Follow the European model on privacy rights
Americans haven't had much good news about their privacy since Edward Snowden launched his soap opera of National Security Agency revelations last June. True, the president, Sen. Dianne Feinstein and Patriot Act co-author Rep. Jim Sensenbrenner finally are distancing themselves from the most outrageous snooping. But it hasn't stopped.
According to The New York Times, a request from one U.S. phone company to cease sharing its records with the NSA was rebuffed in March by the Foreign Intelligence Surveillance (Act) Court, the secret federal tribunal that mostly seems to specialize in saying “yes” to surveillance.
About half of Americans tell pollsters they are alarmed by these trends. Others appear resigned to a pervasive loss of privacy as the inevitable cost of life in an information society. But there is no reason to draw such a dire conclusion. Europe does much better at defending its citizens' privacy. At about the same time the FISA court was upholding NSA claims on Americans' telecommunications data, the European Court of Justice in Luxembourg ruled to precisely the opposite effect. It struck down laws mandating long-term retention of consumers' telecommunications data.
In strong language, the court cited the lack of adequate safeguards “against the risk of abuse and against any unlawful access and use of the data” as a threat “to respect for private life and to the protection of personal data.”
Why don't we find American courts issuing such sweeping defenses of privacy? Much of the explanation surely lies in the contrasting legal strategies and principles adopted by this country and by Europe.
Europe has created rights applying to government and private-sector treatment of personal data in general across different institutions and contexts of use. These broad privacy rights were established in a directive adopted by the European Parliament and the Council of the European Union in 1995 and are now being updated. Among other things, the privacy directive prohibits “secondary” release of personal information. This is the sharing of such data for purposes other than those for which they are originally provided — in the course of retail sales, for example, or medical care delivery or charitable giving.
American privacy law, by contrast, establishes no such broad rights.
A number of American privacy advocates have proposed creating some form of residual right over commercial reuse of personal data so that data provided in one setting (online sales, for example, or website visits) could not be sold or traded for further use without permission. Such new rights would resemble an author's copyright over her work or a property right over commercial exploitation of personal data or a fiduciary obligation binding on parties entrusted with such data.
Celebrities already enjoy rights something like this over the commercial use of their names and images. No one may open a restaurant named after a sports hero or movie star without permission from (and, normally, compensation to) that athlete or actor.
The European model is feasible. But only if ordinary Americans grasp that dramatic alternatives exist to current, privacy-eroding practices, and demand strong, comprehensive privacy rights.
James B. Rule, a researcher at the Center for the Study of Law and Society at UC Berkeley, is the author of “Privacy in Peril: How we are Sacrificing a Fundamental Right in Exchange for Security and Convenience.”