In 1999, Sun Microsystems CEO Scott McNealy shocked a group of reporters and analysts by telling them that consumer privacy issues were a red herring - "you have zero privacy anyway - get over it". Four years prior to that statement, the European Parliament passed the Data Protection Directive which would become the bedrock of Europe's information privacy laws. Over the years, common perceptions of transatlantic privacy values have followed a well-worn narrative: European privacy standards are overly stringent and bureaucratic while US privacy laws are lax, laissez-faire and offer minimal protection for individuals. The reality is somewhat more nuanced.
The impending General Data Protection Regulation (the "GDPR") and the negotiations over the draft ePrivacy Regulation have once again brought into sharp focus the perceived differences between European and US privacy standards. This is being acutely felt in Ireland which is home to some 16 of the top 20 software companies in the world. Post-Brexit, Ireland is also on course to be the only common law country left in the EU.
Common law and civil law traditions have tended to approach privacy from different angles. Europe's privacy regime is largely a civil law concept. The first modern, comprehensive information privacy law was passed by the Hessian Parliament in Germany in 1970. The two common law jurisdictions in the European Union - the UK and Ireland - did not fully follow suit until the 1995 Data Protection Directive was fully transposed locally in 1998 and 2003 respectively. Countries with common law traditions (including the US, Ireland and the UK) have traditionally tended to focus more on decisional privacy (this posits privacy as a right which individuals can rely on to defend themselves against the actions of the state). Ireland's privacy regime prior to the adoption of the 1995 Directive was closer to the US right of privacy usually found in the Fourth Amendment of the US Constitution.
European data privacy law focuses on achieving information privacy by the horizontal application of principles-based regulations. The processing of all types of data is regulated in more or less the same way (save for additional protections for certain categories of sensitive personal data etc.). The principles which underpin the GDPR are intended for application across the whole economy - the same provisions which govern processing by public bodies will also govern social media companies and ad-tech...