4.1 Why We Need Privacy Laws
Module 4: The Global Regulatory Landscape
Explains the market failure argument, power asymmetry, historical harms from unregulated data, and the difference between rights-based and harm-based legal approaches.
If privacy is a fundamental value, why do we need laws to protect it? The answer lies in a basic problem of markets and power: left unregulated, the incentives push in exactly the wrong direction.
The market failure argument
Companies that collect personal data face a structural incentive to collect more, not less. More data means better advertising targeting, better product personalisation, and more commercial opportunities. The costs of collection — privacy intrusions, the risk and consequences of a breach, harm to individuals — fall mainly on users, not on the collecting company. Economists call this an externality: a cost imposed on others that the actor does not pay. Without legal intervention, the market systematically over-produces data collection and under-produces privacy protection (Acquisti, Taylor & Wagman, 2016, Journal of Economic Literature).
Adding to this is a profound information asymmetry: companies know exactly what they collect and how it is used; individuals typically do not. Long, opaque privacy policies — averaging over 2,500 words — are rarely read and rarely understood (McDonald & Cranor, 2008). The result is not a genuine market for privacy but a take-it-or-leave-it exchange that most people cannot meaningfully evaluate.
Power asymmetry
Beyond economics, there is a power imbalance. A single individual cannot negotiate meaningful privacy terms with a platform serving a billion users. Collective action, in the form of law, is the instrument societies use to rebalance structural power asymmetries. Employment law protects workers who individually have little bargaining power. Consumer law protects buyers against the information advantages held by sellers. Privacy law does the same for data subjects.
Historical lessons: unregulated data causes real harm
History offers clear evidence of what happens when powerful institutions have access to personal data without restraint. The McCarthy era in the United States (1950s) saw FBI files on political associations used to destroy careers and intimidate dissidents, largely without due process. More gravely, Nazi Germany used census data, including religious affiliation recorded in the 1939 Reich census, to identify and persecute Jewish, Roma, and other populations (Seltzer & Anderson, 2001). The census data itself was not collected to enable genocide, but in the hands of a totalitarian government it became a tool for it. The lesson for practitioners is that data collected for one purpose, once it exists, is available for any purpose a later controller chooses; the safeguard is not to collect or retain it in the first place. These examples are not historical curiosities. They explain why Germany's post-war constitution (the Basic Law, 1949) places human dignity at its core (Article 1), from which the Federal Constitutional Court later derived a right to informational self-determination in its 1983 census judgment, and why European privacy law has a rights-based character that reflects lived experience of data misuse.
Two approaches: rights-based vs. harm-based
Modern privacy law divides broadly into two philosophies. Europe takes a rights-based approach: respect for private life and the protection of personal data are fundamental rights (EU Charter of Fundamental Rights, Articles 7 and 8), and any data processing must be justified against that baseline. Processing is unlawful unless a legal basis exists for it, regardless of whether harm has yet occurred. The GDPR is the instrument of this approach.
The United States takes a sectoral, harm-based approach: there is no federal omnibus privacy law (although some states, starting with California's CCPA, have enacted their own omnibus statutes). Instead, privacy is protected sector by sector — health data under HIPAA, financial data under GLBA, children's data under COPPA — with legal action generally triggered only when a demonstrable harm or a deceptive practice can be shown. Critics argue this leaves large gaps, since data outside a regulated sector has little protection; advocates argue it offers flexibility and room for innovation.
Your takeaway
Privacy law exists not because regulators enjoy paperwork, but because market incentives, power imbalances, and historical evidence all point to the same conclusion: without law, privacy loses to commercial and political interests, consistently and predictably.