How GDPR Is Driving the US Privacy Legislation Debate


While US companies might dominate the tech industry, the European Union is leading the way on digital rights. By regulating a key part of the global market, the EU has put data protection on the agenda around the world. In the United States, reeling from the realisation that the control of data affords Big Tech enormous economic and political power, politicians from both sides are now calling for reform.

As the EU approaches the one-year anniversary of its General Data Protection Regulation (GDPR), the privacy debate has arrived on the other side of the Atlantic. Democratic presidential candidates in the United States campaign on cracking down on Big Tech’s abuse of personal data. Facebook prepares to be fined up to 5 billion dollars for privacy violations by the Federal Trade Commission and is reportedly willing to subject itself to government oversight.

Facebook and Google have adjusted their messaging to the new “privacy zeitgeist”, as US media have started to call it. “The future is private”, Facebook chief executive Mark Zuckerberg said at the network’s developer conference in April. “Privacy should not be a luxury good,” Google’s chief executive Sundar Pichai wrote in the New York Times.

The privacy zeitgeist has also reached the US Congress. Not too long ago, data privacy was dismissed as a European obsession on Capitol Hill. This spring, hardly a week passes in Washington DC without a hearing on how to rein in Big Tech.

For the US, the 2018 Cambridge Analytica scandal, in which data of some 87 million American Facebook users were used for political advertising for the campaign of now-President Donald Trump, was a watershed similar to the EU’s discovery of Edward Snowden’s revelations in 2013. The outrage over the US National Security Agency using Silicon Valley companies to spy on Europeans helped Jan Philipp Albrecht, the former Green MEP and lead negotiator on data protection, to fend off industry lobbying to shepherd a strong version of the bill through the European Parliament in 2016.

The EU has since promoted its law as the global gold standard – taunting the US to catch up in the race for digital governance. In a speech in Washington DC this April, European Justice Commissioner Věra Jourová presented the EU as the “people-friendly camp” and lumped the US and China, which limits the free flow of data and monitors its population with algorithms, together in a camp with “lax controls of privacy in the name of business or government interest.” “I would like to ask the US to join our camp”, she told the audience.

So far the EU is enjoying its first-mover advantage. In the United States, consensus for a data protection regime as strong as GDPR is lacking, but officials privately admit that time is running out for presenting an alternative. Countries around the world are beefing up their data protection laws to meet EU criteria for cross-border personal data exchange. The EU has struck equivalency agreements with six countries – most recently in January 2019 with Japan – and with US firms that adhere to the EU-US “Privacy Shield” arrangement. Large US companies have spent millions on GDPR compliance to remain able to provide their services in the EU.

The next compliance headache for these businesses is right around the corner. In the absence of federal action, several US states have passed or are debating their own privacy laws, among them California, home to Apple, Facebook, and Google. The California Consumer Privacy Act (CCPA) was passed in 2019 and will take effect in January 2020.

The California law puts pressure on lawmakers in DC to find a national solution. Industry leaders have made it clear that they prefer unified rules to a patchwork of legislation. In an op-ed for the Washington Post, Facebook’s Mark Zuckerberg called for a “more active role for governments and regulators”.

But it is fair to say that what Zuckerberg has in mind is a far cry from the protections GDPR bestows on EU residents. “Business groups are fighting on two fronts: they are trying to either gut the California law or to pre-empt it in DC”, says Adam Schwartz, senior attorney at the Electronic Frontier Foundation (EFF), an international digital privacy group based in San Francisco. State lawmakers have introduced several amendments that would make the law more friendly to business. At the same time, industry pushes for a softer federal law that will overrule (“pre-empt”) existing state legislation.

The tough battle against the California law may seem surprising. European data privacy officials privately call CCPA a “GDPR ultra-light”. Under the law, Internet users will be able to opt out of the sale of their data, but not of the collection. Unlike GDPR, the law applies to businesses but leaves out public organisations. That means, for example, that many giant US hospitals that are registered under a non-profit status would not be covered. CCPA’s enforcement mechanisms and resources would have to be significantly enhanced to be considered equivalent to independent data protection agencies in the EU.

For critics in the US, especially among industry and Republicans, GDPR has become a bogeyman for over-regulation with the potential to harm businesses (through compliance costs, fines and litigation) and undermine national security (by making it harder to track criminals online).

But even fierce privacy advocates in the US are wary of some parts of GDPR. Most agree that a “right to be forgotten” by search engines would never find its way into any US legislation as it might clash with the strong protections for free speech (including “commercial speech”) in the US constitution’s First Amendment. “GDPR is not seen as a template, but as an inspiration”, says Schwartz from EFF.

There is indeed huge interest to learn from the EU’s experience. The European data protection commissioners from the UK, Ireland, Germany, Austria, and France dominated the panels at the annual conference of the International Association of Privacy Professionals in DC this May. Testifying before the Senate Commerce Committee, Ireland’s commissioner Helen Dixon reported about 18 investigations against major tech companies in her country, 11 of which involved Facebook and its subsidiaries WhatsApp and Instagram.

On both sides of the debate, US observers wonder how far EU authorities will actually go in imposing fines, which according to GDPR could be as high as 4 per cent of a company’s annual global revenue. The biggest fine imposed so far – Google was ordered to pay 50 million euro for a violation in France – is a far cry from that.

It also seems minuscule compared to the proposed US Federal Trade Commission fine for Facebook of up to 5 billion dollars. But unlike European data protection authorities, the commission does not have the authority to issue fines for original privacy and data security violations. When it found in 2012 that Facebook had deceived its customers by promising them to keep their information private and then repeatedly allowing it to be shared and made public, it could only order the company to remedy its behaviour. More than six years later, the commission can now seek to impose a civil penalty after concluding that Facebook has violated the 2012 consent order.

On both sides of the Atlantic there is a growing sense that stricter privacy laws and fines will not be enough to rein in Facebook, a network that wields much power over citizens’ data and controls access to a range of interconnected internet services. In the US, a bipartisan pair of senators, Richard Blumenthal and Josh Hawley, expressed their concern that even the anticipated fine of up to 5 billion dollars – which would be the largest ever levelled against a US company – would only amount to a “slap on the wrist” for Facebook.

There is a growing chorus of critics who believe that Big Tech is ultimately an anti-trust issue. “It’s time to break up Facebook”, Chris Hughes, one of the platform’s co-founders wrote in a May 9 op-ed in the New York Times, echoing similar calls by the Democratic Senator from Massachusetts and presidential candidate Elizabeth Warren.

“We need to tie the giant with a thousand pieces of string”, says Barry Lynn, director of the Open Markets Institute, a non-profit group in DC that fights corporate monopolies. Lynn admires Germany’s competition watchdog, the Bundeskartellamt, for ruling earlier this year that Facebook’s practice of collecting user data outside of the network (from the Facebook-owned services WhatsApp and Instagram or from third-party websites with Facebook Like and Share buttons) without prior user consent amounted to an abuse of market dominance.

The battle is on – even if both sides of the Atlantic end up with different definitions of privacy. “Facebook is a direct threat to our democracy”, says Lynn. “Americans don’t get excited about privacy, but they do get angry when powerful people use their data to manipulate them.” Whether or not the US manages to devise its own GDPR-style privacy law before next year, the future is unlikely to be business as usual for Big Tech.

This article was originally published in the Green European Journal on May 21, 2019.