European privacy protection raises questions about optimal level of regulation.
The Subcommittee on Commerce, Manufacturing and Trade within the House Commerce & Energy Committee held a hearing last week on the impact of European Union (EU) privacy and data collection policy on US internet companies.
I do not believe industry has proven that it’s doing enough to protect American consumers, while government, unfortunately, tends to overreach every time it gets involved in the marketplace. From my perspective, there’s a sweet spot between too much regulation and no regulation at all. My goal is to find that sweet spot.
The EU’s data protection and online privacy directives obligate EU member states to pass online privacy legislation that satisfies the directives’ privacy principles. According to an internal memo of the subcommittee, the EU’s directives have created “inconsistent regulatory regimes throughout the EU and has created problems for American multinational firms.”
The US Department of Commerce has negotiated a “safe harbor” with the EU, under which American firms are deemed in compliance with the directives, and the national legislation of all EU member states, if they adopt an agreed-upon set of privacy principles. While the Commerce Department’s Nicole Lamb-Hale defended the safe harbor’s efficacy, a subcommittee memo argued that corporations continue to face challenges under the safe harbor, such as from EU member states that do not comply fully with the safe harbor.
The subcommittee heard mixed views about the EU privacy regime from those who testified at the hearing.
Professor Catherine Tucker of MIT’s business school testified that her research on EU online privacy regulations shows that those regulations are associated with a 65 percent decrease in effectiveness of online advertising, as measured by the number of randomly selected people who, after seeing an ad, expressed an intent to purchase the advertised product or service. She advocated for a lighter approach to privacy regulation than that adopted by the EU to protect “the advertising supported internet.”
Professor Peter Swire of Ohio State University’s law school said that while he has “written criticisms of many aspects of European privacy law,” he would acknowledge that “the European regime has also made vital contributions to improving practices in the U.S. and globally” to meet the needs of both businesses and individual privacy.