Is It Time For A U.S. Version Of GDPR?


Saryu Nayyar | Forbes.com

The author E. A. Bucchianeri once pointed out a real irony, writing, “You know something is wrong when the government declares opening someone else’s mail is a felony but your internet activity is fair game for data collecting.”

Personal information on individuals is collected with every click in every app and every swipe or tap of a payment card. As the internet grows, so, too, does this data harvesting. As users, we allow it because we get something in exchange: a free social media account, search engines that answer every query, discounts from loyalty programs, free photo storage and more. For the providers of these services, the payoff is mass monetization of the personal data they collect.

In recent years, people have become acutely aware of the erosion of their personal privacy. It’s hard to ignore the intrusion of being profiled when creepy ads stalk you everywhere.

Have we reached a point at which the privacy genie is out of the bottle and it’s never going back in? Not necessarily.

In The European Union, Data Privacy Is Protected

The EU adopted the General Data Protection Regulation (GDPR) in April 2016, codifying the right to protection of personal data. The GDPR governs data protection and privacy in the EU and the European Economic Area, as well as transfers of personal data outside those areas. The regulation became enforceable in May 2018, with significant penalties for violators.

A primary objective of the regulation is to give individuals in the EU (the regulation's "data subjects") control over their personal data. Another is to simplify the regulatory environment for international business by having one Europe-wide data protection regulation that is the same across all member states.

The regulation is large and complex, and many companies have struggled to comply with all of the provisions. Nevertheless, the intent of the law is in the best interest of individuals whose personal information is too often abused by these very same corporate entities. Some of the most notable requirements imposed on organizations include:

  • Data portability: providing the means for individuals to take their data out of one system and move it into another.
  • Establishing a lawful basis, most often the individual's consent, before collecting personal data, and deleting that data if consent is withdrawn.
  • Allowing data subjects to access their information and correct or delete it on request.
  • Erasing a data subject's information on request under the "right to be forgotten," subject to limited exceptions such as legal retention obligations.
  • Designing business processes and applications with privacy built in from the start ("data protection by design and by default").

The GDPR's default is opt-in: data subjects get to determine what happens with their personal information, and processing generally needs a lawful basis such as their consent before it begins. The prevailing approach in the U.S. is the reverse: businesses may collect and store personal information unless individuals selectively opt out.

The European Commission has declared that, although there is more progress to be made, the GDPR is "an overall success" in that individuals are "more empowered and aware of their rights." Another measure of success is that legislative bodies outside the EU are considering similar measures. That raises the question: is it time for GDPR-like privacy legislation in the U.S.?

Data Privacy At The State Level

In the absence of federal data privacy legislation, some U.S. states are devising their own. California enacted the California Consumer Privacy Act (CCPA) in 2018, in force since January 2020, and expanded it with the California Privacy Rights Act (CPRA), approved by voters in November 2020. Similar to the GDPR, the California regulations enable the state's residents to control their own personal information. Specific rights include knowing what personal information is being collected, being notified when it is sold or shared, and opting out of its sale.

Virginia passed the Consumer Data Protection Act in March 2021. Its provisions draw heavily from the CCPA. A few months later, Colorado enacted the Colorado Privacy Act, drawing provisions from the GDPR as well as the California and Virginia laws. More than half a dozen additional states had data protection and privacy legislation in development at the time of this writing.

Federal Regulation Would Be A Unifier

The concern with a state-by-state implementation of data protection and privacy laws is that although there are similarities among the states' regulations, there are also differences. This creates a problem for businesses that operate nationwide, or at least across state lines, and must comply with a range of mandates, some of which may contradict each other. For simplicity's sake, businesses want one unified, standard set of regulatory requirements to meet. This is precisely what the GDPR did: it replaced the 1995 Data Protection Directive and the patchwork of national laws that implemented it with a single regulation that applies directly in every member state.

In truth, the U.S. federal government already regulates data protection and privacy on a nationwide basis, albeit only for specific sectors. The Health Insurance Portability and Accountability Act (HIPAA) restricts how protected health information can be used and disclosed, and by whom. The Family Educational Rights and Privacy Act (FERPA) does the same for students' education records.

Both of these regulations, along with some of the specifics of the GDPR, are good starting points for developing an all-encompassing federal data protection and privacy law. Using the GDPR as a model would help global organizations that do business both in the EU and in the U.S.: they would face one closely related set of provisions and could operate in a consistent manner wherever they do business.

Any society that respects individuals’ right to privacy should codify regulatory requirements for data handling. Individual states are doing so. When will this be addressed on a national scale?

About the Author

Saryu Nayyar is CEO of Gurucul, a provider of behavioral security analytics technology, and a recognized expert in cyber risk management.
