Illustration: Eniola Odetunde/Axios
Tech companies appear to be bowing to new privacy rules springing up in Europe, California and elsewhere, putting in place processes to show they're complying.
Yes, but: Some of these moves are smokescreens that allow the companies to avoid making big, painful changes, some legal experts argue — enabled by a legal system that offloads enforcement onto the very companies being regulated.
The big picture: Companies are painting over existing practices with a veneer of rule-following, argues NYU law professor Ari Waldman in an upcoming article for the Washington University Law Review.
- "Mere symbols of compliance are standing in for real privacy protections," he writes.
- Companies that are meant to be constrained by privacy law are able to "recast and reframe it to benefit themselves," Waldman tells Axios.
The stand-ins, according to Waldman, include privacy policies, impact assessments, trainings, audits and paper trails.
- "These things have all the trappings of systems but instead are really just window dressing," he says.
- In surveys and interviews with privacy professionals, Waldman turned up a check-the-boxes approach to privacy.
What's happening: As privacy laws in Europe and California kick in, companies are setting up new internal structures to comply with them, says Dominique Shelton Leipzig, a privacy attorney at Perkins Coie.
The other side: "To conclude that assessments aren't working, I think, is a false conclusion," says Al Gidari, a longtime privacy lawyer now at the Stanford Center for Internet and Society.
- "Those processes work really well in companies because if they don't, people go to jail, employees get fired, companies get prosecuted," he tells Axios. But it's up to companies to prioritize privacy and implement effective systems.
- Gidari argues that internal assessments are necessary at big tech companies like Google, which he represented when it was investigated by the Federal Trade Commission in 2011. It's not possible to formally audit dozens of products and services on a regular basis, he says.
The bottom line: The offloading of enforcement to companies is a result of vague, toothless laws and weakened agencies like the FTC that would otherwise be in charge of enforcement.
- "Procedure is not enough," says Waldman. Laws should require a substantive change like a ban on sharing certain data, rather than a process like assessments of whether or not the data is being dealt with correctly.
- And penalties should be much higher for wrongdoing, Gidari argues. When the FTC fined Facebook $5B for a privacy violation earlier this year, the company's stock went up. "It's awfully hard to see how that alone is sufficient," Gidari says.
"When you have companies setting the rules, my biggest concern is that it's just going to be streamlined toward the most efficient process for them — but not necessarily the most efficient process for users or the fairest process for users," says Frank Pasquale, a law professor at the University of Maryland.
Go deeper: The global shortage of privacy experts