European Data Protection Laws Enshrine Many Rights That Americans Should Expect of Their Own Government

Hugo Roy:

[…] There are, already, strong protections for the privacy of Americans in the US Constitution. And access to electronic communications content and data by US authorities has received increased protection by US courts, in particular the US Supreme Court in the Carpenter case recently. Some of these safeguards were ahead of their time, while some are reminiscent of the EU top court’s own case law. There is, however, still no GDPR-equivalent data protection law at the federal level in the US. Although it seems that, with the CCPA (and maybe others), some states like California are pushing in this direction.

In 1973, a US official committee submitted the “Records, computers and the rights of citizens” report. The title of this report is almost identical to the French data protection law of 1978 (on computing, records and freedoms). What also strikes me is that the recommendations of this report share strong similarities with the GDPR in many ways (see the list of data subject rights, the main principles, and the obligations on data controllers in the “Summary and Recommendations”).

So, what happened? How’s this permitted?

There are strong U.S. Constitutional protections for individual privacy rights with respect to the interaction between citizens and government, but there are few regulations that restrict the collection, storage, and use of any information by private companies. This has created a loophole for law enforcement where, instead of surveilling someone directly, they can simply subpoena any number of big advertising companies for granular information about someone’s browsing history and geographic location.