Von ERIC MALDONADO
In the wake of a leaked trove of insider documents and a whistleblower’s hearing in front of Congress, the world’s social media giant recently found itself thrust into the spotlight once again. And while this most recent Facebook scandal highlights unsavory practices and issues of Facebook, it may also serve to remind us of a separate but related issue: the United States needs more personal data protection. Compared to its transatlantic partner, the European Union (EU), the US might take note of how a more comprehensive data regime could be reached. In this comment, I highlight significant differences in the legal privacy regimes and briefly note how this incongruency may be remedied.
The Right to Privacy: Different on each side of the Atlantic
The EU explicitly recognizes privacy as a fundamental right. Articles 7 and 8 of that Charter provide for the right to privacy and the right to protection of personal data respectively, and since the ratification of the Lisbon Treaty in 2009, the Charter of Fundamental Rights of the EU has had legal standing and therefore been actionable at the Court of Justice of the European Union (CJEU). Moreover, the right to privacy has been refined and extended by relevant legislation. Specifically concerning personal data, the EU’s General Data Protection Regulation (GDPR) represents the most comprehensive legislation for the protection of personal data in the world.
An example is the famous Schrems judgement, a 23-yr old student from Austria filed a complaint to the Data Protection Commissioner to exercise his data protection rights and thereby prevent Facebook Ireland Inc. from transmitting his data to the US after revelations had been made about data surveillance practices in the US.
This action was referred to the CJEU and ultimately led to the invalidation of the US/EU Safe Harbor agreement, because the agreement could not guarantee adequate protection of his personal data, something incompatible with the relevant EU data protection law at the time (the Data Protection Directive). The result was the birth of a new agreement, the US/EU Privacy Shield that, at the end of 2020, was found to be incompatible with the GDPR in the Schrems II decision.
And although the results of these two major cases at the CJEU are not breaking news, the weight of the outcome, i.e., the fact that the US and EU are still negotiating a new agreement for data transmission, is serious disruption to the transatlantic flow of data and to the US/EU relationship. The EU takes privacy and personal data protection, incidentally both fundamental rights, seriously.
Across the Atlantic in the United States, the right to privacy and data protection are not as straightforward; The US has no explicit fundamental right to privacy.
The Supreme Court of the United States (SCOTUS) has long held through precedent that the right to privacy is a peripheral right of other fundamental freedoms and rights provided by the Bill of Rights and the seventeen other Amendments to the US Constitution.
The notoriously nebulous right to privacy in US Constitution has been held by the SCOTUS to be a peripheral right of the Constitution as far back as 1891 in Union Pacific Railway Co. v. Botsford. In Griswold v. Connecticut, then later Roe v. Wade the Court further held that the right to personal privacy exists and cannot be encroached upon by States‘ laws.
That said, digital privacy still has a long way to go. Although Congress has passed laws that provide for privacy in very specific circumstances like credit information, medical records, and telecommunications, examples of scandals like Cambridge Analytica and the Edward Snowden leaks show that there is significant room for progress in legally protecting the privacy of personal data in the United States.
While there have been significant efforts at the State level, such as a toothy data protection legislation in California that resembles the GDPR, a significant protection of personal data at the federal level has yet to pass as law.
The application of competition law as a means of protecting privacy
The conjunction of competition law and privacy law represents an awareness of the value of data and the role it plays in the modern digital economy. Because data is recognized as a capital good and businesses now have an incentive to collect as much personal data on users as possible. The ability to collect data on users now directly contributes to the market power of entities.
A major example of this trend is the precedent set in the 2019 decision of Germany’s competition authority, the Bundeskartellamt, in which it found that Facebook had violated both competition law and personal data protection law.
The Bundeskartellamt found that Facebook had abused its dominant position in the social media market with coercive data collection tactics. By making the use of its platform(s) contingent upon the consent to the collection of personal data, Facebook was stripping its users of the ability to effectively consent to data collection practices as required by the GDPR. This ability moreover stemmed from Facebook’s dominant position.
It was determined therefore that this practice was an abuse of a dominant position and illegal under German competition law. With its decision, the Bundeskartellamt gave weight to the relation between personal data and market power.
The United States now has an opportunity to follow suit. It can now take action to develop a more comprehensive protection of personal data without amending its Constitution or passing a sweeping federal law. The appointment of Lina Khan as chair of the American competition authority, the Federal Trade Commission (FTC), presents an opportunity for competition law to be used to protect the personal data privacy of digital consumers. Khan’s notable research on the effects data has on market power suggests she would be open to protecting the personal data of digital consumers in such a way. She has moreover explicitly stated that in her tenure as director, one of her goals is to give the FTC additional rulemaking authority.
There are a litany of voices calling for additional regulation – some concerned with its de facto status as a gatekeeper to digital markets, and others from its own employees. With that the US can hopefully catch up to Europe’s galloping data regime and further pushes to crack down on Big Tech.A firm transatlantic relationship is key to maintaining the western liberal democracy that it represents. Europe and the US need to focus on deepening their cooperation and harmonization of key policies to remain united against confirmed cyber threats and attacks around the globe. Should the US and EU continue to diverge on data policies, they run the risk of weakening themselves. A house divided against itself cannot stand.
Maldonado, Eric, The U.S. should defend privacy with competition law, JuWissBlog Nr. 95/2021 v. 29.10.2021, https://www.juwiss.de/95-2021/.
Dieses Werk ist lizenziert unter einer Creative Commons Namensnennung – Nicht kommerziell – Keine Bearbeitungen 4.0 International Lizenz.