The United States was not always a data protection laggard. In 1974, Congress passed a law, the Privacy Act, regulating how federal agencies handled personal information. It was based on a credo, known as fair information practices, that people should have rights over their data. The law enabled Americans to see and correct the records that federal agencies held about them. It also barred agencies from sharing a person’s records without their permission.
Congress never passed a companion law giving Americans similar rights over the records that private companies have on them. Historically, Americans have feared big government more than big business. The European Union, by contrast, established a directive in 1995 governing the fair processing of personal data by both companies and government agencies.
Today, the European Union has an even more comprehensive law, the General Data Protection Regulation, and each member state has a national agency to enforce it. Those agencies in Belgium, France, Germany and other European countries have recently acted to curb data exploitation at Facebook, Google and other tech giants.
It’s not just the European Union. Australia, Canada, Japan and New Zealand have also established stand-alone data agencies. By contrast, American consumers have to rely largely on the F.T.C. to safeguard their personal information, a data protection system that privacy advocates consider as airtight as Swiss cheese.