The Privacy Advisor | Why Is the U.S. on the Defensive?

Relative to the European Union, the U.S. has spent the last two decades on the defensive regarding privacy. General acceptance of three major contentions has facilitated this defensive posture:

  • U.S. privacy laws are generally directed at sectors—particular industries or groups—whereas EU privacy law covers all personal information in all contexts. And everyone knows that omnibus laws are superior.
  • The U.S. has “inadequate” privacy laws.
  • And more recently, the National Security Agency (NSA) uniquely, and in an unchecked fashion, is vacuuming up an enormous amount of personal information.

Many in the U.S. believe the nation’s privacy laws should be modified to guard against over-zealous corporate and governmental abuse of personal information. But does this necessitate the conventional wisdom that actual privacy levels are greater in the EU than in the U.S.—a conclusion that even many in the U.S. accept as Gospel? Perhaps it is time to make an objective assessment of the accuracy of each of the three contentions above and whether conventional wisdom is correct.

Omnibus Is Superior to Sectoral, Right?

Is it written in the stars that an omnibus privacy regime is generally superior to a regime where each law is directed at a particular sector? And if so, does it remain so even for a sectoral regime that is context-focused, concentrates on personal information whose abuse would likely lead to harm and fits its protection to that information as the hand fits the glove? Does an omnibus law protect health information better than a statute explicitly directed only to health information; e.g., HIPAA? Does an omnibus law protect financial information—a category not even deemed particularly sensitive by the EU—better than a statute explicitly directed at financial information; e.g., the Gramm-Leach-Bliley Act? And does information regarding trade union membership really merit protection on the same level as health information, as required by EU law?

It is true that the U.S. sectoral regime does not cover the entire privacy umbrella. For example, there is no U.S. law specifically directed at data brokers, a sector that some believe should be covered.

Uncovered sectors result when legislatures deem certain personal information undeserving of protection, can’t agree on how to protect it, have been lobbied not to protect it or simply haven’t gotten around to protecting it.

But the possibility that protection-worthy data may not be covered must be balanced against the relative quality and appropriateness of protection provided by the two regimes and the burden of “overkill” inherent in the omnibus scheme. On balance, it is unclear why or whether omnibus privacy protection is better overall than sectoral protection.

The U.S. Privacy Regime Is Inadequate, Right?

Because the EU has the more pervasive privacy regime, many jump to the conclusion that the EU must therefore have better privacy in practice. After all, compared to the U.S., not only does the EU have a more universal privacy law, but it also has thousands more bureaucrats running around to see that every privacy “i” is dotted and every privacy “t” crossed. But where is the evidence that the EU has more actual privacy? More pervasive laws and more bureaucrats do not necessarily translate into better privacy. Indeed, in its attempt to close every privacy loophole, the EU sometimes inadvertently diminishes privacy. For example, the EU requires that every database containing personal information be registered with the government; in some EU nations, the registration must include extensive information about the data in that database. Does this enhance privacy, or does it facilitate Big Brother?

For several years, the only reasonably thorough study comparing actual EU and U.S. privacy levels was conducted in 2006 by the Ponemon Institute and sponsored by White & Case, this author’s former law firm. That study found privacy levels on the whole to be somewhat higher in the U.S. than in the EU. It’s about to be joined by Privacy on the Ground: Governance Choices and Corporate Practice in the U.S. and Europe, by Kenneth Bamberger and Deirdre Mulligan, who, after extensive study, also seem to believe it is not a foregone conclusion that the EU has the superior regime. See also IAPP Vice President of Research and Education Omer Tene’s Privacy Perspectives post, “The U.S.-EU Privacy Debate: Conventional Wisdom Is Wrong.”

U.S. Intelligence Surveillance Is Uniquely Out of Control, Right?

U.S. intelligence surveillance undertakes the collection of bulk telephony metadata regarding U.S. phone calls, bulk Internet messaging content outside the U.S. and certain other communications. NSA surveillance may greatly exceed that of any other free-world intelligence agency, and the NSA allegedly has diminished security by covertly inducing the use of “back doors” in communications products and systems.

But there are a few inconvenient points that critics in the EU overlook or relegate to the footnotes.

First, the body of law they view as rendering the EU privacy regime superior to the U.S. regime does not apply to matters of national security. In the EU, such matters are dealt with at the national level. Hogan Lovells has produced a series of papers comparing the national security surveillance laws of the U.S. and a number of other countries, including several EU nations. The conclusion: “… the United States imposes at least as much, if not more, due process and oversight on foreign intelligence surveillance than other countries afford in similar circumstances … The extensive judicial approval and legislative oversight procedures built into the (Foreign Intelligence Surveillance Act) actually exceed what would typically be expected in a country conducting foreign intelligence surveillance … Few countries provide for the kind of judicial authorization and oversight of foreign intelligence/counterterrorism investigations built into the American framework…. The EU critics of U.S. privacy protections would be well-advised to take stock of their own countries’ national security access to personal data.”

Indeed, an interesting phenomenon occurred after the initial Snowden allegation of bulk NSA acquisition of non-U.S. e-mail content. The heads of Germany and France instantly released sharp, kneejerk criticisms. But immediately thereafter, their level of criticism toned down substantially.

One can almost see the intelligence service head in each of those states tapping the head of state on the shoulder and whispering, “Um, you know, we’ve gotten some helpful information from that American surveillance. Oh, and by the way, we do some of that stuff, too.” Thus, when a foreign official criticizes NSA surveillance, one must ask whether the comment is similar to that of Police Chief Louis Renault, who, in the movie Casablanca, said he was “shocked, shocked, to find that gambling is going on in here,” while pocketing his winnings.

So, Down with Safe Harbor

One ramification of the Snowden revelations has been a greatly intensified call to limit data transfer from the EU to the U.S. For some reason, in a classic non sequitur, this call seems primarily focused on the Safe Harbor program. Safe Harbor is one of several means by which export from the EU to qualified U.S. importers is permitted. In effect since 2000, it now boasts more than 4,000 U.S. data importers that have self-certified to the mechanism’s privacy principles. It’s difficult to see why Snowden’s allegations should affect Safe Harbor any more than they affect other transfer mechanisms. The underlying EU fear is that personal information transferred to the U.S. will be grist for the NSA mill. But if true, it would be true no matter what transfer method is used.

Nevertheless, an influential committee of the European Parliament has called for Safe Harbor’s termination, and others in the EU are highly critical of it. They claim that the Federal Trade Commission (FTC)—the program’s main U.S. enforcer—is doing very little to see that companies actually comply with the Safe Harbor principles. Self-certifying to Safe Harbor requires conducting a privacy audit, adopting a privacy policy in light of the seven Safe Harbor principles and agreeing to adhere to those principles. The very act of going through this exercise has heightened actual privacy levels in a majority of these companies. Thus, even if one were to credit the contention that the FTC does little to enforce Safe Harbor, it is undeniable that many companies self-certifying to it have thereby enhanced their levels of privacy. Is that such a bad thing?

And, by the way, the FTC may just be the world’s best privacy cop. Among its other accomplishments, it has required Google and Facebook to submit to independent privacy audits every two years for 20 years, something no EU authority has come close to doing. Not to mention that, in the U.S., state attorneys general and class-action lawyers also add substantially to privacy enforcement.

The Future

The differences between EU and U.S. privacy law may be about to narrow in some respects and expand in others with the draft regulation to replace existing EU privacy law, released in January 2012; it may, in some form, become law in the next few years. It has some excellent points in principle; e.g., requirements for data security breach notification, and for internal corporate and governmental privacy officers—both of which would bring the EU closer to the U.S. regime. But certain of its provisions are more extreme than present EU law. One section embodies a “right to be forgotten.” This would impose obligations to delete content from the Internet, including possibly substantial downstream deletion, on request of a data subject. It is being vigorously promoted by its proponents despite the fact that the EU Agency for Network and Information Security, the EU governmental agency specifically created to advise other elements of the EU government, issued a report in November 2012 concluding, “Enforcing the right to be forgotten is impossible in an open, global system, in general.”

Another provision many view as extreme relates to sanctions. The initial draft regulation would impose a maximum penalty of two percent of a company’s worldwide gross revenues. A subsequent draft raised the ante to five percent. For example, based on 2013 revenues, Apple would be looking at a maximum penalty of $8.7 billion. Per violation. Notwithstanding that current maximum fines may be too low, critics question whether it makes sense to set them anywhere near these levels.

If one were to seek to identify the major factors that have enhanced actual privacy, a plausible argument might be made that the three most influential have been inclusion of privacy officers in companies and governmental agencies, enactment of data breach notification laws and Privacy by Design. The significant implementation of all three took place initially on this side of the Atlantic. And, as to at least the first two, there is still far more evidence of them in the U.S. than in the EU.

The assumption that the EU privacy regime has resulted in more actual privacy than the U.S. privacy regime might profit from reexamination.

David Bender formerly headed the global privacy practice at White & Case, LLP, and is the author of Bender on Privacy and Data Protection (LexisNexis 2012) and Computer Law (LexisNexis 2013). He is an adjunct professor at the University of Houston Law Center, where he teaches privacy law. He can be reached at dbender4@verizon.net.
