Data Protection in the U.S.

The priority for safety of private information was a major concern long before the digital age. More often than not, governments prefer to limit their citizens’ privacy by justifying their actions with counter terrorism practices and dangers of war, or simply because the country’s regime allows such restrictions. IDM is a next step in data protection; powered by its own patented data protection technology called SIZE, we are preparing to launch a global decentralised ecosystem that connects users who want to store information safely and miners who provide memory on their devices to generate income. In this series of articles, we will introduce you to the development of data security through the ages. This week’s feature is — data protection in the USA.

The USA is widely considered and globally recognised as a state, where absolute freedom and respect for human rights reigns supreme. So, data privacy should be one of the main concerns and some kind of a unified federal law should exist in order to protect citizens. Surprisingly that is not the case ─ some fields are protected by separate laws, others are not, laws overlap and contradict each other, authorities don’t understand who is responsible for what. Add some separate state laws about data breaches, and enforcement issues to the mix, and you’ll get a rather chaotic legal mess.

The complex and arguably incomplete nature of US data privacy law is often criticized by countries that have more comprehensive data protection legislation. First of all, in the US there is no single, comprehensive federal (national) law regulating the collection and use of personal data. However, each Congressional term brings proposals to standardise laws at a federal level. Instead, the US has a patchwork system of federal and state laws and regulations that can sometimes overlap, dovetail and contradict one another. In addition, there are many guidelines, developed by governmental agencies and industry groups that do not have the force of law, but are part of self-regulatory guidelines and frameworks that are considered “best practices”. These self-regulatory frameworks have accountability and enforcement components that are increasingly being used as a tool for enforcement by regulators.

USA is home for world’s most well-established technological companies and a huge number of startups, it’s no wonder that the number of cyber attacks is huge there. Last year broke the record for most data breaches (5,207 exactly), exposing almost 8 billion information records all around the world, and massive percentage of them happened in the US. Such big name companies as Verizon, Uber and Equifax were affected, with personal data compromised and credit card information stolen.

Each data breach which makes headlines prompts speakers from the industry to propose a national standard of notifying about and preventing data breaches, but is is the individual people cases that should be addressed, not the overall case of legislation. While companies don’t usually lose lots of money, clients’ losses are more significant, which means that a clear and comprehensive legal framework should be built in order to protect clients’ data. Who can collect and share information, how it will be stored and protected, should all be placed in one law.

There are already a panoply of federal privacy-related laws that regulate the collection and use of personal data. Some apply to particular categories of information, such as financial or health information, or electronic communications. Others apply to activities that use personal information, such as telemarketing and commercial e-mail. In addition, there are broad consumer protection laws that are not privacy laws per se, but have been used to prohibit unfair or deceptive practices involving the disclosure of, and security procedures for protecting, personal information.

In 2012 such a law was close to being suggested, when Barack Obama’s administration proposed a blueprint of Consumer Privacy Bill of Rights, based on Fair Information Practice Principles (FIPPs). It was met favourably, but it wasn’t developed fast and lost momentum, which led to a draft bill being composed only in 2015. Trump’s administration didn’t have much interest in it, so we can’t be sure, whether the USA will soon be able to compare with GDPR, while some world’s big economies, such as Canada or Japan have already started developing projects quite similar to it. The lack of a comprehensive unified legal framework can lead to more data breaches and less economic victories.

In summary, it seems reasonable to assert that current US data protection legislation has failed to achieve a satisfactory balance between the interests of the individual and those of security and commerce. Ironically, numerous consumer surveys have pointed to the negative commercial impact of privacy violations that have occurred in the name of security. At the same time, there is plenty of evidence that few Americans are confident that their records will remain private and secure in the hands of commercial entities. Sadly, more than four decades after Ware (1973) articulated a Code of Fair Information Practice for Americans “Ninety-one percent of adults agree or strongly agree that consumers have lost control of how personal information is collected and used by companies”

Even in the USA data protection is far from ideal. Don’t rely on someone else to protect you, come and join IDM!