Illustration: Eniola Odetunde/Axios

Tech companies appear to be bowing to new privacy rules springing up in Europe, California and elsewhere, putting in place processes to show they're complying.

Yes, but: Some of these moves are smokescreens that allow the companies to avoid making big, painful changes, some legal experts argue — enabled by a legal system that offloads enforcement onto the very companies being regulated.

The big picture: Companies are painting over existing practices with a veneer of rule-following, argues NYU law professor Ari Waldman in an upcoming article for the Washington University Law Review.

  • "Mere symbols of compliance are standing in for real privacy protections," he writes.
  • Companies that are meant to be constrained by privacy law are able to "recast and reframe it to benefit themselves," Waldman tells Axios.

The stand-ins, according to Waldman, include privacy policies, impact assessments, trainings, audits and paper trails.

  • "These things have all the trappings of systems but instead are really just window dressing," he says.
  • In surveys and interviews with privacy professionals, Waldman turned up a check-the-boxes approach to privacy.

What's happening: As privacy laws in Europe and California kick in, companies are setting up new internal structures to comply with them, says Dominique Shelton Leipzig, a privacy attorney at Perkins Coie.

The other side: "To conclude that assessments aren't working, I think, is a false conclusion," says Al Gidari, a longtime privacy lawyer now at the Stanford Center for Internet and Society.

  • "Those processes work really well in companies because if they don't, people go to jail, employees get fired, companies get prosecuted," he tells Axios. But it's up to companies to prioritize privacy and implement effective systems.
  • Gidari argues that internal assessments are necessary at big tech companies like Google, which he represented when it was investigated by the Federal Trade Commission in 2011. It's not possible to formally audit dozens of products and services on a regular basis, he says.

The bottom line: The offloading of enforcement to companies is a result of vague, toothless laws and weakened agencies like the FTC that would otherwise be in charge of enforcement.

  • "Procedure is not enough," says Waldman. Laws should require a substantive change like a ban on sharing certain data, rather than a process like assessments of whether or not the data is being dealt with correctly.
  • And penalties should be much higher for wrongdoing, Gidari argues. When the FTC fined Facebook $5B for a privacy violation earlier this year, the company's stock went up. "It's awfully hard to see how that alone is sufficient," Gidari says.

"When you have companies setting the rules, my biggest concern is that it's just going to be streamlined toward the most efficient process for them — but not necessarily the most efficient process for users or the fairest process for users," says Frank Pasquale, a law professor at the University of Maryland.

Go deeper: The global shortage of privacy experts

Go deeper

Updated 12 mins ago - Politics & Policy

Ohio Gov. Mike DeWine tests negative for coronavirus after positive result

Photo: Justin Merriman/Getty Images

Ohio Gov. Mike DeWine (R) tested negative for the coronavirus after initially testing positive earlier Thursday, his office announced.

Why it matters: 73-year-old DeWine was set to meet President Trump Thursday on the tarmac at an airport in Cleveland and was tested as part of standard protocol.

Updated 22 mins ago - Politics & Policy

Coronavirus dashboard

Illustration: Eniola Odetunde/Axios

  1. Global: Total confirmed cases as of 9:30 p.m. ET: 18,996,008 — Total deaths: 712,476— Total recoveries — 11,478,835Map.
  2. U.S.: Total confirmed cases as of 9:30 p.m. ET: 4,877,115 — Total deaths: 159,990 — Total recoveries: 1,598,624 — Total tests: 59,652,675Map.
  3. Politics: Pelosi rips GOP over stimulus negotiations: "Perhaps you mistook them for somebody who gives a damn" — Ohio Gov. Mike DeWine tests positive.
  4. Public health: Majority of Americans say states reopened too quicklyFauci says task force will examine aerosolized spread Study finds COVID-19 antibodies prevalent in NYC health care workers.
  5. Business: The health care sector imploded in Q2More farmers are declaring bankruptcyJuly's jobs report could be an inflection point for the recovery.
  6. Sports: Where college football's biggest conferences stand on playing.

Trump issues order banning TikTok if not sold within 45 days

Illustration: Aïda Amer/Axios

Americans and U.S. companies will be banned from making transactions with ByteDance, the Chinese owner of TikTok, in 45 days, according to a new executive order President Trump issued Thursday evening.

The big picture: Last week Trump announced his intention to ban TikTok but said he'd leave a 45-day period for Microsoft or other U.S.-based suitors to try to close a deal to acquire the popular video-sharing app.