The unpersuasive and exceptionalist 'How Law Made Silicon Valley' by Anupam Chander in Emory Law Journal (Forthcoming) presumably exhorts us to try harder, commenting that
Explanations for the success of Silicon Valley focus on the confluence of capital and education. In this article, I put forward a new explanation, one that better elucidates the rise of Silicon Valley as a global trader. Just as nineteenth century American judges altered the common law in order to subsidize industrial development, American judges and legislators altered the law at the turn of the Millennium to promote the development of Internet enterprise. Europe and Asia, by contrast, imposed strict intermediary liability regimes, inflexible intellectual property rules, and strong privacy constraints, impeding local Internet entrepreneurs. The study challenges the conventional wisdom that holds that strong intellectual property rights undergird innovation. While American law favored both commerce and speech enabled by this new medium, European and Asian jurisdictions attended more to the risks to intellectual property rights-holders and, to a lesser extent, ordinary individuals. Innovations that might be celebrated in the United States could lead to jail in Japan. I show how American companies leveraged their liberal home base to become global leaders in cyberspace. Nations seeking to incubate their own Silicon Valley must focus not only on money and education, but also a law that embraces innovation.Chander goes on to discuss privacy as follows -
European Union – Privacy
As James Whitman describes, European privacy law is a world away from the American laissez faire approach. In October 1995, at the same time that the Clinton Administration was declaring its support for industry self-regulation, the European Union was announcing its elaborate and demanding Data Protection Directive. The 1995 Directive requires “unambiguous” consent before the automated processing of personal information. It further requires that information that is gathered must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Rather than a sectoral approach imposing obligations on certain health care and financial providers, European law offers omnibus protections covering all personal information. Certain categories of information processing—political, health, or sex-related information—are regulated even more tightly. The Directive requires that data controllers secure personal data against accidental or unauthorized disclosure. This Directive posed significant constraints on Web 2.0 enterprises, limiting their information gathering and sharing functions.
A 2002 directive, the Privacy and Electronic Communications Directive (the “E-Privacy Directive”), added yet more constraints. The E-Privacy Directive included a broad requirement to ensure the confidentiality of communications, and banned the “surveillance of communications” without the consent of the user. The Directive required “clear and comprehensive information” before a company could store information such as cookies (used to track web behavior), and required the site to offer opt-out of cookies. Such rules complicated the behavioral monitoring necessary for targeted advertising. They made it difficult to garner the datasets about an individual that might enable companies to know better how to cater to his or her interests (and means). Over the years, the E-Privacy Directive was interpreted and amended in ways that largely confirmed its constraints on tracking and information gathering, thus disabling sophisticated marketing capabilities.
The astonishing reach of the Data Protection Directive can be seen in the case known as Criminal Proceedings Against Bodil Lindqvist. Lindqvist was a Swedish parishioner who published a website to assist fellow churchgoers in their confirmation process. She published personal information about her fellow parishioners on this site without their consent, including the fact that one person had “injured her foot.” For this, she was criminally prosecuted under the Swedish law implementing the Data Protection Directive. The European Court of Justice held that Lindqvist had indeed violated European privacy law because she had processed personal information about others (by making it available on the web), without their permission. What would have been readily protected under the First Amendment in the United States was subject to criminal prosecution in Europe.
In another notorious case, Google executives were convicted in Italy of crimes against privacy for not taking down rapidly enough a video ridiculing a disabled child. The executives were convicted specifically of the crime of “illicit treatment of personal data” (trattamento illecito dei dati) because “with the purpose of obtaining a gain they participated in the processing of the video [by distributing it through YouTube] containing health data of the disabled teenager without his consent.” The February 2010 convictions were overturned on appeal in December 2012, but the convictions demonstrated the ambiguities of a a law that might sentence internet executives for not policing their services sufficiently. This case again demonstrates what James Whitman describes as the “‘radically different’” laws on both sides of the Atlantic on the liability of Internet providers for privacy offenses.
South Korea – Privacy
South Korean law offers substantial omnibus protections for privacy online. South Korea’s 2001 Act on the Promotion of Information and Communications Network Utilization and Information Protection (the “Network Act”) was modeled in part on the OECD Guidelines, as well as the German Online Service Data Protection Act (Teledienstedatenschutzgesetz) of 1997, which was itself passed to implement the 1995 European Data Protection Directive. The Network Act requires data processors to “obtain as little amount of personal data as required for the provision of the services,” obtain consent of the data subject for data processing, and safeguard security of the data. Failure to comply can result in fines, imprisonment or both. (By contrast, even the United States Children’s Online Privacy Protection Act does not include criminal sanctions.) In 2011, Korea passed an additional data protection law, the Personal Information Protection Act, which, among other things, established a right to file class actions in court over alleged violations of the law. The new law requires privacy assessments by large database developers. Wherever there is an overlap between PIPA and other privacy protections, the stronger provisions will apply.
Korean privacy law is not a paper tiger. The law establishes a standing committee to mediate personal information disputes, with the power to award enforceable awards once mediation is selected. The committee awards compensatory damages “in almost all cases” where a privacy breach is found, with damages typically ranging from U.S. $100 to U.S. $10,000. The Korean authorities receive more than 17,000 complaints per year.
Japan – Privacy
Japan enacted an omnibus privacy statute, the Personal Information Protection Act, in 2003. While explicit consent does not seem to be required before the collection of personal information, businesses cannot obtain information personal information from individuals by “fraudulent or other unfair means.” The data collector must provide notice of the intended uses of the data. If plans change for the use of the information, “the change must not exceed the scope ‘reasonably recognized as having an appropriate connection with the original [p]urpose of [u]se.’” Businesses cannot share personal information with third parties without the consent of the data subject. Businesses also have security obligations with respect to the personal data. Japan does not provide a private cause of action for data privacy violations, and even though consumer centers and the government receive over 12,000 complaints per year, the enforcement record remains unclear.