The Problem with Obama's "Let's Be More Like Europe" Privacy Plan

This article originally appeared in Forbes

Should America model its privacy laws and regulations after Europe, which has a tradition of top-down “data directives” and sweeping claims regarding privacy rights? That seems to be the direction the Obama Administration is taking us with today’s release of its new 50-page privacy framework, Consumer Data Privacy in a Networked World.

The problem with that approach is that it could have serious costs for consumers and the competitiveness of America’s Internet sector. The better approach to protecting online privacy relies on increased consumer education and awareness, industry self-regulation, and greater personal and corporate responsibility.

Background & Basis for Regulation

The Administration’s new framework calls for Congress to pass legislation that enshrines a “Consumer Privacy Bill of Rights” into law. These “rights” are designed to mimic “Fair Information Practice Principles” (FIPPs) that Europe and others have adopted. Those principles include: enhanced consumer control over what personal data companies collect from them and how they use it, new transparency and data security practices, limits on what data is collected, and other requirements related to data accuracy and accountability.

These amorphous principles would be governed by a “multistakeholder process” (although it remains unclear who or what that entails) and stepped-up enforcement, most notably by the Federal Trade Commission (FTC). The Department of Commerce’s National Telecommunications and Information Administration (NTIA) would steer the process and help develop “an enforceable code of conduct” for online privacy and data collection practices.

The Administration says increased privacy regulations are essential for “maintaining consumer trust in network technologies” and “sustaining the trust that nurtures Internet commerce and fuels innovation.” They offer no evidence, however, to substantiate the claim that a lack of consumer “trust” is holding back online participation, digital technology adoption, or ecommerce, which are all growing steadily. It’s particularly hard to reconcile the Administration’s argument that expanded privacy controls are needed to ensure greater “participation in democratic society” when over 845 million people have flocked to Facebook in just eight years.

While the Administration’s privacy framework is not yet as regulatory as Europe’s, it does chart a new course for America and one that will entail a significant increase in government oversight of the Internet and online commerce. Congress should think through the implications of a “let’s-be-more-like-Europe” approach to privacy before making the leap the Obama Administration recommends.

Understanding Trade-offs

As noted in this column before, no matter how well-intentioned regulatory proposals may be, they can often have unforeseen, unintended consequences. This is equally true for privacy controls.

For example, the Children’s Online Privacy Protection Act of 1998 (COPPA) is a law that imposes certain online privacy protections for children under the age of 13 and requires parental consent before kids visit certain websites or share personal information online. Unfortunately, a recent study of COPPA’s impact found that the law has encouraged many kids—often with the help of their parents—to lie about their ages online and evade age-based restrictions. The authors of that report also concluded that COPPA “inadvertently undermines parents’ ability to make choices and protect their children’s data.”

All the best intentions in the world can’t stop individuals and institutions from adjusting their behavior in response to laws and rules they find unwise, unworkable, or costly (both in terms of money and time). That’s why policymakers should always carefully weigh the costs and benefits of new rules to ensure intervention is worth the effort and whether alternative or less costly approaches to addressing the supposed problem exist.

Which brings us back to the Obama Administration’s new privacy plan. There’s plenty to like in the general principles found in the new framework but, as always, the devil is in the details and many unintended consequences likely await if it is imposed through regulation.

Regulation Could Raise Prices or Limit New Services

One unintended consequence of stepped-up privacy regulation could be higher prices for sites and services that we currently enjoy largely free of charge. Even though generations of economists have taught us that there is no such thing as a free lunch, advertising has made the Internet and digital services seem like the exception that makes the rule. Social networking sites are free. Searches are free. Review sites are free. In fact, it’s hard to find many online services we pay for these days.

But there is no free lunch. Advertising and data collection are the fuel that powers the digital economy. By collecting a little information about us or our web-surfing interests, online sites can tailor ads to our liking, which helps keep online prices low or even at zero. They can also use that data to develop new and better services that make our online lives more rewarding.

Most consumers gladly accept this deal since it keeps the free and innovative digital goodies flowing. However, critics who say such data collection is “creepy” raise privacy concerns and call for regulation. But they won’t likely have as many online choices if a new regulatory regime steps in and slays the goose (advertising and data collection) that lays the Internet’s free golden eggs (“free” sites and services).

Regulation Could Impact U.S. Competitiveness

Another unintended consequence of Obama’s privacy plan is that it could undermine the competitiveness of U.S. firms relative to other nations.

While many privacy advocates seem determined to move the U.S. in the direction the European Union has charted with its data directives and more stringent privacy controls, America’s refusal thus far to follow that regulatory path might help explain why so many U.S. online firms are leaders in the global digital marketplace. A 2010 study by economists Avi Goldfarb and Catherine Tucker found that “after the [European Union’s] Privacy Directive was passed [in 2002], advertising effectiveness decreased on average by around 65 percent in Europe relative to the rest of the world.” Because regulation decreases ad effectiveness, “this may change the number and types of businesses sustained by the advertising-supporting Internet.” Again, there’s no free lunch.

This may also help explain why America’s online operators are household names in Europe while most of us struggle to name a leading global social media company based in Europe.

The Specter of Greater Internet Control

A final unintended consequence to consider is how increased privacy controls might lead to greater governmental meddling with the Net more generally. At root, privacy regulation is just another form of Internet information controland we can expect that efforts to control the flow of digitized bits will onlybecome more complicated in coming years.

In this regard, we can draw an analogy to copyright and child safety debates. Top-down directives in those contexts have proven challenging to enforce, to put it mildly. Critics lambast heavy-handed copyright enforcement efforts like the recent “Stop Online Piracy Act” (SOPA) and mandatory Internet filters aimed at controlling online pornography or other objectionable material. Beyond being unworkable or “breaking the Net,” critics correctly claim that such controls can censor much legitimate speech or commerce.

The same critique largely applies to efforts to regulate privacy and personal information flows. It’s not to say that privacy and data security aren’t important, but, as an empirical matter, information control in this context is going to be every bit as difficult as information control in the copyright or pornography context. Yet, the same “information-wants-to-be-free” crowd of people that decries those other forms of Net regulation are now hoping to control the flow of information online in the name of protecting privacy.

No matter how well-intentioned, a privacy police force isn’t likely to work—at least not without continuous governmental interventions to try to put the digital genie back in its bottle. Such efforts will be costly, increasingly intrusive, and likely to open the door to many other forms of Internet regulation. In particular, the enhanced regulatory role envisioned for the NTIA and FTC threatens to create a “Mother, May I” permissions-based regulatory regime for online privacy considerations. If every new service has to get the blessing of these agencies or even a “multistakeholder process,” it could stifle new forms of digital innovation.

We shouldn’t forget that when Google released its GMail service to the world back in 2004, over 30 privacy advocates demanded that the service be immediately suspended and investigated. Luckily, that highly innovative and free new service wasn’t blocked and today 350 million people worldwide use it. Had the regulatory paradigm the Obama Administration now favors been in place eight years ago, things might have turned out differently.

The Alternative Approach

With such concerns in mind, many congressional lawmakers may be reluctant to embrace Obama’s “let’s-be-more-like-Europe” approach to privacy and will instead continue to seek out a constructive alternative that balances privacy, digital commerce, and Internet freedom.

The good news is that America already has a pretty good privacy framework that accomplishes that. The primary focus should continue to be on improved education, user empowerment, and self-regulatory efforts.

For those consumers who are hyper-sensitive about data collection and online privacy, many solutions exist already. For example, AdBlock Plus, which blocks ads and data collection, is one of the most-downloaded add-ons for both the Firefox and Chrome web browsers. A host of other available tools block or limit various types of data collection, and every major browser has privacy control tools and anonymous surfing modes to help users limit data flows. It’s a consumer’s choice whether to use all these tools, and many don’t care enough to bother.

Also, with prodding from the Obama Administration, a browser-based “Do Not Track” mechanism is now taking hold. It allows the most sensitive web-surfers to essentially opt-out of third-party data collection and advertising. If enough users flip the Do Not Track switch, however, many “free” sites and services could begin migrating to paywall or pay-per-use models.

For those online operators that commit particularly egregious privacy or data security violations, it’s important to realize that America already has a sweeping consumer protection law: Section 5 of the Federal Trade Commission Act. It gives the FTC broad authority to go after “unfair or deceptive” business practices and sanction companies that break promises they make to consumers or the public. Meanwhile, states already have layers of privacy rules and many state attorneys general use them to go after bad actors.

Personal Responsibility Matters

Of course, there’s a final component of the American tradition: personal responsibility. Generally speaking, whether we’re talking about online safety or privacy, the first admonition should be: Think before you click!

More education is needed to help consumers know how to better control their privacy and reputations online in an age of ubiquitous information sharing. “The use of personal data begins with individuals’ decisions to choose privacy settings and to share personal data with others,” the Obama Administration’s privacy framework correctly notes, and “in such contexts, consumers should evaluate their choices and take responsibility for the ones that they make.”

In a sense, America’s approach to privacy protection shouldn’t be any different than the model we use for online child protection. In that context, America’s traditional approach—guided by an appreciation for freedom of speech and free flow of information—is to first rely on individual (or parental) responsibility. We have “multistakeholder processes” and industry “codes of conduct” for many online safety matters, but they are truly voluntary and not enforced in a top-down fashion or used as the basis of broad-based federal oversight or control of the Net. It’s not a perfect model, but it works well enough.

While more can be done to protect user privacy in the U.S., it remains vital that we not impose a heavy-handed, innovation-killing model of information control on the Internet.