Due to the fractured nature of privacy legislation, privacy enforcement authority is also divided among different entities, including the Department of Health and Human services (for HIPAA), the Department of Education (for FERPA), State Attorneys General (for respective state laws), and the Federal Trade Commission (FTC). The FTC, as the U.S. consumer protection agency, has a prominent privacy enforcement role [Solove and Hartzog, 2014], including the investigation of deceptive and unfair trade practices with respect to privacy, as well as statutory enforcement (e.g., for COPPA). The FTC further has enforcement power with respect to Privacy Shield, the U.S.–European agreement for cross-border transfer. Due to its consumer protection charge, the FTC can also bring privacy-related enforcement actions against companies in industries without a sectoral privacy law [Solove and Hartzog, 2014], such as mobile apps, online advertising, or smart TVs. In addition to monetary penalties, FTC consent decrees typically require companies to submit to independent audits for 20 years and to establish a comprehensive internal security or privacy program. The FTC’s enforcement creates pressure for industries to adhere to their self-regulatory privacy promises and practices.
In addition to federal and state laws, civil privacy lawsuits (i.e., between persons or corporations) are possible. Prosser [1960] documented four distinct privacy torts common in US law,11 i.e., ways for an individual who felt their privacy has been violated to sue the violator for damages:
• intrusion upon seclusion or solitude, or into private affairs;
• public disclosure of embarrassing private facts;
• adverse publicity which places a person in a false light in the public eye; and
• appropriation of name of likeness.
In summary, privacy is protected in the U.S. by a mix of sector-specific federal and state laws, with self-regulatory approaches and enforcement by the FTC in otherwise unregulated sectors. An advantage of this sectoral approach is that resulting privacy laws are often specific to the privacy issues, needs, and requirements in a given sector, a downside is that laws are often surpassed by the advancement of technology, thus requiring periodical amendments.
Privacy Law and Regulation in the European Union
On the other side of the Atlantic, a more civil-libertarian perspective on personal data protection prevails. Individual European states began harmonizing their national privacy laws as early as the mid-1970s. In 1973 and 1974, the European Council12 passed resolutions (73)22 and (74)29, containing guidelines for national legislation concerning private and public databases, respectively [Council of Europe, 1973, 1974]. In 1985, the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” (108/81) went into effect, providing a normative framework for national privacy protection laws of its member states [Council of Europe, 1981]. Convention 108/81 is open to any country to sign (i.e., not only CoE members), and has since seen countries like Uruguay, Mauritus, Mexico, or Senegal join.13 While the convention offered a first step toward an international privacy regime, its effect on national laws remained relatively limited [Mayer-Schönberger, 1998].
It was the 1995 Data Protection Directive 95/46/EC [European Parliament and Council, 1995] (in the following simply called “the Directive”) that achieved what Convention 108/81 set out to do, namely a lasting harmonization of the various European data protection laws and providing an effective international tool for privacy protection even beyond European borders.
The Directive had two important aspects that advanced its international applicability. On the one hand, it required all EU member states14 to enact national law that provided at least the same level of protection as the Directive stipulated. This European harmonization allowed for a free flow of information among all its member states, as personal data enjoyed the same minimum level of protection set forth by the Directive in any EU country.
On the other hand, the Directive’s Article 25 explicitly prohibited the transfer of personal data into “unsafe third countries,” i.e., countries with data protection laws that would not offer an adequate level of protection as required by the Directive. After European officials made it clear that they intended to pursue legal action against the European branch offices of corporations that would transfer personal data of EU residents to their corresponding headquarters in such unsafe third countries, a large number of non-European countries around the world began to adjust their privacy laws in order to become a “safe” country with regards to the Directive, and thus become part of the European Internal Information Market. Eventually, a dozen countries were considered “safe” third-countries with respect to personal data transfers: Andorra, Argentina, Canada, Switzerland, Faeroe Islands, the British Channel Islands (Guernsey, Jersey, Isle of Man), Israel, New Zealand, the U.S.,15 and Uruguay.
However, despite its significant impact, the 1995 Directive was woefully ignorant of the rapid technological developments of the late 1990s and early 2000s. It was created before the Web took off, before smartphones appeared, before Facebook and Twitter and Google were founded. It is not surprising then that many criticized it for being unable to cope with those realities [De Hert and Papakonstantinou, 2012]. While the Directive was specifically written to be “technology neutral,” it also meant that it was unclear how it would apply to many concrete technical developments, such as location tracking, Web cookies, online profiling, or cloud computing. In order to bring the European privacy framework more in line with the realities of mobile and pervasive computing, as well as to create a single data protection law that applies in all EU member states, an updated framework was announced in 2012 and finally enacted in early 2016—the General Data Protection Regulation (GDPR). The GDPR then went into effect on May 25, 2018. Its main improvements over the 1995 Directive can be summarized as follows [De Hert and Papakonstantinou, 2012, 2016].
1. Expanded Coverage: As per its Article 3, the GDPR now also applies to companies outside of the EU who offer goods or services to customers in the EU (“marketplace rule”)—the 1995 Directive only applied to EU-based companies (though it attempted to limit data flows to non EU-based companies).
2. Mandatory Data Protection Officers (DPO): Article 37 requires companies whose “core activities… require regular and systematic monitoring of data subjects on a large scale” to designate a DPO as part of their accountability program, who will be the main contact for overseeing legal compliance.
3. Privacy by Design: Article 25 requires that all data collection and processing must now follow a “data minimization” approach (i.e., collect only as much data as absolutely necessary), that privacy is provided by default, and that entities use detailed impact assessment procedures to evaluate the safety of its data processing.
4. Consent: Article 7 stipulates that those who collect personal data must demonstrate that it was collected with the consent of the data subject, and if the consent was “freely given.” For example, if a particular piece of data is not necessary for a service, but if the service is withheld from a customer otherwise, would not qualify as “freely given consent.”
5. Data Breach Notifications: Article 33 requires those who store personal data to notify national data protection authorities if they are aware of a “break-in” that might have resulted in personal data being stolen. Article 34 extends this to also notify data subjects if the breach “is likely to result in a high risk to the rights and freedoms of natural persons.”
6. New Subject Rights: Articles 15–18 give those whose data is collected more explicit rights, such as the right to object to certain uses of their data, the right to obtain a copy of the personal data undergoing processing, or the right to have personal data being deleted (“the right to be forgotten”).
How these changes will affect privacy