Privacy's Constitutional Moment and the Limits of Data Protection

61 Boston College Law Review (Forthcoming 2020)

79 Pages Posted: 24 Aug 2019 Last revised: 20 Nov 2019

See all articles by Woodrow Hartzog

Woodrow Hartzog

Northeastern University School of Law and Khoury College of Computer Sciences; Center for Law, Innovation and Creativity (CLIC); Stanford Law School Center for Internet and Society

Neil M. Richards

Washington University School of Law; Yale Information Society Project; Stanford Center for Internet and Society

Date Written: August 23, 2019

Abstract

America’s privacy bill has come due. Since the dawn of the Internet, Congress has repeatedly failed to build a robust identity for American privacy law. But now both California and the European Union have forced Congress’s hand by passing the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). These data protection frameworks, structured around principles for Fair Information Processing called the “FIPs,” have industry and privacy advocates alike clamoring for a “U.S. GDPR.” States seemed poised to blanket the country with FIP-based laws if Congress fails to act. The United States is thus in the midst of a “constitutional moment” for privacy, in which intense public deliberation and action may bring about constitutive and structural change. And the European data protection model of the GDPR is ascendant.

In this article we highlight the risks of U.S. lawmakers embracing a watered-down version of the European model as American privacy law enters its constitutional moment. European-style data protection rules have undeniable virtues, but they won’t be enough. The FIPs assume data processing is always a worthy goal, but even fairly processed data can lead to oppression and abuse. Data protection is also myopic because it ignores how industry’s appetite for data is wrecking our environment, our democracy, our attention spans, and our emotional health. Even if E.U.-style data protection were sufficient, the United States is too different from Europe to implement and enforce such a framework effectively on its European law terms. Any U.S. GDPR would in practice be what we call a “GDPR-Lite.”

Our argument is simple: In the United States, a data protection model cannot do it all for privacy, though if current trends continue, we will likely entrench it as though it can. Drawing from constitutional theory and the traditions of privacy regulation in the United States, we propose instead a “comprehensive approach” to privacy that is better focused on power asymmetries, corporate structures, and a broader vision of human well-being. Settling for an American GDPR-lite would be a tragic ending to a real opportunity to tackle the critical problems of the information age. In this constitutional moment for privacy, we can and should demand more. This article offers a path forward to do just that.

Keywords: privacy, GDPR, trust, fair information practices, privacy reform, CCPA, data protection, consumer protection

Suggested Citation

Hartzog, Woodrow and Richards, Neil M., Privacy's Constitutional Moment and the Limits of Data Protection (August 23, 2019). 61 Boston College Law Review (Forthcoming 2020). Available at SSRN: https://ssrn.com/abstract=3441502 or http://dx.doi.org/10.2139/ssrn.3441502

Woodrow Hartzog (Contact Author)

Northeastern University School of Law and Khoury College of Computer Sciences ( email )

416 Huntington Avenue
Boston, MA 02115
United States

HOME PAGE: http://https://www.northeastern.edu/law/faculty/directory/hartzog.html

Center for Law, Innovation and Creativity (CLIC) ( email )

416 Huntington Avenue
Boston, MA 02115
United States

Stanford Law School Center for Internet and Society ( email )

Palo Alto, CA
United States

HOME PAGE: http://cyberlaw.stanford.edu/profile/woodrow-hartzog

Neil M. Richards

Washington University School of Law ( email )

Campus Box 1120
St. Louis, MO 63130
United States
314.935.4794 (Phone)

HOME PAGE: http://law.wustl.edu/faculty-staff-directory/profile/neil-richards/

Yale Information Society Project ( email )

New Haven, CT 06520
United States

Stanford Center for Internet and Society ( email )

559 Nathan Abbott Way
Stanford, CA 94305-8610
United States

Register to save articles to
your library

Register

Paper statistics

Downloads
295
Abstract Views
1,212
rank
105,274
PlumX Metrics