Tech companies appear to be bowing to new privacy rules springing up in Europe, California and elsewhere, putting in place processes to show they're complying.
Yes, but: Some of these moves are smokescreens that allow the companies to avoid making big, painful changes, some legal experts argue — enabled by a legal system that offloads enforcement onto the very companies being regulated.
The big picture: Companies are painting over existing practices with a veneer of rule-following, argues NYU law professor Ari Waldman in an upcoming article for the Washington University Law Review.
- "Mere symbols of compliance are standing in for real privacy protections," he writes.
- Companies that are meant to be constrained by privacy law are able to "recast and reframe it to benefit themselves," Waldman tells Axios.
The stand-ins, according to Waldman, include privacy policies, impact assessments, trainings, audits and paper trails.
- "These things have all the trappings of systems but instead are really just window dressing," he says.
- In surveys and interviews with privacy professionals, Waldman turned up a check-the-boxes approach to privacy.
What's happening: As privacy laws in Europe and California kick in, companies are setting up new internal structures to comply with them, says Dominique Shelton Leipzig, a privacy attorney at Perkins Coie.
The other side: "To conclude that assessments aren't working, I think, is a false conclusion," says Al Gidari, a longtime privacy lawyer now at the Stanford Center for Internet and Society.
- "Those processes work really well in companies because if they don't, people go to jail, employees get fired, companies get prosecuted," he tells Axios. But it's up to companies to prioritize privacy and implement effective systems.
- Gidari argues that internal assessments are necessary at big tech companies like Google, which he represented when it was investigated by the Federal Trade Commission in 2011. It's not possible to formally audit dozens of products and services on a regular basis, he says.
The bottom line: The offloading of enforcement to companies is a result of vague, toothless laws and weakened agencies like the FTC that would otherwise be in charge of enforcement.
- "Procedure is not enough," says Waldman. Laws should require a substantive change like a ban on sharing certain data, rather than a process like assessments of whether or not the data is being dealt with correctly.
- And penalties should be much higher for wrongdoing, Gidari argues. When the FTC fined Facebook $5B for a privacy violation earlier this year, the company's stock went up. "It's awfully hard to see how that alone is sufficient," Gidari says.
"When you have companies setting the rules, my biggest concern is that it's just going to be streamlined toward the most efficient process for them — but not necessarily the most efficient process for users or the fairest process for users," says Frank Pasquale, a law professor at the University of Maryland.