Paper 3

Summary of the GDPR and Google Controversy

The European Union’s (EU’s) General Data Protection Regulation (GDPR) is a consumer

data protection law which covers all companies which do business in the EU or with EU

citizens.1 The law compels those companies which collect information on Europeans to give their

users broader discretion in the kinds of data they can collect and keep. Google ran afoul of the

GDPR by failing to adequately disclose how it uses personal data to send out targeted

advertisements to its users.2

The Case for a U.S. GDPR

A data privacy law similar in scope and breadth to the GDPR is needed in the U.S.

Currently, there is “no single, comprehensive federal law regulating the collection and use of

personal data.”3 There are numerous federal laws that deal with consumer privacy, but there is no

single agency or process established for individuals to raise privacy violation claims like under

the GDPR. Many states have their own privacy laws, only some of which are preempted by

federal laws, which further confound the regulatory space. The U.S. should adopt its own

equivalent to the GDPR because this current mish-mash of regulation is inconsistent and

inadequate in protecting consumer data privacy.

The first reason why the federal government should adopt a law similar to the GDPR is

because the current consumer data privacy regime, constituted by a mosaic of federal and state

laws, is inconsistent. This inconsistency is a problem for both consumers and businesses. It can

be difficult for consumers to understand and assert their rights because there is no one standard

for data privacy across services and jurisdictions. For example, privacy rights are more stringent

1
Hern, “What is the GDPR and How Will It Affect You?”
2
Satarino, “Google is Fined $57 Million Under Europe’s Data Privacy Law”
3
Ieuan Jolly and Loeb & Loeb, “Data protection in the United States: overview”
Paper 3

in healthcare, where the federal Health Insurance Portability and Accountability Act of 1996

(HIPAA) governs, than in the terms of use for social media websites, in which there is no single

regulatory scheme, even though individuals have a vested privacy interest in both their health

information and their social media use.4 Businesses also suffer from this inconsistency. Just as

the inconsistency in state and federal privacy laws may be confusing to individuals, they can also

prove confusing to businesses who face repercussions for noncompliance.5 Take data privacy

breach laws, for example, which create requirements for how soon companies have to publicly

disclose that they have been hacked and that their customers’ privileged data has been released

as an example.6 States can set their own reporting requirements, creating a race to the bottom as

each state outdoes the others by setting stricter standards. While companies may be in

compliance in one state, that does not assure they will be in compliance in another state.

One might hope that this patchwork of privacy laws, with all their redundancies, creates

strong privacy protections for consumers. But this is not the case. Because there is no single law

which protects consumer privacy, there is also no single enforcement method for making sure

that violations don’t happen in the first place. The federal government’s consumer privacy beat

cop, the Federal Trade Commission (FTC), was never designed with protecting consumer

privacy in mind. The FTC therefore suffers from a lack of jurisdiction and resources to actually

enforce the FTC Act.7 For consumers to be better protected, regulatory enforcement needs to be

more systematic.

The Advantages and Disadvantages of State Consumer Privacy Regimes

Advantages

4
Findlaw, “Social Media Privacy Laws”
5
O’Connor, “Reforming the U.S. Approach to Data Protection and Privacy”
6
Embry, “State Data Breach Notification Laws Just Got Even Crazier”
7
Confessore and Kang, “Facebook Data Scandals Stoke Criticism That a Privacy Watchdog Too Rarely Bites”
Paper 3

State privacy laws provide a great advantage for residents of states that adopt them by

ensuring better and more up-to-date data privacy protections. California, for example, recently

passed its own comprehensive consumer privacy law which is modeled on the GDPR.8 Residents

of that state will benefit by having the rights to opt-out of having their data sold to third-parties

and to request that their personal information be deleted at any time. Allowing states to enact

sweeping consumer privacy laws where the federal government has failed ensures that

Americans who greatly care about their privacy have their interests met. State policy may also

serve as a model for future federal consumer privacy reform, as states often act as the

“laboratories of democracy.”9 Theoretically, states can preview new consumer privacy policies

before they go nationwide.

Disadvantages

However, while the states may make fine laboratories in other policy experiments, they

are not well suited to fill that role for data privacy regulation. As I have already stated, the

patchwork of privacy laws in the U.S. make it harder for companies to remain in compliance.

This lack of a universal standard means that some companies with inevitably take the risk of

being in noncompliance, potential risking user privacy and the consumers’ rights. But the

objection to state consumer privacy regimes is not just practical—it’s fundamentally an issue of

federalism. Interstate consumer protections typically fall under the province of the federal

government. The Commerce Clause exists to allow the federal government to harmonize

interstate trade for the economic benefit of the nation. Indeed, the first draft of the Commerce

Clause presented at the Constitutional Convention read that Congress could “legislate in all

8
McCreary, “The California Consumer Privacy Act: What You Need to Know”
9
Wiseman and Owen, “Federal Laboratories of Democracy”
Paper 3

cases…to which the States are separately incompetent, or in which the harmony of the United

States may be interrupted by the exercise of individual legislation.”10

While allowing state legislatures to create their own privacy laws may seem democratic,

it can actually undermine democracy at the national scale. Highly populous states like California

could end up setting national privacy standards as companies rush to ensure compliance with its

laws, effectively preempting the laws passed by other state legislatures. California consumers

may have different concerns and interests than consumers in other states, and the California

legislature can certainly not be said to represent the country as a whole. Consumer privacy

regulation is clearly an area where the federal government, and not the states, must reign

supreme.

GDPR’s Shadow

Formally, GDPR only protects EU citizens, but because the EU makes up a great deal of

the global market share, companies have found it easier to update their privacy policies

worldwide, so Americans have also benefitted from updated privacy policies issued by

international firms. And because nearly all companies have an online presence, even companies

which do not intentionally do business in Europe could have to comply with GDPR if their

websites collect information on the users who visit them.11 Therefore, while the GDPR is a

European law, it is effectively international in scope. That being said, Americans lack access to

the enforcement methods European citizens have in their countries. GDPR requires that member-

states create enforcement regimes domestically to facilitate complaint processes for alleged

violations of the law. Neither the FTC or any other U.S. agency is empowered to do the same in

10
Barnett and Koppelman, “Interpretation: The Commerce Clause”
11
Faitelson, “Yes, the GDPR Will Affect Your U.S.-Based Business”
Paper 3

the U.S. The GDPR may therefore spur international corporations to be more privacy conscious,

but it cannot directly protect U.S. consumers.

Bibliography

Barnett, Randy E., and Andrew Koppelman. "Interpretation: The Commerce Clause." The

National Constitution Center. Accessed March 15, 2019.

https://constitutioncenter.org/interactive-constitution/interpretations/section8-

commerce.

Confessore, Nicholas, and Cecilia Kang. "Facebook Data Scandals Stoke Criticism That a

Privacy Watchdog Too Rarely Bites." The New York Times. Last modified March

13, 2019. https://www.nytimes.com/2018/12/30/technology/facebook-data-privacy-

ftc.html.

Embry, Stephen. "State Data Breach Notification Laws Just Got Crazier." American Bar

Association. Last modified June 27, 2017.

https://www.americanbar.org/news/abanews/publications/youraba/2016/may-

2016/state-data-breach-notification-laws-just-got-crazier/.

Faitelson, Yaki. "Yes, The GDPR Will Affect Your U.S.-Based Business." Forbes. Last

modified December 4, 2017.

https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-

your-u-s-based-business/#46ef5ccc6ff2.

Findlaw. "Social Media Privacy Laws." Findlaw. Accessed March 15, 2019.

https://consumer.findlaw.com/online-scams/social-media-privacy-laws.html.
Paper 3

Hern, Alex. "What is GDPR and How Will It Affect You?" The Guardian. Last modified

August 2, 2018. https://www.theguardian.com/technology/2018/may/21/what-is-

gdpr-and-how-will-it-affect-you.

Ieuan Jolly, and Loeb & Loeb. "Data protection in the United States: overview." Westlaw.

Last modified October 1, 2018. https://content.next.westlaw.com/6-502-

0467?transitionType=Default&contextData=(sc.Default)&firstPage=true&bhcp=1.

McCreary, Mark G. "The California Consumer Privacy Act: What You Need to Know." New

Jersey Law Journal. Last modified December 1, 2018.

https://www.law.com/njlawjournal/2018/12/01/the-california-consumer-privacy-act-

what-you-need-to-know/.

O'Connor, Nuala. "Reforming the U.S. Approach to Data Protection and Privacy." Council

on Foreign Relations. Last modified January 30, 2018.

https://www.cfr.org/report/reforming-us-approach-data-protection.

Satariano, Adam. "Google Is Fined $57 Million Under Europe's Data Privacy Law." The

New York Times. Last modified January 22, 2019.

https://www.nytimes.com/2019/01/21/technology/google-europe-gdpr-fine.html.

Wiseman, Hannah J., and Dave Owen. "Federal Laboratories of Democracy." SSRN

Electronic Journal, 2017. doi:10.2139/ssrn.3076066.