The following exchange occurred during a conversation between a representative of a U.S. technology company and a European data protection authority (DPA):
Company representative: Your data protection law is making it impossible for us to offer our technology in Europe!
DPA: It is your technology that has to adapt to our legal system, not the other way around!
The question of whether legal requirements should determine how technology and business models are structured, or whether the law should bend to technological and business imperatives, is at the root of the many of the differences between the EU and U.S. approaches to data privacy. And the differing status of privacy as a constitutional or human right underlies how this question is dealt with in the two systems.
There are major differences in how the two systems protect data privacy at a constitutional or human rights level. The U.S. Constitution does not mention the term “privacy”, but the Fourth Amendment protects against unreasonable searches and seizures by the government, and the U.S. Supreme Court has construed other constitutional provisions—such as the Due Process Clause of the Fourteenth Amendment—to create privacy rights in certain circumstances.
Data protection and privacy rights are explicitly recognized in the treaties that form the constitutional basis of the EU. In addition, they are protected as fundamental rights in the constitutions of various EU member states and by rulings of the highest European and member state courts.
The U.S. system protects constitutional rights only against government action, whereas in the EU the state has a duty to protect the privacy of individuals against violations by nongovernmental actors as well.
Privacy is generally protected in the U.S. as a “negative” right that obliges the government to refrain from taking actions that would violate constitutional rights; by contrast, in the EU, the state also has a constitutional obligation to affirmatively protect privacy rights.
In the U.S., by definition, a constitutional right is only protected if it can be found to derive from the U.S. Constitution. However, in the EU, human or fundamental rights—including data privacy—constitute so-called “general principles of law” that apply mandatorily even if they do not directly derive from a specific constitutional source.
These differences lead to transatlantic tensions. Americans often seek to treat data protection as a trade issue, while in the EU its status as a fundamental right means that it cannot be dealt with solely as a commercial matter—which will inevitably put the two sides on a collision course during forthcoming negotiation of the EU-U.S. Free Trade Agreement.
The constant reference in U.S. parlance to persons as “consumers” also grates on European sensitivities, which regard human beings as individuals with inalienable rights rather than merely as participants in the marketplace.
For their part, Europeans are often ignorant of the long tradition under U.S. law of protecting privacy against government intrusion. An eminent European academic has remarked to me that U.S. law has protections against governmental intrusion on privacy that the EU should envy.
Even the most respected legal commentators have sometimes been misled by differences in the EU and U.S. constitutional systems for privacy protection. For example, in his seminal 2004 article in the Yale Law Journal, Prof. James Q. Whitman argues that privacy protection in the EU is based on the protection of personal dignity—as in the sense of one’s personal honour—whereas actually its basis is the constitutional concept of human dignity—which requires respect for a person’s individual worth as a human being.
Insufficient attention has been devoted to resolving transatlantic misunderstandings over the status of privacy and data protection as a human right. For example, why do the EU and U.S. agencies negotiating data privacy matters not establish an ongoing initiative to help them better understand the basic constitutional concepts on which each other’s systems of privacy rights are based?
All this suggests that the EU and the U.S. will have to invest much more effort to increase mutual understanding of their differing systems for the protection of constitutional rights if there is to be a transatlantic accommodation on data privacy.