What happens when sensitive information—from employment history and financial transactions to medical conditions and dating preferences—becomes digital data? How can individuals be protected from potential abuses of this data? And what kinds of rights do individuals have to determine its collection, storage, and use? Since the early 2000s, these questions have generally found different answers in Europe and the United States. However, the Cambridge Analytica scandal and other data-related incidents are inspiring renewed attention to data privacy on both sides of the Atlantic, including questions about the potential relevance of the European Union’s (EU) landmark General Data Protection Regulation (GDPR) in the United States (U.S.).
The EU recognizes privacy and personal data protection as fundamental rights. These rights are safeguarded by data protection laws, including the GDPR. The GDPR is a comprehensive personal data protection framework that impacts not only EU member states but also the broader global community that interacts with them. All organizations that collect personal data on EU residents are subject to the GDPR’s rules and regulations. Among these rules, EU residents must give active consent to personal data collection. They also have the right to revoke their consent at any point and have the ‘right to be forgotten’. For example, if an EU resident decides to revoke their consent to personal data collection by an online merchant, that organization is required to remove all of the individual’s data from its systems. Since the GDPR went into effect in May 2018, the costs of compliance have been high—prompting organizations to spend billions of dollars to interpret and implement these regulations in order to avoid extensive fines from the EU. Compliance with the GDPR has also been controversial, particularly around the implementation of the ‘right to be forgotten’, which resulted in a dispute between Google and France’s National Commission for Information Technology and Civil Liberties.
Unlike the EU, the U.S. government has no overarching data privacy laws or institutional frameworks equipped to handle personal data protection issues. At the federal level, general privacy protections exist under the U.S. Constitution and the Privacy Act of 1974. There are broad references to data privacy in the Federal Data Strategy and the Foundations for Evidence-Based Policymaking Act but no clear federal mandates surrounding personal data protection. There are also examples of sector-specific data privacy legislation, such as the Health Insurance Portability and Accountability Act of 1996, which protects sensitive medical information. Lastly, there is a patchwork of data privacy legislation at the state level, such as the California Consumer Privacy Act, which will become effective in January 2020. Altogether, the American approach to privacy presents a complicated environment that is not only difficult to navigate but also vulnerable to data privacy abuses given its many gaps and grey areas.
American lawmakers are now contemplating the need for a U.S. federal data privacy law. Recent attempts have included the American Data Dissemination Act, the Consumer Data Protection Act, and the Data Care Act. However, none have gained enough momentum in Congress to become federal law. Major American technology companies like Amazon and IBM are also calling for a comprehensive data privacy law at the federal level, largely to avoid further regulatory fragmentation at the state level. If more states follow the example of California and develop their own data privacy legislation, this could result in dozens of different rules and regulations in the U.S. market, ultimately increasing financial and operational costs of compliance.
Could the GDPR be a model for the U.S. to follow? During his April 2018 testimony before Congress following the Cambridge Analytica scandal, Facebook CEO Mark Zuckerberg noted that Facebook is working to comply with GDPR in the EU and would support something similar in the United States. Interestingly, U.S. residents already benefit from the GDPR. As the editorial board of the New York Times points out: ‘Although Americans cannot legally avail themselves of specific rights under GDPR, the fact that the biggest global tech companies are complying everywhere with the new European rules means that the technocrats in Brussels are doing more for Americans’ digital privacy rights than their own Congress.’
Whilst there is growing support for more comprehensive data privacy legislation in the U.S., a GDPR-inspired approach is unlikely to succeed in the current U.S. context. Firstly, the GDPR is rooted in the notion that privacy and personal data protection are fundamental rights. This position has not been embraced in the United States. Secondly, the EU has a number of institutions dedicated to privacy and personal data protection that the U.S. does not. These include the European Data Protection Board and Data Protection Authorities (DPAs) in each EU member state. The European Commission recently expanded the role of its Commissioner for Competition, who will continue to coordinate a range of data and technology issues, such as GDPR compliance. There is also judicial capacity for enforcing the GDPR, including the Court of Justice of the European Union and the European Court of Human Rights, which are both equipped to make decisions related to privacy and personal data protection. Lastly, the GDPR is the product of decades’ worth of debate and discussion in the EU, building on its predecessor, the 1995 Data Protection Directive. Adopting a GDPR-style framework would be an extreme change for the U.S. government, which has no existing data privacy framework.
Instead of making the drastic leap to its own version of the GDPR, the U.S. government should create a federal ‘floor’ for data privacy that empowers individuals with more information and more choices about how organizations collect, store, and use their personal data. These basic protections should be accompanied by financial incentives and penalties for organizations across all sectors that collect personal data on U.S. residents. Then, the U.S. government should focus on harmonizing existing data privacy laws at the federal and state level, removing redundancies and adding more layers of protection where needed. In order to do so, however, the U.S. must first build institutional capacity to handle complex privacy and data protection issues. Without it, the American data privacy patchwork system will continue to weaken under the pressure of each new data-related incident and scandal.