Europe touts its data protection rules as the “gold standard.” But when it comes to enforcement, it’s got nothing on the U.S.
Since May 2018 — when the European Union’s new data protection standards came into force — the U.S. has raked in almost $6 billion in privacy fines, including hefty penalties for some of the biggest names in tech. The EU, meanwhile, has collected just $329.8 million.
That’s down to the Federal Trade Commission, the U.S. regulator in charge of enforcing the country’s privacy rules as well as a portfolio of other powers that includes consumer protection and antitrust enforcement.
“The FTC is a superior enforcement regime,” said Jessica Rich, a former director of consumer protection at the FTC. “It comes down to focus. GDPR [the EU’s General Data Protection Regulation] is more about regulation, the U.S. approach is more enforcement-focused.”
Washington’s stance could be about to get a whole lot tougher.
Under the administration of President Joe Biden, the U.S. watchdog will swing to the Democrats — a party historically more eager to rein in big business than the Republicans, which controlled the FTC under former President Donald Trump. Potential candidates to fill one of the FTC commissioner roles include Lina Khan, an antitrust expert and staunch Big Tech critic, though nominations have yet to be made public.
Evidence of American toughness on privacy, at least regarding enforcement, may come as a shock to those used to hearing that Washington is miles behind Brussels. EU officials have been eager to trumpet the bloc’s privacy regime as the world’s strictest and a model for countries from Brazil to South Korea.
That image has been reinforced by European courts repeatedly ruling that the U.S. isn’t safe enough to store European data. But for eagle-eyed observers of privacy on both continents, that’s a false framing of the transatlantic divide.
“This narrative that Europe is leading way ahead of the U.S. is ridiculous. Europe has privacy on the books, but the U.S. has a lot of privacy on the ground,” said Omer Tene, vice president of the International Association of Privacy Professionals (IAPP).
The stats back up his assessment.
The FTC handed Facebook a $5 billion levy in 2019 for its role in the Cambridge Analytica scandal — its biggest ever fine. By comparison, the biggest privacy fine issued in the EU is €50 million — 100 times smaller — by the French regulator against Google for failing to gather sufficient user consent when displaying targeted ads.
Regulating Big Tech bigly
In Europe’s defense, many national regulators did not have enforcement powers until the new privacy rules came into effect in 2018. Now, a series of investigations into the likes of Apple, Facebook and Google are underway across the bloc. WhatsApp, the messaging app owned by Facebook, is on deck for a privacy fine of between €30 million and €50 million from Ireland’s data protection agency in a decision expected by the late summer.
Still, the FTC’s hit list since 2018 dwarfs Europe’s.
Alongside the Facebook fine, YouTube paid $170 million in 2019 for violating children’s privacy, and Equifax, the credit-checking company, was fined $575 million in the same year for a nationwide data breach. Even Chinese-owned app TikTok coughed up $5.7 million for illegally collecting children’s online information.
The U.S. watchdog has also been quick to target companies that have become household names during the coronavirus pandemic, like videoconferencing app Zoom, which it ordered to improve data security in late 2020. There are limits to the FTC’s fining powers, including how it can only sanction companies for a second violation to U.S. law. Plenty of Silicon Valley critics also note Facebook’s fine hasn’t stopped many of its data-hungry practices.
But even when the Washington watchdog can’t hit companies directly in the pocket — there are limits to its fining powers — the FTC has forced wholesale changes to the way organizations deal with data, something that has so far largely eluded Europe’s agencies.
“They require companies to proactively change their practices, create new internal policies, procedures, controls and have in place internal and external audits, checks and balances,” said Markus Heyder, a former FTC official and now vice president of the Centre for Information Policy Leadership, a Washington-based think tank. “These changes are much more effective, have larger impact on organizations and are ultimately more privacy-protective going forward than fines alone. They effectuate real change.”
The FTC’s enforcement has often been at the cutting edge of how tech is being used.
In a case earlier this year, the U.S. agency forced a facial-recognition company to delete not only training data like photos and videos, but also the “face embeddings,” a technical term for features used for facial recognition, as well as the relevant algorithms and models used.
The case was praised across Europe, with Dutch privacy expert Mireille Hildebrandt saying it could be a watershed moment in tackling invasive tech — and a wake-up call to the 27-country bloc’s own privacy enforcers.
“We should not be complacent about our legal framework,” Hildebrandt said, referring to Europe’s privacy rules. “The GDPR is far more effective, because it does not depend on [terms of service] but on the law itself. However, I do believe that civil society in the U.S. is more vigilant and the U.S. may actually move ahead of us precisely because they are in many ways far behind.”
The lack of a federal privacy law in the U.S. — at the root of many unfavorable comparisons with the EU — could also be about to change. The pandemic has pushed privacy up the agenda, prompting states like Virginia, New York and Washington to press ahead with state-based privacy frameworks.
But action at the state level, which is only expected to pick up momentum, could also prompt Congress to move faster on its own privacy framework, although issues around how national legislation would work alongside U.S. state rules still need to be hammered out. Speaking to POLITICO, Democratic Senator Ron Wyden highlighted privacy as a key priority for U.S. lawmakers.
“We’re seeing these shady data brokers and governments practically every week finding new ways to get the personal information and put at risk the well-being of Americans without complying with the constitution. You shouldn’t be able to buy your way around the constitution,” he said.
Obstacles in Congress remain. Unless Democrats eliminate the filibuster — which requires a 60-vote majority to pass most legislation in the U.S. Senate — advancing any digital legislation is an uphill battle even though they now control the upper chamber.
Early indications suggest that privacy could be a higher priority in Biden’s administration than it was for Trump. Other issues, notably the COVID-19 pandemic and associated economic recession, may still make it tough to get data protection proposals onto the legislative agenda.
The new U.S. president moved quickly to nominate a lead negotiator for a privacy deal with Europe. Vice President Kamala Harris has first-hand experience tackling consumer privacy issues from when she was California’s attorney general. Her successor in that role, Xavier Becerra, who’s been enforcing California’s recently enacted GDPR-like law, is also joining the new administration.
A shift in the balance of power at the FTC — Democrats will eventually have three commissioners to the Republican’s two — could also see it ramp up privacy enforcement. Yet, as Washington has turned against Big Tech, both sides of the aisle have taken up the call for beefed-up privacy standards.
“Privacy is not a partisan issue, but the Democrats have more regulatory zeal,” said the IAPP’s Tene.
Cristiano Lima contributed reporting from Washington.
Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email [email protected] to request a complimentary trial.
View original post