GDPR & CCPA as Role Models?

When it comes to existing supranational or even state-level privacy protections, two prominent regulatory frameworks have shown success in enhancing consumer protections in their jurisdictions: the California Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR). These frameworks can serve as role models for many other nations, and specifically for the U.S., in creating their own systems that would protect privacy rights and allow consumers to better protect their personal data and interactions with technology. While some might argue that the GDPR and CCPA can surely be role models across the globe, others note that cultural and ideological differences across countries make it either very hard or impossible to emulate these privacy protection policies in their jurisdictions. With respect to GDPR and CCPA, several key points of discussion are whether privacy is even important from an academic and societal standpoint and whether we should be focusing on data versus data usage.

GDPR and CCPA as Role Models

Many academics argue that the GDPR and CCPA provide great role models for the United States and would offer more advantages than disadvantages for consumers, businesses and government. Large companies would be pleased to have consistent legislation that works well with other global frameworks, such as GDPR. After all, this would allow globalized and international businesses and conglomerates to exercise similar business practices across the globe without having to drastically alter business models or data collection and usage policies. A consistent set of privacy policies, especially on the federal level, seems overdue. One key notion that Professor Zittrain of the Harvard Law School shared with us is that it is more important to implement standards than rules, in order to stay flexible as the technology space and privacy issues evolve. One downside of GDPR and CCPA that he noted is the most likely large implementation costs that come with introducing, executing and enforcing these policies.

Incompatibility with the Current U.S. System

While emulating GDPR or CCPA on a federal level might certainly have its benefits and usher in a long-awaited privacy policy framework, some academics doubt that these models would fit our current U.S. system and domestic models of innovation. Professor Waldo of the Harvard John A. Paulson School of Engineering and Applied Sciences notes that these regulations simply focus too much on the collection of data and data control and not on the usage of this data, which seems all the more important. Concentrating on the collection of data in these regulatory frameworks will simply create an incoherent foundation, as data is all relational, and we shouldn’t be building a system on an incoherent foundation. Privacy policies and regulations should be centered on how the data is used, not on what is collected, hence ushering in a system where we have the notion of a data fiduciary.

The Role of Government in Privacy Regulation

Others argue that government should have no place in deciding on or implementing any sort of privacy regulations. Professor Miron of the Harvard Department of Economics, a libertarian, explains that many libertarians believe that privacy is not a fundamental right and that you need to pay for it if you want it. If the economic equilibrium in a laissez-faire situation results in you giving up your privacy or data in order to get something else that is more important to you, such as access to free email services or social media platforms, then government should not interfere in this process or equilibrium. There should essentially be very limited government interference when it comes to the free market and private individuals. After all, private individuals know their own private preferences and needs better.