Chilling effects and transatlantic privacy

• DOI: http://doi.org/10.1111/eulj.12315
• Date: 01 March 2019
• Published date: 01 March 2019
• Author: Jonathon Penney

SPECIAL ISSUE ARTICLE

Chilling effects and transatlantic privacy

Jonathon Penney*

Abstract

Can the European and American privacy divide be bridged? Bilyana Petkova, in this issue, offers

compelling reasons to be sceptical. One recent solution, advanced by Pierluigi Perri and David Thaw,

is that common concerns about chilling effects can bridge that divide. However, their discussion of

chilling effects was narrow and their analysis limited to procedural transatlantic convergence. This

essay explores this idea with a more systematic and sustained discussion of chilling effects theory

and research, while arguing that chilling effects does, in fact, provide possibilities for substantive

transatlantic privacy. I argue that “chilling effects”is often treated as an ahistorical singular idea

but there are, in fact, three separate paradigms of chilling effects theory, research and understand-

ing: (1) speech; (2) privacy and autonomy; and (3) collectivist. I set out each and argue that the con-

ceptualisation of chilling effects exemplified by the second paradigm—focused on privacy‐related

chilling effects—offers a shared normative and theoretical foundation to bridge the transatlantic pri-

vacy divide. I also explore how new chilling effects theory and research can impact substantive and

procedural transatlantic privacy efforts, including re‐thinking consent; empowering stronger judicial

enforcement of privacy claims; and balancing competing claims in substantive proposals like the

Right to be Forgotten (RTBF).

1|INTRODUCTION

A number of commentators have recently offered various proposals and foundations for transatlantic privacy

approaches and cooperation.

1

Joel Reidenberg has argued that the common challenge of data surveillance necessi-

tates American and European convergence on privacy.

2

Deirdre Mulligan and Kenneth Bamberger have heralded a

“new American story”, wherein US regulators have drawn on European data protection to address new privacy chal-

lenges.

3

And Paul Schwartz and Karl‐Nikolaus Peifer, for their part, argue that new institutions and processes, like

*Research Fellow, The Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto; Research Associate, Center for InformationTech-

nology Policy, Princeton University; Associate Professor and Director of the Law and Technology Institute, Schulich School of Law, Dalhousie University.

1

P. Schwartz and K. Peifer, ‘Transatlantic Data Privacy Law’(2017) 106 Georgetown Law Journal, 115; P. Perri and D. Thaw, ‘Ancient Worries and Modern

Fears: Different Roots and Common Effects of US and EU Privacy Regulation’(2017) 49 Connecticut Law Review, 1621; N. Richards, ‘Four Myths of Privacy’,

in A. Sarat (ed.), A World Without Privacy: What the Law Can and Should Do (Cambridge University Press, 2015), at 1–2; J.R. Reidenberg, ‘The Data Surveil-

lance State in the United States and Europe’(2014) 49 Wake Forest Law Review, 583, 583–584; K.A. Bamberger and D.K. Mulligan, ‘Privacy in Europe: Initial

Data on Governance Choices and Corporate Practices’(2013) 81 George Washington Law Review, 1521.

2

Reidenberg, above, n. 1, at 583–584.

3

Bamberger and Mulligan, above, n. 1, at 1561–1562.

Received: 16 December 2018 Revised: 22 February 2019 Accepted: 22 February 2019

DOI: 10.1111/eulj.12315

122 © 2019 John Wiley & Sons Ltd. Eur Law J. 2019;25:122–139.wileyonlinelibrary.com/journal/eulj

those established under the General Data Protection Regulation (GDPR),

4

offer a foundation for cooperation.

5

In this

issue, Bilyana Petkova offers compelling reasons to be sceptical of such proposals.

6

She argues that privacy is emerg-

ing as a unifying constitutional value for Europe comparable to America's First Amendment culture founded on free

speech.

7

In light of that divide, she foresees future clashes with a more internationalist privacy discourse remaining

largely rhetorical.

8

Petkova's argument, which builds upon past works illustrating the important normative and con-

ceptual differences between European and American privacy,

9

sets out clearly the challenges for transatlantic

privacy.

To bridge this continental divide, Pierluigi Perri and David Thaw recently suggested common European and Amer-

ican concerns about “chilling effects”—how privacy threats may chill or deter people from acting freely or exercising

their fundamental rights—might offer a basis for transatlantic privacy.

10

Indeed, with internet surveillance and censor-

ship on the rise,

11

the amount of data available online unprecedented,

12

and states and businesses increasing their

technological capacity to track, process, analyse and leverage it,

13

concerns about chilling effects have taken on

greater urgency and public importance internationally.

14

Moreover, though the chilling effects concept has American

origins, similar concerns about the impact of data collection and relating practices have long been considered part of

the broader European data protection project.

15

Nevertheless, Perri and Thaw offer only brief definition of the notion

of “chilling effects”,with no systematic exploration of chilling effects theory and research and how it has evolved over

time.

16

And, being conscious of the American/European conceptual divide on privacy, they limit their discussion to

procedural forms of transatlantic harmonisation and cooperation on privacy.

17

This is unfortunate because I believe

4

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Pro-

cessing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC [2016] OJ L 119/1.

5

Schwartz and Peifer, above, n. 1, at 1–2.

6

See B. Petkova, ‘Privacy as Europe's First Amendment’(2019) European Law Journal (this issue).

7

Ibid., at 1.

8

Ibid., at 1.

9

See, for example, J.Q. Whitman, ‘TheTwo Western Cultures ofPrivacy: Dignity versus Liberty’(2004) 113 Yale Law Journal, 1151; R.C. Post, ‘Three Con-

cepts of Privacy’(2001) 89 Georgetown Law Journal, 2087; Perri and Thaw, above, n. 1. See, also, N.A. John and B. Peters, ‘Why Privacy Keeps Dying: The

Trouble with Talk about the End of Privacy’(2017) 20(2) Information, Communication, & Society, 284.

10

Perri and Thaw, above, n. 1, at 1624.

11

D. Volz, ‘Global Internet Surveillance, Censorship on Rise: Report’,Reuters,28 October 2015, available at https://www.reuters.com/article/us‐cybersecu-

rity‐report‐idUSKCN0SM1M220151028; A. Fiscutean, ‘Internet Censorship: It's on the Rise and Silicon Valley Is Helping It Happen’,ZDNet, 28 November

2017, available at https://www.zdnet.com/article/internet‐censorship‐its‐on‐the‐rise‐and‐silicon‐valley‐is‐helping‐it‐happen/. See, also, J.W. Penney, ‘The

Cycles of Global Telecommunication Censorship and Surveillance’(2015) 36 University of Pennsylvania Journal of International Law, 693, 693–694.

12

V. Boehme‐Neßler, ‘Privacy: A Matter of Democracy: Why Democracy Needs Privacy and Data Protection’(2016) 6 International Data Privacy Law, 222,

222; C. Kuner, Transborder Data Flow Regulation and Data Privacy Law (Oxford University Press, 2013), 4ff.

13

B. Wagner, J. Bonowicka, C. Berger and T. Behrndt, ‘Surveillance and Censorship: The Impact of Technologies on Human Rights’, Policy Department,

Directorate‐General for External Policies Report (European Parliament, 2015), at 6–12, available at http://www.europarl.europa.eu/RegData/etudes/

STUD/2015/549034/EXPO_STU(2015)549034_EN.pdf; S.A. Cohen and M.W. Granade, ‘Models Will Run the World’,Wall Street Journal (Opinion),19

August 2018, available at https://www.wsj.com/articles/models‐will‐run‐the‐world‐1534716720.

14

Penney, above, n. 11; B. van der Sloot, D. Broeders and E. Schrijvers, ‘Introduction: Exploring the Boundaries of Big Data’, in B. van der Sloot, D. Broeders

and E. Schrijvers (eds.), Exploring the Boundaries of Big Data (Amsterdam University Press, 2016), at 11; F.J. Zuiderveen Borgesius, ‘Singling Out People with-

out Knowing their Names—Behavioural Targeting, Pseudonymous Data, and the New Data Protection Regulation’(2016) 32 Computer Law & Security

Review, 256, 267; Y. Hermstrüwer and S. Dickert, ‘Sharing Is Daring: An Experiment on Consent, Chilling Effects and a Salient Privacy Nudge’(2017) 51

International Review of Law and Economics, 38; C. Quelle, ‘Not just User Control in the General Data Protection Regulation’, in A. Lehmann, D. Whitehouse,

S. Fischer‐Hübner, L. Fritsch and C. Raab (eds.), Privacy and Identity 2016 (Springer, 2016), 140, 154; M. Oostveen and K. Irion, ‘The Golden Age of Personal

Data: How to Regulate an Enabling Fundamental Right?’, in M. Bakhoum, B. Conde Gallego, M.‐O. Mackenordt and G. Surblyte (eds.), Personal Data in Com-

petition, Consumer Protection and IP Law—Towards a Holistic Approach? (Springer, 2017); R. van Brakel, ‘Pre‐emptive Big Data Surveillance and its (Dis)

empowering Consequences: The Case of Predictive Policing’in B. van der Sloot, D. Broeders and E. Schrijvers (eds.), Exploring the Boundaries of Big Data

(Amsterdam University Press, 2016), 117; F.J. Zuiderveen Borgesius, S. Kruikemeier, S.C. Boerman and N. Helberger, ‘Tracking Walls, Take‐It‐or‐Leave‐It

Choices, the GDPR, and the ePrivacy Regulation’(2017) 3 European Data Protection Law Review, 353.

15

See, for example, J. van Hoboken, ‘From Collection to Use in Privacy Regulation? A Forward‐Looking Comparison of European and US Frameworks for

Personal Data Processing’, in van der Sloot et al. (eds.), above, n. 14, 231, at 243; B. van der Sloot, ‘The Individual in the Big Data Era: Moving towards

an Agent‐Based Privacy Paradigm’, in van der Sloot et al. (eds), above, n. 14, 177; Quelle, above, n. 14, at 154. See, generally, Perri and Thaw, above, n. 1.

16

Perri and Thaw, above, n. 1, at 1626, 1633–1634.

17

Ibid.

PENNEY 123