‘Towards a Transatlantic Concept of Data Privacy’ by Erdem Büyüksagis in (2019) 30(1)
Fordham Intellectual Property, Media and Entertainment Law Journal comments
Due to ever-growing big data and the ease with which information can be transmitted over the Internet, it has become more complicated for individuals to enjoy their rights to access, to rectify and erase personal information, and for the judiciary to apply conventional privacy law rules, such as consent, transparency, and purpose limitation. On both sides of the Atlantic, this phenomenon has motivated legislatures and courts to extend protective measures in data privacy. Nevertheless, data protection standards in the United States and the European Union (‘EU’) appear to many observers to be radically different and even mutually incompatible. The European Court of Justice’s ruling in Google Spain led many to assume that EU law gives more importance to data protection than does US law.
In this Article, I argue that the United States and the EU do in fact give similar levels of legal and regulatory protection to private data. Despite the Google Spain decision, the absence of an explicit reference to privacy or data protection in the US Constitution, and cultural differences regarding the value placed on privacy between these jurisdictions, critics have not offered any convincing arguments to show that either the perception of privacy or the consequences of its violation are radically different in the United States and in Europe. First, when assessing whether private data gathered by governments agencies or private businesses ought to be made available to the general public, courts in both jurisdictions take into account the nature of the information in question, its sensitivity for the data subject’s privacy, the data subject’s identity, the reasons behind the storage and disclosure of the information, and the public’s interest in the information. My point is illustrated by the fact that courts in the United States and the EU rely upon similar tests to deal with potential data breaches. Second, particularly since the adoption of the General Data Protection Regulation, data protection is on the agenda of a number of state legislatures in the United States. The adoption of the California Consumer Privacy Act constitutes a non-negligible shift in the nation’s data privacy regime, since its effective territorial reach will not be limited to California, but will involve all the states given as the headquarters of hundreds of high technology companies that are based in the region commonly known as ‘Silicon Valley’.
My analysis leads me to the conclusion that the regulatory and case law developments on both sides of the Atlantic hint at a harmonization process of data protection standards because of the ever-growing recognition of the need for specific data protection laws and their substantive convergence.