Privacy in Europe and the United States: I Know It When I See It
This post is part of “CDT Fellows Focus,” a series that presents the views of notable experts on tech policy issues. This week, CDT Fellow Omer Tene is our guest contributor. Posts featured in “CDT Fellows Focus” don’t necessarily reflect the views of CDT; the goal of the series is to present diverse, well-informed views on significant tech policy issues.
There is a great deal of cross-Atlantic harmony with respect to fundamental legal concepts. A contract is a contract in both the United States and France; it is formed by offer and acceptance, and awards specific performance or damages upon breach. Likewise, a tort is a breach of a civil duty; and a corporation a distinct legal entity. Yet when it comes to privacy, the cross-Atlantic harmony breaks down. While the psychological need for and social value of privacy are universal, legal and societal privacy norms diverge to the extent that we must ask whether we are speaking about the same thing.
There are many anecdotal examples of the varying cultural perceptions of privacy. In the United States, for example, it is not uncommon to discuss one’s salary or even net-worth over dinner. This would surely be considered highly inappropriate in France; yet the French casually discuss sex and intimate relations in a way that would make even liberal Americans blush. In the United States, the monitoring of employees’ electronic communications and Internet use in the workplace is commonplace and considered to be part of the employer’s prerogative. Such monitoring would constitute a blatant infringement of privacy in several Continental jurisdictions; yet those same jurisdictions require their citizens to carry with them at all times identity cards sometimes containing biometric information. This, in turn, would have American civil liberties groups up in arms. It is not simple, then, to determine whether there is “more” privacy East or West of the Atlantic. But let’s turn to more conceptual differences.
In the United States, privacy law begins with the iconic 1890 Warren and Brandeis article “The Right to Privacy.” In their article, which has been praised as “the most influential law review article of all” (“all” meaning not only privacy but other areas of the law!), Warren and Brandeis famously characterize privacy as “the right to be let alone.” Hence, an individual seeking privacy protection in the United States asks “leave me alone.” Conversely, in Europe, an individual seeking privacy demands: “respect me.” As James Whitman demonstrated in his wonderful article “The Two Western Cultures of Privacy: Dignity Versus Liberty” (2004), privacy regulation in Continental Europe is derived from 17-18th century laws of honor and insult, originally settled by dueling. Interestingly, in Israel, which is influenced by both common law and civil law traditions, the constitutional right to privacy is established in Basic Law: Human Dignity and Liberty; the Hebrew word for “dignity” (caved) also meaning “respect.”
Whitman contrasts European privacy law, which he characterizes as an aspect of dignity, with American privacy law, which he characterizes as an aspect of liberty. According to Whitman, the two main rivals of the right to privacy in Europe are the press (typically infringing celebrities’ privacy with racy stories and photos) and the market (constantly seeking to monetize individuals’ personal data). Not coincidentally, the two fundamental values of American liberty are free speech and private property, which propel the operation of the press and the market. In the United States, in contrast, the main perceived threat to privacy comes from government; whereas free speech and property typically trump privacy in cases of direct conflict (see recently Sorrell v. IMS Health). (Notice that Europe is not homogenous: strong principles of freedom of information in Scandinavian countries may allow individuals to review their neighbors’ tax reports; and the United Kingdom can still teach the United States a lesson or two on free press and private property).
This is somewhat ironic, since in Europe, privacy law was shaped by lessons drawn from the horrors of World War II and the Communist era, when totalitarian regimes terrorized their citizens by decimating their right to privacy in order to create a fearful, docile, confirming society. Yet in Europe today, individuals trust government more than the private sector with their personal data, and actually rely on regulatory protection for their privacy rights. Europeans largely follow Bob Dylan’s saying that “privacy is something you can sell, but you can’t buy it back”. Meanwhile in the United States, the land of big business and small government, individuals appear to be concerned more with government intrusion into their seclusion than with business transgressions. Indeed, in America, the mere thought that a government agency will protect individuals’ privacy from business appears bizarre.
An additional forceful articulation of the right to privacy in American law is found in the 1967 Supreme Court decision in Katz v. United States. In a celebrated concurring opinion, Justice John Harlan introduced the “reasonable expectation of privacy” test, which essentially means that privacy is what you think it is. Justice Harlan’s test, perhaps the most useful and universally applicable legal threshold to date, has both a subjective prong (an actual expectation of privacy) and an objective prong (a reasonable expectation of privacy). The objective prong of the test had the unfortunate consequence of paving the way for the development in the United States of what is known as the “third party doctrine”. According to the third party doctrine, one loses one’s reasonable expectation of privacy in data voluntarily turned over to a third party, such as a telecom company (for call traffic data) or bank (financial records). This is based on the saying attributed to Benjamin Franklin that “three can keep a secret only if two of them are dead.” Hence, in the United States, informational privacy ends where a third party is involved. Conversely, in Europe, this is precisely the point where privacy law begins, imposing a plethora of obligations on third parties that collect, store or transfer individuals’ personal data.
While the Katz decision frames privacy as “what you think it is,” European law often regards privacy as what we tell you it is; “we” being policymakers, politicians or regulators. Consider, for example, European regulators’ willingness to overrule individual consent with respect to employee monitoring or consumer protection. Users may trust Facebook with their data and be bullish about services like Google Street View. Regulators beg to differ; and have no qualms telling individuals what they should or should not be thinking. This approach is mandated by the conception of privacy as a societal value, not merely an individual right. Individuals that agree to the collection and use of their personal data may ignore the full social cost of their decisions, imposing a negative externality on society. Overruling individual choices about privacy could be justified by the landmark 1983 decision of the German Supreme Court in the national census case. The German Supreme Court, while establishing what is now known as “the right to informational self-determination,” stated that privacy is not only an important fundamental right but also a precondition to a democratic society. Clearly, these are not values that may be taken lightly and left to individual decision-making.
Whether it’s “leave me alone” (in the United States) or “respect me” (in Europe); “what you think it is” (in the United States) or “what we tell you it is” (in Europe); privacy remains an important social and legal value across the globe. Regardless of location and background, we have strong intuitions about it, echoing Justice Potter Stewart’s famous threshold test for pornography “I know it when I see it.” This may explain why despite broad conceptual differences, the frameworks for regulating privacy are on the path to convergence, with the United States seeking to implement omnibus measures, such as the introduction of fair information practice principles, and the EU seeking to relax bureaucratic burdens and improve enforcement.
