Privacy: US, full marks, Europe, null points – study
Free-market axes grind, we grind back...
a brief contextualisation digression. Privacy in the US relies on industry self-regulation, whereas European legislation requires companies to adhere to minimum standards. This difference in approach has led to a certain amount of transatlantic friction, because it means that US companies holding data on European citizens could - were it not for a series of dubious compromises - find themselves in hot water with Brussels. The US won't change its stance, Europe won't change its stance, so it's either the dubious compromises or the trade war.
Nevertheless US industry naturally wishes to establish that the approach it's taking to privacy is perfectly adequate, proactive even, good for the economy, no need for anybody to intervene, etc etc. This seems to be precisely what AEI-Brooking concludes by comparing the US and the UK.
The study "compares US and UK e-commerce Web sites' notice and disclosure practices, their adherence to promises about secondary uses of e-mail addresses, and the state of the market for privacy assurance programs in the two countries." So far so good. And it finds that US e-commerce sites provide more, and more accessible, privacy notices. Which is nice. US and UK sites are pretty much equal when it comes to adhering to the commitments they make, but the countries differ in that there is a market for privacy assurance services in the US, whereas in the UK "the market for web-seals does not exist."
AEI-Brookings takes a deal of space to come to these conclusions, but as far as we can see, that's it. US sites let you click through to their long, tedious and self-protecting privacy policies quicker than UK ones, everybody's about evens on how good they are at keeping what promises they made, and there's a market for rubber stamps of doubtful value in the US, whereas there isn't elsewhere.
Did we miss something? Harper elaborates: "Privacy in the US is protected by a number of subtle processes [obviously, we did]. Foremost, consumers harness commercial information practices by rewarding good actors with their dollars and shunning bad actors who might invade privacy. Privacy statements provide US consumers a contractual basis to sue if businesses do not adhere to privacy claims. And the common law torts allow anyone to sue a person or business that has wrongfully publicized embarrassing private facts."
Meanwhile in Europe: "Eleven of the 15 EU Member states missed the 1998 deadline for adopting the [Data Protection] Directive's terms in their national laws. Significant differences in the way Member states have implemented the Directive are impeding information flows in Europe, and internationally as well. Despite requests from four Member countries, the European Commission recently declined to propose simplifying or harmonizing changes to the Directive."
So there you go, everything in the corporately self-regulating garden is lovely (and US readers will no doubt have noticed the continual feeling of wellbeing) while Europe is as usual going down the pan by State-regulating itself back into the stone age. We hadn't heard from Simon Davies of Privacy International for a while, so we ran it by him for a quick soundbite:
"Well, why stop here. How about arguing that vigilantism is more efficient that the justice system. Or that nationalisation of industry is the best remedy for corporate insolvency. The fact is that privacy invasion is a boom industry in the US and the report reflects this reality. US industry simply wants to load the burden onto the consumer. That's the wrong way to respect peoples rights."
On fine song, as always, Simon. More background on the US and European approaches to privacy, and much else, is available chez Simon at Privacy International. ®
Sponsored: The Nuts and Bolts of Ransomware in 2016