in areas such as health care. But it has never passed an overarching data-protection law. The latest attempt, the Consumer Privacy Bill of Rights, introduced in 2012 by the Obama administration, died a slow death in Congress. The GDPR should inspire another try.
The failings of America’s self-regulatory approach are becoming clearer by the week. Large parts of the online economy are fuelled by data that consumers spray around without thought. Companies’ arcane privacy policies obfuscate what they do with their users’ information, which often amounts to pretty much anything they please. Facebook is embroiled in crisis after news that data on 87m users had been passed to a political-campaign firm. Identity-theft is widespread; the annual cost to American consumers exceeds $16bn, according to some estimates. On March 29th Under Armour, a clothing brand, said that hackers had gained access to information about 150m users of its MyFitnessPal app.
These scandals are changing the calculus about the benefits of self-regulation. Opponents of privacy legislation have long argued that the imposition of rules would keep technology companies from innovating. Yet as trust leaches out of the system, innovation is likely to suffer. If consumers fret about what smartphone apps may do with their data, fewer new offerings will take off—especially in artificial intelligence. It emerged this week that Grindr, a dating app aimed at gay people, had been sharing details of users’ HIV status with other firms. Tim Cook, the chief executive of Apple (which, admittedly, has sold itself on the idea that its customers’ data should not be a source of profit), has called privacy a “human right”. Even Mark Zuckerberg, Facebook’s boss, has signalled an openness to regulation. It is striking that many of the firms preparing for the GDPR’s arrival in Europe enthuse that the law has forced them to put their data house in order (see article).
The need to minimise legal fragmentation only adds to the case for America to adopt bits of the GDPR. One reason behind the new rules in the EU was to harmonise data-protection laws so that firms can do business across Europe more easily. America is moving in the opposite direction. States that have detected a need for greater privacy are drafting their own laws. California, for instance, has pending legislation that would establish a data-protection authority to regulate how the state’s big tech firms use Californians’ personal data.
Internationally, too, America is increasingly an outlier. Any American firm that serves European customers will soon have no choice but to comply with the GDPR; some firms plan to employ the rules worldwide. Other countries are adopting GDPR-style laws. A similar regime on both sides of the Atlantic would help keep data flowing across borders. The alternative, of a regulatory patchwork, would make it harder for the West to amass a shared stock of AI training data to rival China’s.
Putting the personal into data
America need not adopt the GDPR wholesale. The legislation is far from perfect. At nearly 100 articles long, it is too complex and tries to achieve too many things. The compliance costs for smaller firms, in particular, look burdensome. In addition, parts of the GDPR are out of step with America’s constitutional guarantee of free speech: a “right to be forgotten” of the kind that the new law enshrines will not fly.
But these are arguments for using the GDPR as a template, not for ignoring the issue of data protection. If America continues on today’s path, it will fail to protect the privacy of its citizens and long-term health of its firms. America’s data economy has thrived so far with hardly any rules. That era is over.