Our data has never before been more shared, more sought after, and more valuable to corporations than it is today. We might consider ourselves to be cautious when it comes to sharing personal information online. But our daily habits — like using a credit card to buy our morning coffee, liking posts on social media, and allowing our phones to track our movements — all contribute to us making available a trove of information about who we are and how we tick every single day. 

In March, Anu Bradford, the Henry L. Moses Distinguished Professor of Law and International Organization at Columbia Law School, and Michael Hahn, executive vice president and general counsel at the Interactive Advertising Bureau, joined Chris LaSala, professor of practice at Columbia Business School and a longtime Google executive, to disentangle some of the complexities of consumer privacy in the media. 

At an event organized by the School’s Digital Future Initiative, “Consumer Privacy in Media: Goliath vs. Goliath — Global Regulation and Media's Response,” the panelists concluded that it’s a tradeoff: While consumers are generally aware of the risks of making their personal information obtainable, they’re also prepared to do so if that results in convenience. This, in turn, introduces a challenge: How can consumers be protected from the risks they might not fully understand, and who’s responsible for leading the charge on this? 

There are no straightforward answers, of course, but here are three key takeaways from the conversation:

1. Users are becoming more discerning about their personal data. 

Although different people have different attitudes toward the risks associated with personal data being made available for corporations to leverage, there’s a trend toward individuals becoming more aware and discerning about data privacy. In different parts of the world, there are different reasons for this.

“I think Europeans generally care more about privacy than Americans do,” said Anu Bradford, whose 2020 book, The Brussels Effect, explains how regulations crafted in Europe have shaped the world. “But I would say that ... if we had asked this question a decade ago, we would answer it differently. And I would say today, users around the world care about privacy more than they used to.” 

She added, “I think we have a better understanding of what privacy means and what is at stake, how we are being tracked online, and what are the downsides when we lose our  privacy.”

Bradford also noted that high-profile privacy scandals have exacerbated our collective sensitivities and that, increasingly, we also have a sound understanding of what can go wrong. Look no further than the Facebook-Cambridge Analytica scandal, she said, in which personal information was extracted through Facebook and used in political campaigns. 

2. Europe might be a model of what could happen in America. But not a perfect one. 

“Europeans have very obvious historical reasons to care about privacy because Europeans understand what can happen when you lose privacy,” said Bradford. “If you go back to the Second World War and the Holocaust, the Nazis gained  access to private data to identify who was Jewish. Later, in Germany, because of the East German intelligence agency — the Stasi — people were under constant surveillance. Again, [this was] a major infringement of privacy. So the Europeans understand what it means when the population does not have privacy and people lose their personal autonomy.”

Bradford acknowledged that, of course, not all situations are as high stakes as those historical examples in which people’s lives were at stake. Nonetheless, she said, “there are so many ways that data in the wrong hands, [and] with the wrong motivations, can be used in a way that can be harmful.”

Michael Hahn broadly agreed that Europe has set a valuable standard and offers a reference point. “Europe did an amazing thing [by] taking the lead to develop a generally applicable privacy law. And while it is, I would say, something that has inspired laws around the globe, lessons have been learned and not everyone is doing exactly what Europe is doing,” he said. 

In May 2018, countries of the European Union and the European Economic Area implemented the General Data Protection Regulation, or GDPR, designed to give individuals better privacy protections and force companies to make significant changes to the way they collect data and consent from their users. 

Hahn applauded European efforts to promulgate the first generally applicable privacy law but explained that one of the problems with an opt-in model like GDPR is that its hyper-specific consent requirements challenges users’ desire for a seamless online experience. This makes an opt-in model (except for sensitive personal information) less appealing in the United States, where there is a different historical experience with privacy and a different set of consumer expectations relative to Europe. 

Hahn agreed that US regulation, particularly in some states, has explicitly been inspired by European regulation, but he noted that an opt-out model — under which the use of personal data continues until the individual explicitly opts out — might be more realistic in this cultural context. 

3. Partnership is key.

Historically, the United States has adhered to a model of self-regulation. It’s cultural: A belief in free markets is — to a large extent— enshrined in the principles of capitalism that govern the economic fabric of the country. But given the extent to which the world is changing, it might be time to reexamine self-regulation as a mechanism of governance. 

“We tried self-regulation, and we noticed that there are limits to it,” said Bradford. “The trust is not there anymore for the tech companies to self-govern.” 

But regulating data privacy is complicated. Because of the complexity and the volume of data involved, regulation often requires partnership between corporations and the government. Government needs to establish the parameters, but that process can benefit from collaboration and partnership with tech companies.

Note: quotes have been edited for brevity and clarity.


Watch the full panel discussion here: