The United States’ sectoral approach to privacy is often compared to the European Union’s (EU) comprehensive, ex ante approach to privacy.357 In the EU, data collection must be limited in scope and
retention, and data is subject to consumer consent, review, and correction.358 Data subjects also have the right not to be subject to
355. Crawford & Schultz, supra note 48, at 125.
356. See Jason Parkin, Adaptable Due Process, 160 U. PA. L. REV. 1309, 1331 (2012)
(summarizing critiques of fair hearing rights, including that “[f]air hearings do not address barriers that prevent eligible individuals from applying for welfare in the first instance”); Rebecca E. Zietlow,
Giving Substance to Process: Countering the Due Process Counterrevolution, 75 DENV.U.L.REV. 9, 26 (1997) (“formal procedural rights may hurt rather than help poor people because they serve to mask substantive injustice”); Michael Herz, Parallel Universes: NEPA Lessons for the New Property, 93 COLUM. L. REV. 1668, 1710 (1993) (due process in public benefits regimes has “contributed to routinization, alienation, and abuse”).
357. See generally James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty, 113 YALE L.J. 1151 (2004).
358. For a summary of EU data protections, see Marc Rotenberg & David Jacobs, Updating the
2017] PRIVACY, POVERTY, AND BIG DATA 121
decisions with legal effects generated from automated processing.359 In 2016, the EU passed the General Data Protection Regulation, which provides even stronger privacy protections, including a “right to be forgotten,” strict consent requirements that place the burden of proof on the collector, and increased sanctions for violations.360 The Regulation also tightens restrictions on the processing of particularly sensitive information, such as race, political opinions, and religion.361 In addition, the Regulation gives people the right not to be subject to decisions solely based on algorithms, including profiling, and to contest such decisions.362 Almost
all commentators acknowledge that the United States, with its emphasis on personal liberty and corporate innovation, is very unlikely to adopt an omnibus privacy statute in the style of the EU, with its emphasis on personal dignity.363
Accordingly, a range of policymakers, business leaders, and privacy advocates have argued for comprehensive privacy legislation in the more limited sphere of online consumer activity.364 For instance, in 2012, the
Obama White House issued a proposed Consumer Privacy Bill of Rights based on seven principles of individual control: transparency, respect for context, security, access, accuracy, focused collection, and
POL’Y 605, 615–622 (2013). 359. Id. at 619.
360. See Stephen Gardner, EU Parliament Finalizes Landmark Data Privacy Reg, BLOOMBERG
LAW (April 28, 2016), https://perma.cc/L6XT-K873. For detailed descriptions of the new regulation,
see Rotenberg & Jacobs, supra note 358, at 630–36; Paul M. Schwartz, The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures, 126 HARV.L.REV. 1966, 1992–2003 (2013).
361. See Schwartz, Privacy Collision, supra note 360, at 1996. For a comparison of U.S. and EU
perspectives with regard to protections against discrimination, see generally Raymond Shih Ray Ku,
Data Privacy as a Civil Right: The EU Gets It?, 103 KY.L.J. 391 (2014–2015).
362. See Bryce Goodman & Seth Flaxman, European Union Regulations on Algorithmic
Decision-Making and a “Right to Explanation,” OXFORD INTERNET INST., https://arxiv.org/pdf/1606. 08813.pdf (describing Article 22 and the challenges and opportunities inherent in this new provision.). The EU approach is not a panacea, as it is complex and raises challenging enforcement issues. See
Michiel Rhoen, Beyond Consent: Improving Data Protection Through Consumer Protection Law, 5
INTERNET POL’Y REV. (2016), https://policyreview.info/articles/analysis/beyond-consent-improving- data-protection-through-consumer-protection-law.
363. There is a debate over whether the federal government or the states are better sites for
privacy law. Compare Schwartz, Preemption and Privacy, supra note330, at 916-17 (arguing against
comprehensive federal regulation), with Patricia L. Bellia, Federalization in Information Privacy Law,
118 YALE L.J. 868 (2009) (arguing that Schwartz overstates the risks of omnibus federal regulation).
Several states are more protective of online personal data.
364. See Schwartz, Preemption and Privacy, supra note 321, at 904 (describing calls for comprehensive privacy legislation and arguing such an approach is misguided).
122 WASHINGTON UNIVERSITY LAW REVIEW [VOL.95:53
accountability.365 This set of baseline protections would give consumers the right to determine what data companies collect about them and how those data are used, although it envisions a combination of industry self- regulation and government enforcement.366 Relatedly, the FTC recommended in 2014 that Congress enact legislation to regulate the data broker industry so that consumers would know about the industry’s activities and have access to information held about them by data brokers.367 In recent years, Congress has considered, but failed to pass, a variety of data privacy bills.
Almost any of these proposals would enhance data privacy while providing companies with greater guidance as to their obligations. For low-income consumers in particular, the effectiveness of these laws would hinge upon the existence of meaningful sanctions, rigorous oversight by governmental or third-party entities of data collection and processing, clear notice and consent policies optimized for mobile devices, and a legal commitment to identifying and ameliorating harmful and unjustified disparate impacts.