Harvard Law Review

Comparative Law

The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures

Internet scholarship in the United States generally concentrates on how decisions made in this country about copyright law, network neutrality, and other policy areas shape cyberspace. In one important aspect of the evolving Internet, however, a comparative focus is indispensable. Legal forces outside the United States have significantly shaped the governance of information privacy, a highly important aspect of cyberspace, and one involving central issues of civil liberties. The EU has played a major role in international decisions involving information privacy, a role that has been bolstered by the authority of EU member states to block data transfers to third party nations, including the United States.

The European Commission’s release in late January 2012 of its proposed “General Data Protection Regulation” (the Proposed Regulation) provides a perfect juncture to assess the ongoing EU-U.S. privacy collision. An intense debate is now occurring about critical areas of information policy, including the rules for lawfulness of personal processing, the “right to be forgotten,” and the conditions for data flows between the EU and the United States.

This Article begins by tracing the rise of the current EU-U.S. privacy status quo. The European Commission’s 1995 Data Protection Directive (the Directive) staked out a number of bold positions, including a limit on international data transfers to countries that lacked “adequate” legal protections for personal information. The impact of the Directive has been considerable. The Directive has shaped the form of numerous laws, inside and outside of the EU, and contributed to the creation of a substantive EU model of data protection, which has also been highly influential.

This Article explores the path that the United States has taken in its information privacy law and explores the reasons for the relative lack of American influence on worldwide information privacy regulatory models. As an initial matter, the EU is skeptical regarding the level of protection that U.S. law actually provides. Moreover, despite the important role of the United States in early global information privacy debates, the rest of the world has followed the EU model and enacted EU-style “data protection” laws.

At the same time, the aftermath of the Directive has seen ad hoc policy efforts between the United States and EU that have created numerous paths to satisfy the EU’s requirement of “adequacy” for data transfers from the EU to the United States. The policy instruments involved are the Safe Harbor, the two sets of Model Contractual Clauses, and the Binding Corporate Rules. These policy instruments provide key elements for an intense process of nonlegislative lawmaking, and one that has involved a large cast of characters, both governmental and nongovernmental.

This Article argues that this policymaking has not been led exclusively by the EU, but has been a collaborative effort marked by accommodation and compromise. In discussing this process of nonlegislative lawmaking, this Article will distinguish the current policymaking with respect to privacy from Professor Anu Bradford’s “Brussels Effect.” This nonlegislative “lawmaking” is a productive outcome in line with the concept of “harmonization networks” that Professor Anne-Marie Slaughter has identified in her scholarship. “Harmonization networks” develop when regulators in different countries work together to harmonize or otherwise adjust different kinds of domestic law to achieve outcomes favorable to all parties.

The Article then analyzes the likely impact of the Proposed Regulation, which is slated to replace the Directive. The Proposed Regulation threatens to destabilize the current privacy policy equilibrium and prevent the kind of decentralized global policymaking that has occurred in the past. The Proposed Regulation overturns the current balance by heightening certain individual rights beyond levels that U.S. information privacy law recognizes. It also centralizes power in the European Commission in a way that destabilizes the policy equilibrium within the EU, and thereby threatens the current policy processes around harmonization networks.

To avert the privacy collision ahead, this Article advocates modifications to the kinds of institutions and procedures that the Proposed Regulation would create. A “Revised Data Protection Regulation” should concentrate on imposing uniformity only on “field definitions,” that is, the critical terms that mark the scope of this regulatory field. The Revised Regulation should be clear that member states can supplement areas that do not fall within its scope with national measures. This approach would leave room for further experiments in data protection by the member states. The Revised Regulation should also alter the currently proposed procedures to limit the Commission’s assertion of power as the final arbiter of information privacy law.