Or CALIFORNIA, EUROPE ET AL. V. GOOGLE, FACEBOOK ET AL.
Since its origin, the Internet was intended to be both borderless and global in nature.1 The Internet allows and simplifies the circulation of information all throughout the planet with the snap of a finger (or the click of a mouse), thereby melting geographical limits between nations.2 These late innovative developments have furnished for-profit businesses, non-profit organizations and governments with easy and low cost such that it facilitates the flow of data all throughout the planet at an extremely quick rate.3 Accordingly, these entities used these advances to adapt and build up associations with clients and organizations situated in various countries where services are provided in exchange for private data, increasing economic and monetary globalization.4
That resulted in a “nearly constant flow of information across national borders,” with that information including individual’s names, addresses, races, ages, and can span to extremely sensitive information such as dating preferences and sexual orientations.5 As a result, nations around the world moved to stop the privacy infringements that were happening at the hand of Big-Tech by collecting and selling personal information. Nearly every jurisdiction in the world has implemented a privacy law to limit the prerogatives of Big-Tech and to protect its citizens. California’s CCPA, Europe’s GDPR, Virginia’s VCDPA, and Japan’s APPI are but a few. This has created significant challenges to companies wishing to stay compliant, since the costs related to implementation do quickly add up: to comply with the GDPR alone, $7.8 billion dollars were spent by the world’s biggest 500 companies.6 For someone looking at the situation from an outside perspective, it almost felt like jurisdictions like Europe and the United States were launching a war on businesses that handle personal information.
These facts lead us to an impasse: the right to privacy shall be protected at all costs. Laws discussing privacy around the globe are multiplying and are incoherent and inconsistent. Big-Tech companies are global hubs that serve citizens from every corner of the planet. Implementation of all these laws is significantly high and can lead to non-compliance.
In this paper, we will be discussing thoroughly all these issues before explaining our proposed solution: Firstly, we are going to recapitulate the reality of international privacy law by discussing California’s Consumer Privacy Act, Europe’s General Data Protection Regulation, and other legislative efforts in the United States of America. Secondly, we are going to deliberate the ambiguity that is being created by all these different laws using a two prong approach: the key differences highlighted between the CCPA and the GDPR, and the cost of compliance incurred by businesses. Thirdly, we are going to explain why we think that drafting an international convention on privacy, agreed upon and ratified by all jurisdictions, would be the ultimate solution to the problem at hand.
How did privacy law come to be the way we know it today? In 1789, the U.S. constitution entered into effect and gave citizens of the United States the right to privacy in the first, third, fourth and fifth amendments, according to the Supreme Court of the land. In 1890, the Harvard Law Review published an article by Justice Louis Brandeis titled “the Right to Privacy or the right to be let alone”; it is considered to be the first publication to argue for a right to privacy. In 1914, the Federal Trade Commission was established and has been involved in privacy issues ever since. In 1917, Solicitor General Judge William Lamar ruled for the protection of sealed mail. In 1948, George Orwell published 1984, where he describes a world void of privacy and filled with microphones and cameras. In the same year, the U.N declaration of human rights safeguarded the right to privacy in its 12th article. In 1960, William L. Prosser published a very influential article titled Privacy. In 1967, Alan Westin described privacy as “the claim of individuals … to determine for themselves when, how and to what extent information about them is communicated.” In 1965 the U.S. Supreme court ruled on Griswold v. Connecticut, and in 1967, it ruled on Katz v. United States, two cases in which the right to privacy is safeguarded. In 1974, the FERPA student privacy act was passed, alongside the Privacy act of 1974 that was enforced on federal agencies. In 1986, the TCPA and the National Do Not Call registry was established. In 1995, the European Union adopted the Data protection directive. In 1996, HIPAA was passed. In 1998, the Children’s online privacy protection act was passed. In 1999, the Gramm Leach Bliley Act was passed. In 1999, the first Chief Privacy Officer was appointed in Acxiom. In 2002, congress passed the e-government act. In 2003, California implemented data breach notification laws. In 2010, the red flag rules were created by the FTC and the NCUA. In 2018, the EU passed the GDPR, in 2020, California passed the CCPA, in 2021, Virginia passed the CDPA, and somehow, everything went wrong from that point on. In this paragraph, we are going to be diving deeper in the meticulosity of the CCPA and the GDPR.
California Consumer Privacy Act
Effective as of January the 1st, 2020, the California Consumer Privacy Act (hereafter referred to as “CCPA”) is a state-wide data privacy law, the first of its kind in the United States of America that regulates how businesses all over the world are allowed to handle the personal information of people domiciled in California.7 Under that law, Californians are empowered with the right to opt-out of the sale of their data to third parties, the right to request the disclosure of their data, amongst many other rights.8
The expanded disclosure right gives consumers the right that a business discloses (1) the sources from which the PI (Personal Information) is collected, (2) the business or commercial purpose of collection, and (3) with whom the collected PI is shared.12
If requested to do so, under the CCPA the business must disclose and deliver specific pieces of information collected in the 12 months preceding the request free of charge within 45 days of receiving the verifiable.13Additionally, businesses must implement at least two methods designated for consumers to submit requests of PI, including a minimum of toll-free telephone number and website address. The expanded disclosure right gives consumers the right that a business discloses (1) the sources from which the PI is collected, (2) the business or commercial purpose of collection, and (3) with whom the collected PI is shared.14
Consumers domiciled in California have the right to opt-out of the sale of their Data to third parties.15 Additionally, a business cannot sell the PI of a child under the age of 13 without acquiring the child’s parent or guardian’s consent, or the PI of a child between the ages of 13 and 16 without acquiring their consent.16
Not only that but also, whenever a business receives a verifiable request to delete the PI of a consumer domiciled in California, the business has to comply.17
Most importantly, consumers exercising their rights under the CCPA should not be discriminated against: for instance, consumers cannot be denied goods or services.18
Finally, an additional obligation that the CCPA has imposed on companies is to train their employees in handling inquires on rights related to the CCPA.19 The business must ensure that employees know how to direct consumers to exercise their rights under the CCPA.
General Data Protection Regulation
The General Data Protection Regulation 2016/679 (hereinafter referred to as “GDPR”) is the core of European privacy law, published in the Official European Journal on May the 4th, 2016, and entered into force on May the 25th, 2016.20 This regulation harmonizes European law and mandates the safeguard and protection of the personal data of people domiciled in the economic zone of the European Union.21
The regulation pushes every organization that collects, processes, and uses personal data belonging to a person domiciled in the EU to adhere to this new law.22
Experts believe that the GDPR is considered to be one of the most restrictive privacy laws in the world that strictly aims to protect the individual, rather than the corporation. One of the reasons that incentives these experts to believe so is because the European Union sent controllers and processors to countries around the world to monitor the collection and management of personal data owned by individuals domiciled in Europe, thus raising the bar and somehow coercing international technology giants into compliance.23
The right to information is safeguarded in article 13 and article 14 of the GDPR. 24 Article 15 of the GDPR safeguards the right to access, meaning that every data subject has the right to access their personal data from the data collector.25 Under article 16, every European data subject has the right to request the modification of their data if they believe that the data inaccurate or out-of-date, noting that these changes must be made “without undue delay.”27 Under this provision, the data subject has the right to request, without undue delay that the data controller erases their data.28 Under article 18, the GDPR’s legislator outlines the data subject’s right to request the restriction of processing under specific conditions, meaning that the data collector would have to stop processing data temporarily.29
Additionally, whenever there is relevant grounds, article 21 of the GDPR gives data subjects the right to object to data processing and profiling.30
Other Legislative Efforts in the United States of America
Alabama’s HB 216 bill (Alabama Consumer Privacy Act), Alaska’s SB 116 bill (Consumer data Privacy Act), Arizona’s HB 2865 bill, Connecticut’s SB 893 bill, Florida’s HB 1735 bill (Florida Privacy Protection Act), Illinois’ HB 3910 bill (Consumer Privacy Act), Kentucky’s HB 408 bill, Minnesota’s HF 1492 (Minnesota Consumer Data Privacy Act), New Jersey’s ab3283 bill (New Jersey Disclosure and Accountability Transparency Act), Washington’s HB 1433 bill (People’s Privacy Act), West Virginia’s HF 3159 bill, New York’s A 680 bill (New York Privacy Act) and A 6042 bill (Digital fairness act) are in committee.
Colorado’s SB 190 bill, Maryland’s SB 0930 (Maryland Online Consumer Protection Act), Massachusetts’ SD 1736 bill (Massachusetts Information Privacy Act), and Texas’ HB 3741 bill have been introduced.
Oklahoma’s HB 1602 bill (Oklahoma Computer Data Privacy Act) is in cross chamber.
Mississippi’s SB 2612 bill (Mississippi Consumer Privacy Act), North Dakota’s HB 1330 bill, and Utah’s SB 200 (Consumer Privacy Act) have failed.
The Ambiguity of Privacy Laws
For the purposes of this academic paper, we are going to be focusing our study on the key differences found between two of the major privacy laws found out there in the world: California’s CCPA and Europe’s GDPR.
Key Differences Between the CCPA and the GDPR
At first glance, the CCPA and the GDPR have a lot in common: these laws are in place in order to protect consumers’ data by targeting big corporations. However, as soon as we look closer into these laws, high degrees of differences and inconsistences emerge with regard to the rationale, core, scope, and application of the provisions considered.
When it comes to the personal scope, businesses, public bodies, institutions, and non-profit organizations are subject to the GDPR, but only for-profit businesses are subject to the CCPA.31 When it comes to consumers, the GDPR states that a data subject is “an identified or identifiable natural person,” and the recitals clarify that the data subject should not necessarily reside in the EU.32 However, the CCPA clarifies that a consumer is “a natural person who is a California resident,” meaning that the consumer should necessarily be residing in California.33
When it comes to the territorial scope, the GDPR applies to entities and organizations whether established inside or outside the European Union, if they offer goods or services to, or monitor the behavior of, data subjects located in the EU.34 However, the CCPA applies to organizations “doing business in California.” This difference creates great ambiguity for companies trying to comply because of the software that should be put in place to detect foreign IPs in order to apply the suitable law.35
When it comes to the material scope, the GDPR applies to the “processing of personal data” regardless of the type of processing operation and regardless of the category of personal data being processed.36 However, the CCPA excludes categories of personal information such as medical information, personal information under the Gramm-Leach-Bliley Act, publicly available information, and others.37
When it comes to the definition of personal data, the GDPR does not allow the processing of certain types of personal data such as data that reveals racial or ethnic background.38Under the CCPA however, biometric data including an individual’s deoxyribonucleic acid can be collected and used by corporations.39
When it comes to pseudonymization, under the GDPR, the only instance where the controller has to reidentify a database is whenever data subjects provide additional information enabling identification so that the controller can comply with requests for the rights of the data.40 Under the CCPA, the business is business is not required to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.41
Under both laws, consumers have the right to request their data, however, under the GDPR that request must be fulfilled within 1 month,44 and under the CCPA it should be fulfilled within 45 days.45 When it comes to the right to be informed, the scope of the GDPR is larger than the CCPA, since the GDPR provides a list of 10 elements that should be transferred to the consumer,46 and under the CCPA tit is enough to disclose the category of personal information only.47
When it comes to the right to opt-in, the GDPR gives consumers the right to opt-in of the processing of their data, meaning that they have to consent to the processing of their data first.48 However, in contrast, the CCPA gives consumers the right to opt-out of the sale of information and does not impact collection or usage.49
When it comes to the right to access, the GDPR applies that right to all personal data ever collected by the business,50 however, the CCPA only applies it to personal information collected in the 12 months prior to the request.51
And finally, when it comes to the right to data portability, the GDPR considers that the right to data portability only applies to personal data that has been provided by the data subject when processing is carried out in an automated way.54 For the CCPA, the right to data portability is extended to the right to access and is subject to the same limitations.55
Cost of Compliance for Businesses
Europe and the United States of America (namely California) are two of the five world’s largest economies, and yet they have developed very robust policies when it comes to privacy, which companies have to follow in order to do business. Businesses commonly start by doing a Data Protection Impact assessment, followed by implementing technological defenses such as spam filters, access controls, cloud storage and multifactor authentication. From there, businesses will generally train their employees on handling the new technology safely and correctly, and they would appoint the data protection officer.
In order to understand the size of this problem, we will be explaining in this paragraph the costs that were associated with GDPR compliance by worldwide businesses, back in 2017.
In order to comply with the GDPR, $7.8 billion dollars were spent by the world’s biggest 500 companies. Because of how strict the GDPR is, these businesses had to appoint a representative in the EU to act as a liaison with regulators, on top of assigning a data protection officer in their offices.
Shockingly enough, Microsoft Corp. employs 300 engineers that exclusively work on GDPR compliance. Krones AG, the German company has 60 people working on compliance, or in other terms, 0.5% of its workforce.
In the United Kingdom, the costs of GDPR implementation for FTSE100 companies in 2018 were the following: 66 million GBP for the banking sector, 20 million GBP for the tech sector, 19 million GBP for the energy sector, 15 million GBP for the retail sector, and 11 million GBP for the health sector.
Some businesses thought of not-complying with the GDPR, thinking that it would be less costly; they could not be more wrong: fines from supervisory authorities in the EU for non-compliance can reach 20 million euros, or 4% of the annual global revenues.
The issue at hand is that without a unified framework, smaller companies will lack the resources to adapt, implement and comply with every privacy law relative to every jurisdiction in the world. We recognize that bilateral recognition agreements between countries such as the EU-US Privacy Shield Framework is a great advancement in the world of privacy. However, other countries do exist, and tech companies tend to extend their business to every corner of the world, meaning that expenses are still going to be incurred for multiple implementation cycles no matter how many bilateral agreements are ratified.
When looking for possible solutions to the issue of privacy law in today’s world, we shall look at all the elements that make up the equation: (1) the consumer, (2) the businesses, and (3) the jurisdictions. Here are the hypotheticals we propose:
Firstly, the consumers are everyday people that take part in transactions on the internet (that is now recognized as a medium of commerce). In these transactions, consumers hand down their private information ranging from name, date of birth, nationality, profession, biometric identifiers, and others. These consumers are looking for a law that protects their private information from misuse that could lead to identity theft or financial fraud. They are also looking for more privacy when navigating the web, and they are generally demanding mediums to give consumers the last say in data collection.
Secondly, the businesses affected by privacy law are mainly companies that conduct their activity online: from social media giants to e-commerce, the list of businesses switching online grows bigger by the day. These businesses are looking to maximize their profits that mainly come from selling consumers’ private information to third party companies. They also make significant profit from advertisement that targets their consumers by using their private information. However, these businesses will need to conform to what is becoming the new normal: the inherent right to privacy that every human being possess as per article 12 of the UDHR: “No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.” Accordingly, these businesses will be invited to spend millions of dollars to comply with laws enacted by every jurisdiction in the world. These companies would want to comply with general principles of privacy law but would rather lower the expenses related to compliance.
Thirdly, the jurisdictions are countries and states all around the world that are enacting privacy laws in response to the demands made by citizens. Each jurisdiction would want to protect its sovereignty by imposing a law on companies handling private information related to the jurisdiction’s citizen. Not only that, but countries will strive to legislate laws that reflect the needs of their specific society, leaving businesses with hundreds of inconsistent and incoherent laws.
Based on that, AT&T, Google, Amazon, Twitter, and Apple testified in the United State’s Senate hearings in favor of a unified privacy law. A sentiment is shared between the technology giants: compliance would not be an issue if standards were set in place. Without a unified definition of private information, an agreement on whether the opt-in regime is better than the opt-out regime, and other basic necessities when it comes to compliance, these technology giants will continue to face significant burdens. Hypothetically, big companies netting billions of dollars every fiscal year would have the means to comply by employing more data officers and engineers, but small companies barely making ends meet will be put at an unfair disadvantage.
Therefore, our proposed solution to resolve the worldwide privacy issue at hand can be limited to one word: convention. We have all heard of Lex Mercatoria, the set of common law standards that were able to resolve international commerce in the medieval period:56 in light of globalization and modernization the world needs a Lex Secretum. In other terms, the world needs to agree on a set of standards that ought to be considered the new normal in the world of privacy, inspired by what the writers of the International Declaration of Human Rights intended when they drafted article 12. By establishing these standards that are not limited by country borders, companies around the world will be able to provide consumers with a calibrated experience anywhere in the world, regardless of nationality, location, or age.
In this proposed convention, countries from all around the world should agree on a plethora or factors, namely:
- Personal scope: the convention shall determine what entities will be held to the highest standard of privacy under the convention. We propose that all for-profit businesses, non-profit organizations, and public bodies collecting private information from consumers shall be subject to the convention. We propose that a consumer shall be defined as “identified or identifiable natural or moral person,” because we believe that moral persons just like natural persons deserve privacy protection. The scope of protection shall be extended to all consumers around the globe, regardless of location or age.
- Territorial scope: for-profit businesses, non-profit organizations, and public bodies located in countries that have ratified the convention will be subject to the standards set forth by the convention. Additionally, citizens of these countries will enjoy the protection provided by the convention.
- Material scope: we believe that the convention shall adopt the standard set forth by the GDPR, meaning that standards of privacy shall to personal data processing regardless of the type of processing operation and regardless of the category of personal data being processed.
- Definition of personal data: a uniform definition of personal data shall be adopted to procure for-profit businesses, non-profit organizations, and public bodies working with personal data a clear delimitation of the scope. Personal data should be defined as information that relates to an identified or identifiable individual including but not limited to biometric information, and information revealing ethnic and racial background.
- Opt-out regime: Consumers shall be given the right to opt-out of the collection and sale of their private information; and that right shall be communicated to them as soon as they come in contact with for-profit businesses, non-profit organizations, and public bodies.
- Right to request data or the right to delete data: Consumers shall have the right to request their data or to delete their data from for-profit businesses, non-profit organizations, and public bodies working with personal data, and the request shall be fulfilled within 30 business days. This right shall apply to data ever collected by the entities and shall not be limited to data collected lately.
- Children: for-profit businesses, non-profit organizations, and public bodies working with personal data related to children shall be held to a higher standard of privacy. They shall implement internal operations that would facilitate the recognition of minors in order to give them the right to opt-in the sale of their personal information.
- Discrimination: Consumers shall not be discriminated against for exercising their rights under the convention.
- Other rights such as the Right to Know, and the Right to Correct Inaccuracies: The scope of privacy law is very wide, but we believe that keeping standards minimal would lead to the best results in application.
A convention ratified by all or a majority of countries around the world will give entities working with private information (specially businesses) with a guide that they will be able to follow to assure that their consumers are protected equally around the world. This convention will also minimize the costs relative to compliance, since the proposed convention resembles fairly the GDPR; a convention has businesses have complied to in the past two years. Not only that, but this convention will give consumers the protection they need and will give them the rights that are inherently theirs. Finally, jurisdictions will also be advantaged with such a convention because they will have protected their citizens from privacy violations and will have provided courts will a clear standard to follow.
As proven in this paper, privacy law is a field that will keep on growing since it tightly relates to globalization and the digitalization of today’s world. Takeaways from this study would be that the individual efforts being put by countries all around the world are a great advancement that ultimately helps and protects the consumer. However, the diversity of laws is creating a problem on the business level since corporations are spending millions of dollars in order to comply with laws that serve the same purpose. For that reason, we believe that a universal convention on privacy law is key to resolve these global issues and attain the common goal.
However, we already know that laws of a country are inspired by the traditions and customs of the people of that country; that fact leads to a diversity of laws all around the globe when it comes to the same topic. Each country will see fairness and justice in a different lens and will implement what “feels good” and “seems right.” Therefore, in the event where a universal convention on privacy is being drafted, which standard should be adopted? Should it be a westernized liberal standard, or rather an eastern conservative standard? Should the market be given the upper hand or that privilege should rather be vested with consumers? Should privacy be considered an inherent human right, whose infringement leads to capital punishments such as dissolution of entities, or should be deemed a privilege that the modern man is trying to seek back? These are questions that we shall reflect upon in hopes of getting a response back from The United Nations Office of the High Commissioner for Human Rights.
- Lothar Determann & Karl T. Guttenberg, On War and Peace in Cyberspace: Security, Privacy, Jurisdiction, 41 HASTINGS CONST. L.Q. 875, 891 (2014).
- Id. at 892.
- Id. at 1032-33.
- Consultants Ernst & Young.
- Cal. Civ. Code § 1798.
- Cal. Civ. Code § 1798.140 (c)(1)
- Cal. Civ. Code § 1798.130 (1)(5)
- Cal. Civ. Code § 1798.100 (b)
- Cal. Civ. Code § 1798.110 (a)
- Cal. Civ. Code § 1798.110(b); Cal. Civ. Code § 1798.130(a)(2).
- Cal. Civ. Code § 1798.130(a)(1); Cal. Civ. Code § 1798.140(i).
- Cal. Civ. Code § 1798.120(a).
- Cal. Civ. Code § 1798.120(c)-(d).
- Cal. Civ. Code § 1798.105 (a).
- Cal. Civ. Code § 1798.125(a)(1)(A).
- Cal. Civ. Code Section 1798.130(a); Cal. Civ. Code Sections 1798.140(i), (w)(2)(A).
- P. Voigt, A. von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, Springer, 2017.
- NALC, Reform of data protection legislation and introduction of the General Data Protection Regulation, Legal Briefing L03-17, 2017.
- EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1, Article 13 and 14.
- General Data Protection Regulation (2016) Official Journal, article 15.
- General Data Protection Regulation (2016) Official Journal, article 16. [/efn-note] This right emphasizes on one of the core principles of the GDPR: data accuracy, because consent is essential, and a consumer can never consent to false data.
The right to erasure, better known as the right to be forgotten is protected under article 17 of the GDPR.26General Data Protection Regulation (2016) Official Journal, article 17.
- General Data Protection Regulation (2016) Official Journal, article 18.
- General Data Protection Regulation (2016) Official Journal, article 21.
- General Data Protection Regulation (2016) Official, Article 3.
- Cal. Civ. Code § 1798.140 (c).
- General Data Protection Regulation (2016) Official, Article 4(1) and Recitals 2, 14, 22-25.
- Cal. Civ. Code § 1798.145(a)(6).
- General Data Protection Regulation (2016) Official, Article 3.
- General Data Protection Regulation (2016) Official, Articles 2, 4(1), 4(2), 4(6).
- Cal. Civ. Code § 1798.140(e),(o),(t),(q), 1798.145.
- General Data Protection Regulation (2016) Official, Articles 4(1), 9, Recitals 26 – 30.
- Cal. Civ. Code § 1798.140(b), (o).
- General Data Protection Regulation (2016) Official, Articles 4(5), 11, Recitals 26, 28.
- Cal. Civ. Code § 1798.100(e), 1798.140(r), 1798.145(i).
- General Data Protection Regulation (2016) Official, Articles 6, 8, 12, 40, 57, Recitals 38, 58, 75.
- Cal. Civ. Code § 1798.120(c).
- General Data Protection Regulation (2016) Official, Articles 12, 17, Recitals 59, 65-66.
- Cal. Civ. Code § 1798.105, 1798.130(a), 1798.145 (g)(3).
- General Data Protection Regulation (2016) Official, Articles 5, 12, 13, 14, Recitals 58 – 63.
- Cal. Civ. Code § 1798.100(b), 1798.130(a), 1798.135.
- General Data Protection Regulation (2016) Official, Articles 12, 21, Recital 70.
- Cal. Civ. Code § 1798.120, 1798.135.
- General Data Protection Regulation (2016) Official, Articles 12, 15, 20, Recitals 59, 63, 64.
- Cal. Civ. Code § 1798.100, 1798.110, 1798.130, 1798.145 (g)(3).
- Cal. Civ. Code § 1798.125.
- General Data Protection Regulation (2016) Official, Articles 5, 22, Recitals 39, 71-73.
- General Data Protection Regulation (2016) Official, Articles 12, 20, Recital 68.
- Cal. Civ. Code § 1798.100, 1798.110, 1798.130, 1798.145 (g)(3).
- Johnson, David R.; Post, David (May 1996). “Law and Borders: The Rise of Law in Cyberspace.