Question

The European Union recently passed a comprehensive set of data privacy laws. For more information, check the website of the E
Answer #1

European Union's Data Privacy Laws

The EU General Data Protection Regulation (GDPR), which governs how personal data of individuals in the EU may be processed and transferred, went into effect on May 25, 2018. GDPR is a comprehensive privacy legislation that applies across sectors and to companies of all sizes. It replaces the Data Protection Directive 1995/46. The overall objectives of the measures are the same – laying down the rules for the protection of personal data and for the movement of data.

EU data protection rules:

Stronger rules on data protection mean people have more control over their personal data and businesses benefit from a level playing field.

GDPR is broad in scope and uses broad definitions. “Personal data” is any information that relates to an identified or identifiable living individual (data subject) such as a name, email address, tax ID number, online identifier, etc. “Processing” data includes actions such as collecting, recording, storing and transferring data.

The most important and talked about change in data protection regulation in Europe in the last twenty years, the GDPR has set off a race for compliance among companies big and small wary of its punitive powers. Businesses guilty of discarding its key principles or suffering major data breaches due to poor data security measures will face hefty fines of up to 4% of their annual global turnover or €20 Million, whichever is greater.

Replacing the EU Data Protection Directive 95/46/EC, which was felt to no longer adequately address the tremendous technological growth of recent years, the GDPR aims to harmonize data privacy laws across Europe, while not only protecting EU citizens’ sensitive data, but also empowering them to better control their data. It introduces, among other requirements, the need for privacy by default and by design and stricter controls over cross-border data transfers, and cements EU citizens’ right to be forgotten, essentially allowing them to request the deletion of their data.

In Europe, privacy and data protection appear as fundamental freedoms under the European Union Charter so it is therefore no wonder that the GDPR was shaped into a ground-breaking legislation in defence of these rights.

Changes brought by the Data Privacy Laws:

1. Clear Language:

Present Situation:

Often businesses explain their privacy policies in lengthy and complicated terms.

Future Changes:

Privacy policies will have to be written in a clear, straightforward language.

2. Consent from User:

Present Situation:

Businesses sometimes assume that the user’s silence means consent to data processing, or they hide a request for consent in long, legalistic, terms and conditions that nobody reads.

Future Changes:

The user will need to give an affirmative consent before his/her data can be used by a business. Silence is no consent.

3. More Transparency:

Present Situation:

The user might not be informed when his/her data is transferred outside the EU.

Sometimes businesses collect and process personal data for different purposes than for the reason initially announced without informing the user about it.

Businesses use algorithms to make decisions about the user based on his/her personal data (e.g. when applying for a loan); the user is often unaware of this.

Future Changes:

Businesses will need to clearly inform the user about such transfers.

Businesses will be able to collect and process data only for a well-defined purpose. They will have to inform the user about new purposes for processing.

Businesses will have to inform the user whether the decision is automated and give him/her a possibility to contest it.

4. Stronger Rights:

Present Situation:

Often businesses do not inform users when there is a data breach, for instance when the data is stolen.

Often the user cannot take his/her data from a business and move it to another competing service.

It can be difficult for the user to get a copy of the data businesses keep about him/her.

It may be difficult for a user to have his/her data deleted.

Future Changes:

Businesses will have to inform users without delay in case of a harmful data breach.

The user will be able to move his/her data, for instance to another social media platform.

The user will have the right to access and get a copy of the data a business has on him/her.

Users will have a clearly defined “right to be forgotten” (right to erasure), with clear safeguards.

5. Stronger Enforcement:

Present Situation:

Data protection authorities have limited means and powers to cooperate.

Authorities have no or limited fines at their disposal in case a business violates the rules.

Future Changes:

The European Data Protection Board, grouping all 28 data protection authorities, will have the powers to provide guidance and interpretation and adopt binding decisions in case several EU countries are concerned by the same case.

The 28 data protection authorities will have harmonised powers and will be able to impose fines on businesses of up to 20 million EUR or 4% of a company’s worldwide turnover.

Data Protection Regulations in the US

The United States has opted for a different approach to data protection. Instead of formulating one all-encompassing regulation such as the GDPR, it chose to implement sector specific data protection laws and regulations that work together with state-level legislation to safeguard American citizens’ data. These include:

  • The Health Insurance Portability and Accountability Act (HIPAA), a set of standards created to secure protected health information (PHI) by regulating healthcare providers.
  • NIST 800-171, a special publication released by the National Institute of Standards and Technology aimed at protecting Controlled Unclassified Information (CUI) in non-federal information systems and organizations.
  • The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, that seeks to protect the personal information of consumers stored in financial institutions.
  • The Federal Information Security Management Act (FISMA), a federal law part of the larger E-Government Act of 2002, that made it a requirement for federal agencies to develop, document, and implement an information security and protection program.

While states such as California have a security breach notification law in place from as early as 2002, not all states have one. Therein lies the problem with US data protection legislation. Given the number of laws in existence and their differences at state-level, some may be up to GDPR standards, while others may not.

There is also the question of the importance of privacy underlined in the GDPR. While US legislation addresses data security and the importance of private records, privacy is often absent from the discussion, appearing in separate and just as segmented privacy laws. These are enforced through government bodies such as the Federal Communication Committee (FCC) and privacy organizations such as the American Civil Liberties Union (ACLU) or the Electronic Frontier Foundation (EFF) which provide a legal framework for them.

Data protection is also addressed by the Federal Trade Commission (FTC), which has the power to act against unfair and deceptive practices perpetrated by a large range of companies. In the case of data protection, these include failures to implement reasonable data security measures and apply privacy policies as well as unauthorized disclosures of personal information.

The EU-US Privacy Shield Framework

When talking about data protection and privacy practices between the EU and the US, a word must be said about the EU-US Privacy Shield Framework. Designed by the European Commission and the US Department of Commerce to facilitate transatlantic exchanges of personal data for commercial purposes between the European Union and the United States, it replaced the previous Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in 2015. US companies wanting to transfer sensitive data to Europe and vice versa must be self-certified under the Privacy Shield.

However, while the EU-US Privacy Shield is meant to ensure that businesses maintain high data protection standards, it is an agreement, not a regulation. The US Department of Commerce and the FTC support the monitoring and enforcement of the Privacy Shield, but companies found not to meet standards are simply excluded from doing business with the EU. They are liable to fines only if they choose to violate the administrative orders or court orders sought by the FTC.

The Privacy Shield also fails to address the individual privacy rights vouchsafed by the GDPR. The right to be forgotten as well as the mandatory appointment of data protection officers by processors of large quantities of personal information of EU data subjects are only some of the GDPR requirements the EU-US Privacy Shield does not include.

Implementing GDPR

Many U.S. firms have made changes to comply with the GDPR, such as revising and clarifying user terms of agreement and asking for explicit consent. While it creates more requirements on companies that collect or process data, some experts contend that the GDPR may simplify compliance for U.S. firms because the same set of data protection rules apply across the EU. Also, companies established in the EU that engage in cross-border data processing primarily only have to liaise with the DPA of the EU country where the firm is based (the “lead” authority), possibly decreasing administrative costs. However, a firm is still subject to oversight and enforcement by the DPA of every country where it does business. Some member states and privacy activists have criticized the system as many of the largest digital firms are based in a few countries and overseen by those states’ DPAs, creating enforcement delays and logjams due to limited resources.

U.S. firms have voiced several concerns about the GDPR, including the need to construct a compliance bureaucracy and possible high costs for adhering to the GDPR’s requirements. While large firms have the resources to hire consultants and lawyers, it may be harder and costlier for small and mid-sized enterprises (SMEs) to comply, possibly deterring them from entering the EU market and creating a de facto trade barrier. Some U.S. businesses, including several newspaper websites and digital advertising firms, opted to exit the EU market rather than confront the complexities of GDPR. Some industry surveys show that GDPR’s restrictions on the use and sharing of data may be limiting the development of new technologies and deterring potential mergers and acquisitions.

Although the GDPR is directly applicable in EU member states, implementing legislation is required to enact certain parts of the GDPR (e.g. appointment of a supervisory authority; ability to levy penalties). Critics note that the GDPR permits diverging national legislation in specified areas (e.g. employment data) and contend that this could lead to uneven implementation or enforcement.

Towards more secure data in the future:

The GDPR, with its broad considerations and at times vague definitions, may seem to American policy makers as a far too general tool to address particular use cases. Accustomed to compartmentalized data protection, they can find it daunting to consider applying the same regulations to such diverse sectors and mediums as those found in today’s commercial landscape.

The EU’s goal in developing the GDPR, however, was precisely that: to provide a universal data protection legislation that would supersede all the previous, fragmented laws that existed at national level, across different sectors and jurisdictions in Europe. Seen in this way, the GDPR is the next step that follows the micro-management model of data protection regulations.

The essential difference between the US and EU when it comes to data protection is their point of focus. The US seems more concerned with the integrity of data as a commercial asset, while the EU, with the GDPR, has firmly put individual rights before the interests of businesses. In the EU, it will be companies that will be held liable in the eyes of the law and pay if they fail to protect EU data subjects’ data.

Whether or not the balance will shift towards the protection of individuals’ data in the US as well in the future, for now any US business that wants to continue processing the data of EU citizens will have to adhere to the GDPR’s strict requirements. Whether it will have a positive influence on the way data protection is viewed in the United States will depend entirely on how effective the GDPR proves itself to be in real-world circumstances.

