#PrivSecNY: Tim Wu on GDPR and data privacy practices in the US

Data Protection Authority

Earlier this month, Tim Wu, Columbia Law School professor and contributing opinion writer for The New York Times discussed the EU’s General Data Protection Regulation (GDPR), state laws and future US federal laws.

At PrivSec New York, Wu emphasised that “the level of public desire for privacy is very, very high.”

In an exclusive interview, Wu spoke more about data privacy practices, and the need for a blanket legislation similar to the EU GDPR in the United States.

What are the attitudes among consumers and corporates about data privacy practices in the US?

That’s a good question. I think things have moved from a sort of indifference to a concern. There’s been a lot of high-profile scandals mostly involving big tech – mainly involving Facebook, and I think there’s a strong popular will that someone will do something about it. You know people aren’t exactly clear on the details.

As for the corporate sector, I think they are kind of caught in the middle, and not really sure what they should want. Obviously, most corporations don’t want to be over-regulated; on the other hand they don’t want to be involved in privacy scandals, so they basically are asking for clear guidelines on what they’re supposed to do.

We have CCPA, but do you think the US as a whole needs a blanket legislation like the EU GDPR?

I personally do. I don’t think that GDPR is the right model for the United States. I think it’s overly consent-driven and doesn’t change enough. But I am, yes, in favour of personally of a new privacy law in the United States.

What’s the reason why you GDPR is not the right model?

I think we’re trying GDPR now, and I think it just for most people is more stuff to click on, and it’s not clear that it’s really protecting them. Parts are very good – the rights to be forgotten, the rights to access your information – but I just feel that actually people don’t think it’s strong enough, or does enough to actually protect privacy, stop people from collecting data and sending it around.

How significant is the arrival of CCPA, in terms of evolving attitudes of privacy in the US?

It means the US has a de facto privacy law, because California is so influential. So it’s sort of transformed the bane. It has become less about will the US have a law, and more what kind of law should the US have; should it be California’s law, should it be a federal law, that’s what it has done to the conversation. 

How aware are US organisations of GDPR and what it stands for?

I think it depends on who you are hanging out with. I think you’re average member of an American company has no idea what GDPR is, but if you get to the compliance department, the general counsel’s office, they know. The public also doesn’t know the words GDPR in the United States, I mean why would they – it’s European law, but it doesn’t mean it doesn’t affect them. 

Edward Snowden said this at the Web Summit “I think GDPR is not the solution, but the problem is with data collection not data use. It gives a false sensation of reassurance.” What are your thoughts on this?

I think he has a point…that’s what my criticism of GDPR is. It doesn’t actually stop anyone from doing anything. Collect all you want…and I think that’s where the problem starts. I think he’s onto something.

I feel that this might be a big change in the American approach if it comes around – it actually might be stronger. It might just say listen you just can’t randomly collect data at all times, and you’re seeing it in some other things. The bans on facial recognition, for example, there are a collection of bans….they are just like ‘no, don’t take this stuff’. Personally, I think that’s the direction to go.


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.