The full text of this Article may be found here.
30 Fordham Intell. Prop. Media & Ent. L.J. 139 (2019).
Article by Erdem Büyüksagis*
Due to ever-growing big data and the ease with which information can be transmitted over the Internet, it has become more complicated for individuals to enjoy their rights to access, to rectify and erase personal information, and for the judiciary to apply conventional privacy law rules, such as consent, transparency, and purpose limitation. On both sides of the Atlantic, this phenomenon has motivated legislatures and courts to extend protective measures in data privacy. Nevertheless, data protection standards in the United States and the European Union (“EU”) appear to many observers to be radically different and even mutually incompatible. The European Court of Justice’s ruling in Google Spain led many to assume that EU law gives more importance to data protection than does U.S. law.
In this Article, I argue that the United States and the EU do in fact give similar levels of legal and regulatory protection to private data. Despite the Google Spain decision, the absence of an explicit reference to privacy or data protection in the U.S. Constitution, and cultural differences regarding the value placed on privacy between these jurisdictions, critics have not offered any convincing arguments to show that either the perception of privacy or the consequences of its violation are radically different in the United States and in Europe. First, when assessing whether private data gathered by government agencies or private businesses ought to be made available to the general public, courts in both jurisdictions take into account the nature of the information in question, its sensitivity for the data subject’s privacy, the data subject’s identity, the reasons behind the storage and disclosure of the information, and the public’s interest in the information. My point is illustrated by the fact that courts in the United States and the EU rely upon similar tests to deal with potential data breaches. Second, particularly since the adoption of the General Data Protection Regulation, data protection is on the agenda of a number of state legislatures in the United States. The adoption of the California Consumer Privacy Act constitutes a non-negligible shift in the nation’s data privacy regime, since its effective territorial reach will not be limited to California, but will involve all the states given as the headquarters of hundreds of high technology companies that are based in the region commonly known as “Silicon Valley.”
My analysis leads me to the conclusion that the regulatory and case law developments on both sides of the Atlantic hint at a harmonization process of data protection standards because of the ever-growing recognition of the need for specific data protection laws and their substantive convergence.
* Full Professor of Law, Antalya Bilim University; Professor of Law, University of Fribourg. While writing this paper, I have been fortunate to benefit from a Fulbright grant, for which I am thankful. I owe a debt of gratitude to Professor Deborah Hensler for inviting me as a Fulbright Visiting Professor to Stanford Law School for a productive one-year sabbatical during the 2018–2019 academic period. The opportunities she provided throughout my stay at Stanford have meant a lot to me. I also thank Professor Dorothy Glancy of Santa Clara University Law School for her generous and insightful comments on a draft of this paper. Finally, I would like to thank Marta Infantino, Assistant Professor at the University of Trieste, for her help with the Italian sources, and Lotte Meurkens, Assistant Professor at Maastricht University, for her help with the Dutch sources.