The GDPR and how the U.S. can (is) learn(ing) from it

Kristina Barounis, published in The Startup, Aug 29, 2019
Data breaches have become a standard part of our news cycle these days

2019 is on pace to be the worst year for data breaches on record. According to a report by Risk Based Security, a cyber threat intelligence company, in the first half of 2019 alone, over 3,800 data breaches were reported, up 54% when compared to the first half of last year. The business sector accounted for 67% of the reported breaches and 84.6% of the 4.1 billion in ultimately exposed records of data, according to the report.

In a world where data collection, preservation, and usage is more prominent than ever, how are companies protecting our personal data? Well, as we have seen in recent years, many have not been doing so, or have been doing so unsuccessfully, and the public has suffered as a result.

The private sector has historically pushed back on cyber security legislation, arguing that behavioral economics should incentivize companies to protect their data. Others in the tech industry also believe that privacy regulations have the potential to hinder innovation.

However, given the sheer amount of personal data that private companies now hold, and therefore the steadily increasing likelihood of further data breaches, we can’t simply leave this up to market dynamics. While the private sector has begun implementing new cybersecurity protections, the federal and state governments must also act. As is the case with most legislation, data privacy laws have been reactive, in the sense that they have been passed in response to the plethora of data breaches that have occurred over the last few years. Europe and California have been the so-called “trailblazers” of this process.

The GDPR

In Europe, the General Data Protection Regulation (GDPR), signed into law on April 14, 2016, established a set of data privacy guidelines by which businesses in the EU and EEA must abide. It is the most comprehensive law globally that regulates the collection and use of personal data.

The law requires that companies anonymize personal data so that it cannot be used to identify an individual without having additional information, which must be stored in a separate location. The regulation also states that companies which expose data will be fined up to 4% of their annual global revenue, or €20 million, whichever is greater. Additionally, the GDPR makes notification of breaches mandatory within 72 hours of companies becoming aware of the breach.

Perhaps, from the perspective of a consumer like myself, the most impactful part of the legislation expands the rights of private citizens with regards to their own data. EU citizens have the right to ask companies if their data is being held and what it is being used for, as well as request a free copy of their data, which can then be transferred to a third party data controller. Individuals can also request to have their data erased and no longer allow the company to disseminate their information.

What is the United States doing?

At the federal level, a number of bills have been introduced in the House, but as is typical of federal legislation, the bills will likely take longer than any state laws to come to fruition. A federal law would ensure consistency across states, much like the GDPR in the EU, but it is more likely that we will see states pass their own, unique laws and companies will unfortunately have to comply with varying, inconsistent regulations across the U.S.

Given that reality, a number of states have introduced their own legislation. For example, in June 2018, California became the first state to enact basic data privacy laws by passing the California Consumer Privacy Act (CCPA). The law, set to go into effect in 2020, expands the definition of personally identifiable information (“PII”) to include biometric data, geolocation, internet browsing history and even inferences a company might make about the consumer based on their data. Specific requirements for companies include:

  • disclosing what kinds of information they are collecting about California residents and why
  • deleting personal data upon request from the customer
  • allowing customers to opt out of the sale of their information, even requiring that websites have a “clear and conspicuous” place to click that is specifically titled “Do Not Sell My Personal Information”
  • providing customers with a “readily useable format” of their data, which can be easily transferred to other firms

Does this sound familiar? It should! Many of these rights were introduced by the GDPR. In fact, some have described the law as “almost GDPR in the US.” That said, the CCPA generally isn’t as strict on businesses as the GDPR.

The California law also introduces new regulation around online advertising which prohibits “third-party behavioral profiling.” If a person reads an article on a website about popular handbags, that website has the right to advertise handbags to the reader. However, the reader won’t see additional ads for handbags on a third party website, as the original site is not permitted to share the behavioral data.

In addition to California, Maine and Nevada have passed data privacy laws, while several other states’ bills are in the “In-Committee” step of the legislative process.

The passage of California’s privacy law seemingly sparked a flood of new state bills. While many of these proposals will end up dying somewhere along the way, both Maine and Nevada have passed their own, albeit slimmed down, versions of the CCPA. To the left is a great overview from the IAPP Westin Research Center, which details the current status of data privacy laws in each state in which a bill has been introduced (last updated on July 31, 2019). In this graphic, the 17 common privacy provisions are broken into two categories — consumer rights and business obligations — many of which exist in both the GDPR and the CCPA.

Closing thoughts

It is evident that data privacy bills are well on their way to becoming official state law. The GDPR and the CCPA are currently the most impactful and robust legislation to date and have set a precedent for those that will follow. Eventually, once fully implemented, these laws will no longer simply force companies to pay a fine and deal with some bad PR, but will require better systems and controls around data protection and give citizens increased control over their personal data.
