Discussions regarding privacy and data protection are already part of our daily lives – especially after the so-called “Snowden incident”. And why should they not be? The friction between legitimate intelligence gathering on the one hand and privacy and data protection on the other is highly controversial. These discussions often unearth the inherent systematic differences among nations.
In this context, this paper introduces different perspectives on privacy and especially data protection in a descriptive assessment. To that end, a short definition of privacy is necessary. Furthermore, an overview of different approaches is given. Finally, the regulatory frameworks regarding these issues in the United States of America and the European Union, as well as the subsequent frictions, are presented.
The scope of the Right to Privacy and Data Protection within the UN-System
The Right to Privacy is widely considered one of the cornerstones of democratic societies because it safeguards fundamental principles like honour and personal dignity. It encompasses all aspects of personal and family life as well as personal, religious, sexual, political and social preferences or beliefs. Furthermore, it protects personal communication and data. Therefore, Data Protection is a fundamental part of the Right to Privacy.
This protection is codified in Article 12 of the United Nations Declaration of Human Rights of 1948 which states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attack upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.” Additionally, the Right to Privacy is reflected in Article 17 of the International Covenant on Social and Political Rights as well as Article 16 of the United Nations Convention on the Rights of the Child.
In its latest attempt to further the Right to Privacy, the General Assembly passed a resolution on “The right to privacy in the digital age”. Within this resolution the Member States reaffirm the right to privacy and deem it in need of protection within a wider scope. Still, the resolution faces criticism due to the lack of more proactive and distinguished policies. In the face of the recent “Snowden incident”, which revealed systematic surveillance of foreign governments as well as economic players by the United States, Brazil and Germany in particular called upon the General Assembly for more comprehensive measures – subsequently struggling against the opposition of the USA. Thus the resolution that was finally passed, while being a first step in the right direction, is – in the eyes of many critics – still just a considerably watered-down approach.
Systems and Traditions – different approaches to data protection
The origin of data protection in its various forms dates back more than a century. As early as 1890, Warren and Brandeis contextualised the advancing technological changes with the right to privacy or, as they called it, the right “to be let alone” in their groundbreaking publication The Right to Privacy. Since then, various models and approaches to privacy and data protection have been developed. Four of them deserve closer introduction.
First of all, there is protection through comprehensive laws: within this approach, laws are used to create a legislative framework for collecting, processing and using personal data. Additionally, official institutions are charged with enforcing compliance with this framework. It is considered a more proactive approach.
Protection through comprehensive laws is thus fundamentally different from protection through sectoral laws. While the former is considered proactive, protection through sectoral laws is more of a reactive approach. It deals with specialised or problematic individual aspects of privacy and data protection.
Another very prominent approach is protection through industrial self-regulation. It is considered the most flexible and opportunistic approach, because the rules are self-imposed by members of the economic system.
Finally, privacy-enhancing technologies are considered an approach in themselves. They encompass cryptographic encoding, digital currencies as well as similar technologies.
The transformation of these methods into national legislation occurs in a variety of combinations – a legislator seldom relies on only one protective approach. The design chosen by the individual legislator is greatly influenced by the perception and interpretation of privacy and data protection.
The United States of America – a liberal approach to data protection
Traditionally, the United States of America applies a rather liberal approach to data protection. The perceived dangers are generated by the government rather than the private sector. In this context, data protection is categorised as a manifestation of individual ownership rights that are at the free disposal of their owner. In accordance with the ruling of the Supreme Court, this manifestation is only limited in regard to public surveillance. This specific design gives rise to friction between data protection and the Freedom of Speech guaranteed by the First Amendment. Additionally, the design is in conflict with European approaches and even legislation and court rulings – as the recent Google ruling of the European Court of Justice reveals.
The USA chose an approach of protection through sectoral laws, which is expressed in a multitude of state as well as federal statutes and doctrines. The following statutes are mentioned merely as examples: Intelligence Surveillance Act, Children Online Privacy Protection Act, Protect IP Act and Health Insurance Portability and Accountability Act. It is apparent from the names that this approach is rather reactive. The individual statutes deal with specialized problems. Additionally, customer protection is one of the main focuses of the data protection framework. The protection through sectoral laws is supported by a strong self-regulatory element. Thus a certain extent of flexibility and responsiveness with regard to the ever-changing and ever-evolving Internet is secured. At the same time, this combination results in the lack of any enforcing institution or body. Thus the Federal Trade Commission (FTC) needs the cooperation and willingness of companies in the field of privacy and data protection.
The European Union – data protection in a supranational system
In contrast to the US approach, the European Union founded its data protection tradition within a supranational system and thus a system of harmonization. The main focus of EU policy is the uniformity of data protection frameworks throughout Europe, to the extent that barriers between Member States and inequalities resulting from these barriers are diminished. The goal is a common standing in data protection legislation that encompasses the essential regulations and regulatory positions of every Member State. Within this system, the European Community is obliged to protect the individual – or more precisely the EU citizen – against economic players.
To achieve this, the EU makes use of comprehensive laws within a legislative framework with the Data Protection Directive at its core. Within the Data Protection Directive, Article 25 constitutes an obligation for a case-by-case analysis whenever the personal data of EU citizens are involved. This leads to a strongly proactive approach to privacy and data protection.
The Clash of Approaches
In the interconnected world of the 21st century, approaches like the two just presented, which clash so fundamentally due to their overall focus on either liberal or conservative processes, are bound to create friction in day-to-day life. Problems like consumer protection and market regulation are self-evident. Additionally, conflict over jurisdiction ensues.
Classic Public International Law dictates that jurisdiction is determined by State Sovereignty. This general principle ensures the independence and equality among interacting and interconnected sovereign nations. Still, the determination is far from clear. Thus both the USA and the EU have – yet again – different approaches. The USA – in accordance with the “Zippo” ruling – determines jurisdiction on a case-by-case basis, differentiating between a mere exchange of information and a factual economic transaction. The EU, on the other hand, determines jurisdiction with regard to the collection and processing of EU citizens' data.
In conclusion, the different approaches are based upon fundamentally different legislative histories and therefore lead to seemingly unsolvable friction. This is a significant disadvantage to the world economy. While businesses in need of data collection and processing – e.g. for market research or consumer-friendly advertising – are faced with restrictions and potentially dangerous market insecurities due to the different data protection policies, the consumer is facing infringement of his fundamental right to privacy as well as a more than questionable protection of his data. This leads, logically, to the necessity of a combined effort in privacy and data protection. As independent approaches are failing the demands of modern society, a combined effort of the legislative authorities of both the USA and the EU, but ultimately of all UN Member States, is needed. And for the sake of the protection of fundamental rights, it is needed sooner rather than later.
Warren/Brandeis, ‘The Right to Privacy’, Harvard Law Review, No. 4, 1890, p. 2f.
Long/Pang Quek, Personal data privacy protection in an age of globalization: The US-EU safe harbor compromise, Journal of European Public Policy, 9:3, p. 325-44.
Katz v. United States, 386 U.S. 954, 1967.
Bennett, The “Right To Be Forgotten”: Reconciling EU and US perspectives, Berkeley Journal of International Law, 2012, p. 4f.
Long/Pang Quek, (fn 1), p. 332f.; Korbin, Safe harbours are hard to find: the trans-Atlantic data privacy dispute, territorial jurisdiction and global governance, Review of International Studies (2004), 30, p. 115.
Reding, Speech, Washington/Brussels, 19 March 2012, “Towards a new “Gold Standard” in Data Protection?”, http://ec.europa.eu/commission_2010-2014/reding/pdf/speeches/20120319speech-data-gold-standard_en.pdf (visited 08-03-2014).
Simitis, (1998) quoted in Long/Pang Quek, (fn 5), p. 333.
Korbin, (fn 5), p. 116.
Long/Pang Quek, (fn 1), p. 334.
Korbin, (fn 5), p. 111–131.
Hope, Einführung in das Völkerrecht, p. 37.
Bennett, (fn 4), p. 5.
Long/Pang Quek, (fn 2), p. 334; Bennett, (fn 4), p. 5.