Is it Time for an American GDPR?
During a Women in Security chat at the Enfuse 2017 conference, former White House CIO Theresa Payton was asked whether the United States would ever consider a bill like the EU’s General Data Protection Regulation (GDPR). At the time of the conference, GDPR was entering its one-year countdown to enforcement and was a hot topic of conversation at the event. Payton didn’t hesitate in her response. No, she said, she couldn’t foresee a federal law like GDPR. Instead, she expected GDPR’s reach would touch so many American companies that a degree of de facto compliance would follow, while anything more in-depth would come from the individual states.
A year has passed since that talk. GDPR is now in effect, American companies are paying attention, and California quickly passed its Consumer Privacy Act (CCPA), which is scheduled to take effect in 2020. Yet Americans still don’t have the same data privacy protections as EU residents.
The Age of Big Data
The amount of data collected, collated and stored today is overwhelming. According to a Forbes article, 90 percent of all the world’s data was generated in just the past two years, with 2.5 quintillion bytes produced each day, and this promises only to increase thanks to the Internet of Things, mobile and wearable devices, and whatever new technologies lie on the horizon.
Much of the data generated is personal information belonging to individual citizens, who have no control over how that data is used or how securely it is stored. GDPR has given EU citizens some say over the use and storage of their personal information, but Americans remain constantly at risk of identity theft or worse.
“While this data is often accompanied by the provision of technologies that improve our lives and make us more efficient, more discussion needs to be had around the value and risk of that data,” said Jordan L. Fischer, Esquire, Managing Partner with XPAN Law Group.
Consider IoT and how much it has improved our lives: we can remotely answer a doorbell ring or adjust the thermostat in our homes, our doctors can monitor medical devices without us ever having to visit the office, and computers in our cars make our commute more comfortable.
“But,” said Fischer, “with each new technology, there is a risk of a nefarious actor gaining access to that data or the device and using it to exploit the end-user.”
Is GDPR Protecting Americans?
The goal of any data privacy regulation should be to strike a balance between innovation and entrepreneurship on one side and, on the other, the recognition that someone’s life may be drastically impacted by the way data and technology are used and stored.
“Regardless of whether you are an EU data subject or a US data subject, or any other country, this is a conversation that should be had because all individuals have privacy concerns that need to be protected,” said Fischer.
Some companies recognize that all citizens, no matter their home country, have a right to privacy, and they are extending GDPR-level protections to everyone they serve. The reasons these companies have decided to take this action vary. Some simply find it easier to provide the privacy protections across the board because their data isn’t processed or stored in a way that allows easy segmenting between EU and non-EU subjects. Others do it because it is good PR.
“However, for some companies that already segment data between regions, or have the infrastructure to segment data, they may decide to only offer the GDPR protections to EU data subjects,” said Fischer. “Complying with the GDPR can be a costly endeavor, both in becoming compliant and in remaining compliant. By limiting the data that is afforded these protections, companies can potentially limit the amount of resources needed to maintain GDPR compliance.”
We Do Have Some Privacy Regulations
While there is no sweeping legislation like GDPR covering American data privacy, there have been some steps. At the federal level, data privacy laws tend to be industry driven: healthcare (HIPAA and HITECH), financial services (GLBA), children’s data (COPPA), and some FTC and SEC enforcement in this space. However, these laws do little to turn control of personal data over to citizens.
While California’s privacy act has garnered the most attention, it isn’t the only effort by individual states to ensure that Americans see improved privacy protections, even if not at the same level as GDPR. Illinois has a law on the books, the Illinois Biometric Information Privacy Act (BIPA), that sets the national standard for protection of biometric identifiers. Unfortunately, there is a push to weaken that law by exempting employers from having to follow those standards.
Vermont passed a new law regulating companies that buy and sell personal data, i.e., data brokers. “Many U.S. companies buy consumer personal data from data brokers for use in their business, and some U.S. companies even have a side business selling personal data they collect from their customers and potential customers, including visitors to the company’s website, to other companies including data brokers,” explained Linda V. Priebe, Deputy General Counsel to the White House Office of Drug Policy and Ethics Advisor to the White House Office of the Counsel to the President.
The Vermont data broker law takes effect in January 2019. Possessing personal data relating to a Vermont resident is what triggers the law, much as GDPR applies to the personal data of anyone located in the EU, so it will reach data brokers based anywhere in the country or abroad.
U.S. consumers don’t usually know how their data is used to create shadow profiles that can be used for anything from credit ratings to job notices to targeted ads. “Very much like the EU’s GDPR, the Vermont law is intended to protect consumers from this kind of online profiling without their knowledge,” said Priebe.
GDPR is the gold standard of privacy acts right now, but slowly, individual states are taking action. And it’s about time. All data has value on the dark web and on the black market. Americans deserve to have someone looking out for their personal privacy interests, just as EU residents do.