EU vs US: How Do Their Data Protection Regulations Square Off?
The EU’s new General Data Protection Regulation (GDPR) is coming into effect on 25 May 2018 and will have wide-ranging consequences on a global scale, affecting all businesses that trade with the European Union, from within or outside its borders. From among non-EU countries, US businesses in particular have been actively taking steps to ensure that they comply with the new regulation.
With the United States itself having a number of data protection regulations in place, does that mean companies already compliant with national regulations will find it easier to adjust to GDPR requirements? Let’s have a look at data protection regulations on both sides of the Atlantic to find out.
The European Union under the GDPR
The most important and talked about change in data protection regulation in Europe in the last twenty years, the GDPR has set off a race for compliance among companies big and small wary of its punitive powers. Businesses guilty of discarding its key principles or suffering major data breaches due to poor data security measures will face hefty fines of up to 4% of their annual global turnover or €20 million, whichever is greater.
Replacing the EU Data Protection Directive 95/46/EC, which was felt to no longer adequately address the tremendous technological growth of recent years, the GDPR aims to harmonize data privacy laws across Europe, not only protecting EU citizens’ sensitive data but also empowering them to better control their data. It introduces, among other requirements, the need for privacy by default and by design and stricter controls over cross-border data transfers, and it cements EU citizens’ right to be forgotten, essentially allowing them to request the deletion of their data.
In Europe, privacy and data protection appear as fundamental freedoms under the European Union Charter, so it is no wonder that the GDPR was shaped into ground-breaking legislation in defense of these rights.
Data Protection Regulations in the US
The United States has opted for a different approach to data protection. Instead of formulating one all-encompassing regulation such as the GDPR, it chose to implement sector-specific data protection laws and regulations that work together with state-level legislation to safeguard American citizens’ data. These include:
- The Health Insurance Portability and Accountability Act (HIPAA), a set of standards created to secure protected health information (PHI) by regulating healthcare providers.
- NIST 800-171, a special publication released by the National Institute of Standards and Technology aimed at protecting Controlled Unclassified Information (CUI) in non-federal information systems and organizations.
- The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, that seeks to protect the personal information of consumers stored in financial institutions.
- The Federal Information Security Management Act (FISMA), a federal law that is part of the larger E-Government Act of 2002 and that made it a requirement for federal agencies to develop, document, and implement an information security and protection program.
While states such as California have had a security breach notification law in place since as early as 2002, not all states have one. Therein lies the problem with US data protection legislation. Given the number of laws in existence and their differences at state level, some may be up to GDPR standards, while others may not.
There is also the question of the importance of privacy underlined in the GDPR. While US legislation addresses data security and the importance of private records, privacy is often absent from the discussion, appearing in separate and just as segmented privacy laws. These are enforced through government bodies such as the Federal Communication Committee (FCC) and privacy organizations such as the American Civil Liberties Union (ACLU) or the Electronic Frontier Foundation (EFF) which provide a legal framework for them.
Data protection is also addressed by the Federal Trade Commission (FTC), which has the power to act against unfair and deceptive practices perpetrated by a large range of companies. In the case of data protection, these include failures to implement reasonable data security measures and apply privacy policies as well as unauthorized disclosures of personal information.
The EU-US Privacy Shield Framework
When talking about data protection and privacy practices between the EU and the US, a word must be said about the EU-US Privacy Shield Framework. Designed by the European Commission and the US Department of Commerce to facilitate transatlantic exchanges of personal data for commercial purposes between the European Union and the United States, it replaced the previous Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in 2015. US companies wanting to transfer sensitive data to Europe, and vice versa, must be self-certified under the Privacy Shield.
However, while the EU-US Privacy Shield is meant to ensure that businesses maintain high data protection standards, it is an agreement, not a regulation. The US Department of Commerce and the FTC support the monitoring and enforcement of the Privacy Shield, but companies found not to meet standards are simply excluded from doing business with the EU. They are liable to fines only if they choose to violate the administrative orders or court orders sought by the FTC.
The Privacy Shield also fails to address the individual privacy rights vouchsafed by the GDPR. The right to be forgotten as well as the mandatory appointment of data protection officers by processors of large quantities of personal information of EU data subjects are only some of the GDPR requirements the EU-US Privacy Shield does not include.
Towards a More Data Secure Future
The GDPR, with its broad considerations and at times vague definitions, may seem to American policy makers a far too general tool to address particular use cases. Accustomed to compartmentalized data protection, they can find it daunting to consider applying the same regulations to such diverse sectors and mediums as those found in today’s commercial landscape.
The EU’s goal in developing the GDPR, however, was precisely that: to provide a universal data protection legislation that would supersede all the previous, fragmented laws that existed at national level, across different sectors and jurisdictions in Europe. Seen in this way, the GDPR is the next step that follows the micro-management model of data protection regulations.
The essential difference between the US and EU when it comes to data protection is their point of focus. The US seems more concerned with integrity of data as a commercial asset, while the EU, with the GDPR, has firmly put individual rights before the interest of businesses. In the EU, it will be companies that will be held liable in the eyes of the law and pay if they fail to protect EU data subjects’ data.
Whether or not the balance shifts towards the protection of individuals’ data in the US as well in the future, for now any US business that wants to continue processing the data of EU citizens will have to adhere to the GDPR’s strict requirements. Whether it will have a positive influence on the way data protection is viewed in the United States will depend entirely on how effective the GDPR proves to be in real-world circumstances.