1. Data privacy concerns entwined with anti-globalization
Anti-globalization has become a serious theme in Western countries. Right-wing and left-wing political movements converge on the issue. Centrist elites acknowledge that the great wave of borderless commerce since the end of the Cold War has imposed unanticipated, serious harm on local work forces.
Recent political developments around the world underscore the trend. A consensus is developing that something must be done, with no agreement on what. In addition, the nature of security risks has changed: both terrorism and financial and industrial crime increasingly inhabit the shadow world created by the Internet. At a base level, substantial constituencies are now re-examining the main economic drivers of the modern world, with potentially severe political and commercial ramifications.
The same dynamic of expansion and reaction now confronts the movement of data. On the one hand, most people recognize the benefits of technology. On the other hand, many scapegoat technology as the problem, and "security" and "privacy" serve as the surrogate targets for those concerns. They exert the same rallying power as "jobs," "income inequality" and "immigration," and "the cloud" and "networking" may inspire the same suspicions as "outsourcing" and "free trade." There is a major difference, however: there are no simple fixes for macroeconomic trends, but there is a sense that methods are available to address privacy concerns. These include law, regulation, technical controls and cyber warfare.
Concern about data privacy and security, whether for intrinsic reasons or as a vehicle to advance other agendas, has been building as a result of various high-profile incidents, including multiple reports of vast commercial hacking, Snowden's exposé of government surveillance activities, and cyber breaches of sensitive government personnel data. The tipping point may have been reached with the presumed Russian and WikiLeaks involvement in the US political process. Until those events occurred, "hacking" was considered something that occurred largely outside the overt political sphere, instead affecting private institutions (such as banks) and individuals (suffering identity theft) or occurring behind the closed doors of national security agencies. The extraordinary infiltration and disclosure of data from the Democratic Party, campaign officials and current and former US national leaders is vivid and tangible. Everyone can understand "if it can happen to them, it can happen to me." In this environment, data privacy and security issues may be manipulated, and related violations penalized, based on economic or political motivations.
2. US and EU approaches to data privacy have differed, but are converging
While there is no express general right to privacy in the US Constitution, several of its provisions (in particular, in the Bill of Rights) protect specific aspects of an individual's privacy,[i] and the Fourteenth Amendment is often interpreted (despite some prominent opponents[ii]) as guaranteeing a fairly broad right to privacy, an interpretation that has spawned several seminal Supreme Court cases.[iii] In addition, many US states recognize related torts, such as invasion of privacy, and protect rights of publicity. In Europe, privacy has a long tradition as a fundamental human right. It is enshrined in the European Convention on Human Rights, which is enforced by the dedicated European Court of Human Rights, and in the European Union's Charter of Fundamental Rights, and it is the cornerstone for a plethora of related privacy law, regulation and cases.
However, historically, the approach taken by each jurisdiction to the privacy of data about individuals has differed. The data privacy regime in the European Union ("EU") reflects the "fundamental human right" approach and generally expects "privacy by default." In contrast, the US has tended to focus instead on the constitutional right to free speech, transparency and the people's "right to know." In the EU, any encroachment on the overarching, universally applicable right to privacy of an individual's data requires a specific justification, rationale or "lawful basis." In the US, by contrast, any assertion of an inherent right to data privacy generally requires specific law-making or expanded interpretations of existing law (whether by legislatures, regulators or courts) to "create" a right that does not otherwise exist. The EU has an omnibus data privacy regime, applicable in all industries and to all businesses,[iv] while the US has a patchwork of laws and precedents in specific areas such as health care, higher education and financial services.[v] When it comes to the consent of an individual to the collection of data about them, the US takes more of a libertarian view, so individuals are largely considered free to consent to any use of their data by any means and in any circumstances, while in the EU an individual's consent can be challenging to establish and rely upon in certain circumstances (perhaps most notably within the employer-employee context[vi]).
When it comes to international business and relations, particularly across the Atlantic, these differences in approach and legal regime create tension. EU citizens and other stakeholders bemoan a lack of respect for EU data privacy laws by US businesses and government. EU courts have declared that the US does not provide "adequate protection" of personal data[vii] and have stretched territorial concepts to the limit in an effort to make global businesses headquartered outside the EU subject to EU data privacy laws.[viii] EU regulators have "upped the ante" by introducing new regulations with maximum fines calculated as a percentage of a business's worldwide revenues.[ix] Meanwhile, US businesses, which at home (outside certain sectors) have generally been free to use and monetize personal data as they see fit unless a contract or law specifically prevents them from doing so, have been frustrated by the EU legal regime and deterred from doing business in Europe. To many US businesses the EU regime appears to impose draconian and often entirely new compliance obligations. From a US perspective, the European approach jeopardizes profits and even existing business models, appears to be in a constant state of flux, and calls into question or invalidates entirely compliance mechanisms that were once considered adequate.[x]
Notably, the legal (and political) balance has at times appeared to be shifting toward the European approach to data privacy. In order to facilitate transatlantic data transfers, the US government recently made significant concessions on issues such as surveillance and the right of EU citizens to litigate data privacy complaints in US courts.[xi] In addition, while there is currently no EU-style omnibus data protection law in the US, there have been several moves to introduce one.
3. New privacy protection measures are rising in the US
The "holes" in the US patchwork grow smaller every day, with the regular introduction of new state and federal data privacy laws governing different issues, not to mention the FTC's increasingly active role in enforcing consumer data privacy and cybersecurity under the general umbrella of its authority over "unfair or deceptive" trade practices. There have also been several recent examples of a policy shift by big business in the US towards "privacy-first" principles as a compelling consumer offering, even in the face of demands for cross-border disclosure[xii] and calls for decryption of consumer data in extremely dramatic scenarios. Finally, the plaintiffs' class action bar has shown a growing interest in damages cases for hacking and for negligence on the part of hacked businesses.[xiv]
Government enforcement of law and policy is often the front line. However, there is a more serious enforcement mechanism at hand.[xv] The US pioneered the use of private litigation for the enforcement of public policy. Beginning over a hundred years ago with antitrust enforcement, followed by securities fraud, organized crime,[xvi] corporate corruption[xvii] and, most recently, terror financing, the private right of action has been a mainstay of US policy and jurisprudence. It is the substantive and economic basis of a large part of the US legal profession. While its use in the data privacy context has been limited so far, and many cases are dismissed for lack of a cognizable injury or harm, the situation has been much discussed, and it is likely only a matter of time before new laws address it.[xviii] New legislation, together with existing laws and case precedent, dramatically increases the pool of potential litigants and offers them ever more fertile opportunities to sue for data privacy incursions and violations, whether caused by external hacking or by internal mishandling (whether intentional, reckless or negligent). Government and private litigants often cooperate in pursuing enforcement targets, with the governmental parties seeking criminal or civil penalties and the private plaintiffs seeking money damages. This powerful combination can pose extreme, possibly existential, risk for business defendants, and it is the likely future of privacy enforcement.
There are many possible scenarios of business risk in the constantly evolving landscape of data privacy rights, cyber threat capabilities, and regional economic and political interests. As a result, implementing a robust data privacy regime requires more than solid data management and security practices. A company's global market strategy must increasingly anticipate how restrictions on data collection, use and transfer are likely to change over time, and its data privacy and security programs must be designed to respond to those changes faster than the competition.