The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures

The European Commission’s release in late January 2012 of its proposed "General Data Protection Regulation" provides a perfect juncture to assess the ongoing EU-U.S. privacy collision. An intense debate is now occurring around critical areas of information policy, including the rules for lawfulness of personal processing, the "right to be forgotten," and the conditions for data flows between the EU and the United States.

This Article begins by tracing the rise of the current EU-U.S. privacy status quo. The 1995 Data Protection Directive staked out a number of bold positions, including a limit on international data transfers to countries that lacked "adequate" legal protections for personal information. The impact of the Directive has been considerable. Yet, the United States proves an outlier to the story of international information privacy law. As an initial matter, the EU is skeptical regarding the level of protection that U.S. law actually provides. Moreover, despite the important role of the United States in early global information privacy debates, the rest of the world has followed the EU model and enacted EU-style "data protection" laws. At the same time, the aftermath of the Directive has seen ad hoc policy efforts between the United States and EU that have created numerous paths to satisfy the EU’s requirement of "adequacy" for data transfers from the EU to the United States. This Article argues that this policymaking has not been led exclusively by the EU, but has been a collaborative effort marked by accommodation and compromise. It then analyzes the likely impact of the Proposed Regulation on Data Protection, which is slated to replace the Directive. The Proposed Regulation threatens to destabilize the current privacy policy equilibrium and prevent the kind of decentralized global policymaking that has occurred in the past. The Proposed Regulation overturns the current equilibrium by heightening certain individual rights beyond levels that U.S. information privacy law recognizes. It also centralizes power in the European Commission in a way that destabilizes the policy equilibrium within the EU, and thereby threatens the current policy processes around harmonization networks. To avert the privacy collision ahead, this Article advocates modifications to the kinds of institutions and procedures that the Proposed Regulation would create.
