Anyone who has to address international cross-border discovery issues cannot help but be struck by the different cultural values that attach to privacy in the United States versus Europe and the UK, where privacy is considered a fundamental right. For example, court records in the U.S. are mostly open to the public and the U.S. allows the broadest litigation discovery of any country in the world. As a result, our civil litigation system is too expensive for individuals to resolve most disputes, and companies involved in disputes often favor alternative dispute resolution mechanisms (where available) or may be forced to spend millions of dollars on litigation discovery. In contrast, most of the rest of the civilized world manages to resolve both individual and business disputes with no discovery at all.
One only need look to social media platforms for numerous examples of people, especially U.S. citizens, undervaluing personal privacy. As Redgrave attorney Martin Tully noted at The Master’s Conference in Chicago last week, U.S. citizens jealously guard their personal privacy — until someone offers them $3 off of a pizza to disclose their personal data. Unfortunately, the negative consequences include increased susceptibility to identity theft, computer hacking, and manipulation by computer algorithms — among other evils.
The GDPR, in my humble opinion, goes too far by including requirements that are, at best, difficult and expensive for businesses to comply with and, at worst, completely unrealistic — often beyond what is necessary for reasonable personal privacy protection. Various elements of compliance are highly subjective, potential penalties for non-compliance are disproportional, enforcement is sporadic/selective, enforcement mechanisms concentrate too much power and discretion in too few people, and the regulations are open to abuse for unintended purposes. Yet, there are elements to like about the GDPR, which was certainly a well-intentioned attempt to protect personal privacy. Various privacy laws that have followed in the footsteps of the GDPR — including legislation in some U.S. states — have mimicked some of the best elements, while toning down some of the worst. The California Consumer Protection Act (CCPA) and California Privacy Rights Act (CPRA) are examples.
Other states are also coming on board when it comes to protecting individual privacy rights. According to the IAPP US State Privacy Legislation Tracker, privacy laws will become effective in four additional states — Colorado, Connecticut, Virginia, and Utah — at various points in 2023. Nine other U.S. states (LA, MA, MI, NJ, NY, NC, OH, PA, and RI) have privacy legislation currently under consideration. Still, even if all of those states pass such legislation (which is unlikely), that adds up to fewer than 1/3 of all U.S. states. Our federal government has successfully passed federal legislation dealing with limited types of data, such as the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Gramm-Leach-Bliley Act (GLBA) of 1999, and the Children’s Online Privacy Protection Act (COPPA) of 2000. However, it has now been more than 20 years since we have had significant advances in federal privacy law. In that time, private data exploitation risks have increased substantially and the U.S. has become more of an outlier in providing limited privacy protection, as other countries have moved forward with stricter protections. A comprehensive U.S. federal privacy law could help protect individuals, while preempting a patchwork of differing state laws and easing the path to compliance for businesses. It is about time that U.S. citizens and their elected representatives make that more of a national priority.