General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR), which came into effect in May 2018, is a set of regulations that create new rights for individuals with respect to their personal data. The GDPR applies to any company that processes the personal data of the European Union (EU) citizens, regardless of whether those companies are based inside or outside of the EU.
The GDPR represents a significant step forward in the effort to establish comprehensive data privacy protections. However, it is important to note that GDPR does not supersede national laws, meaning that companies must still comply with any applicable national laws in addition to GDPR.
Under GDPR, individuals have the right to know what personal data is being collected about them, the right to have that data deleted, and the right to opt-out of its collection altogether. Companies that violate GDPR provisions can be fined up to 4% of their global revenue or $23 million (whichever is greater).
Comprehensive US Data Privacy Protections
In the United States, there is no federal law that governs data privacy. The reality instead is a myriad of complicated laws, some sector-specific, some medium-specific, and some general, that are open to various interpretations. These regulations apply to the telecom and financial sectors along with health and credit information.
Optimism Is On the Horizon
Nonetheless, some optimism is on the horizon: a recently proposed federal privacy law known as the American Data Privacy Protection Act (ADPPA) has shown more promise than its predecessors.
The ADPPA seeks to establish a national standard for data privacy, one that would apply to any company that collects and processes the personal data of American citizens, regardless of whether those companies are based in the United States or not.
The proposed law, like GDPR, would give individuals the right to know what personal data is being collected, the right to delete that data, and the right to not allow its collection. It would also create enforcement mechanisms to ensure that companies comply with these provisions, including fines of up to 4% of a company’s global revenue or $20 million (whichever is greater) for violations.
The ADPPA is still in the early stages of development, and it remains to be seen whether it will garner enough support to become law. However, it represents a significant step forward in the effort to establish comprehensive data privacy protections in the United States.
In the meantime, companies that collect and process the personal data of American citizens should be aware of the patchwork of laws that currently govern data privacy in the United States and take steps to ensure compliance with all applicable regulations.
United States Privacy Laws
The Federal Trade Commission (FTC) serves as a crucial, and the most influential, data law enforcement agency in the United States. The Federal Trade Commission Act grants it consumer protection authority with broad jurisdiction over commercial entities to prevent unfair or deceptive trade practices. In the past, underfunding and a lack of appropriately qualified personnel and resources have limited the scope of its abilities, but that appears to have changed.
The FTC will finally receive an appropriate budget with the necessary personnel and resources to serve as the United States’ de facto privacy regulator. The FTC’s ability to not only issue regulations but also enforce penalties against organizations that fail to abide by them makes it a critical component at this particular time. On behalf of consumer protection, the FTC can severely punish organizations that fail to follow their published privacy policies or choose to mislead consumers by making false security representations.
There are also the following federal laws that govern the collection of information online. The Children’s Online Privacy Protection Act (COPPA) oversees the collection of information on minors. The Health Insurance Portability and Accountability Act (HIPAA) governs the collection of health information. The Gramm-Leach-Bliley Act (GLBA) handles personal information collected by financial institutions and banks. The Fair Credit Reporting Act (FCRA) regulates the use and collection of credit information.
The United States also maintains a plethora of sectoral data privacy and data security laws among its states. The US state attorneys general supervise these data governance regulations, such as those covering the handling of social security numbers and data breach notifications.
Because the federal government has been unable to find consensus, privacy legislation is being driven at the state level. Rather than accept additional delay, state lawmakers have been encouraged by consumers and consumer advocates to take the initiative.
The state of California inspired the domino effect. Four other states have joined it at the vanguard: Colorado, Connecticut, Utah, and Virginia. They have all enacted comprehensive consumer data privacy laws so that both consumers and companies know exactly where they stand and have full clarity over important provisions such as the right to access or delete information and to opt out of the sale of personal information.
Is There a US Version of GDPR?
The General Data Protection Regulation (GDPR) is the most vital data protection legislation enacted at this point in history. It governs crucial criteria, such as the collection, use, transmission, and security of data collected from residents of the 28 member countries of the European Union.
The law applies to all EU residents, regardless of the location of the entity that collects the personal data. It maintains the authority to issue fines of up to the equivalent of 23 million USD or as high as 4% of total global turnover, as mentioned above. Such significant fines ought to serve as a benchmark for a United States framework.
Even though no specific federal data privacy law like the GDPR exists in the United States, some national laws were enacted specifically to regulate the collection of data in targeted industries. 1974 brought about the creation of the US Privacy Act, which governs the rights and restrictions applying to data housed by US government agencies.
The Driver’s Privacy Protection Act is another example of data privacy legislation enacted in the United States. This law regulates personal information included in state motor vehicle records.
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a United States federal law that requires financial institutions to explain their information-sharing practices to their customers and safeguards the confidentiality and security of customer information.
The GLBA was enacted in response to the increased consolidation of the banking and securities industries. The act repealed parts of the Glass–Steagall Act of 1933, which prohibited any one institution from acting as both an investment bank and a commercial bank.
The GLBA requires financial institutions to develop and maintain a comprehensive security program to protect the confidentiality and security of customer information. The FTC has broad authority under GLBA to take law enforcement actions against companies that it believes have engaged in unfair or deceptive practices affecting consumers’ privacy.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is another example of data privacy legislation in the United States. HIPAA regulates the use and disclosure of protected health information (PHI) by covered entities, which are defined as health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically.
HIPAA establishes national standards for the security of electronic PHI, including physical, technical, and administrative safeguards. Covered entities must also comply with HIPAA’s Privacy Rule, which governs the use and disclosure of PHI for treatment, payment, and healthcare operations purposes.
The Children’s Online Privacy Protection Act (COPPA) of 1998 is another example of data privacy legislation in the United States. COPPA applies to online service providers that collect, use, or disclose personal information from children under the age of 13.
COPPA requires online service providers to obtain parental consent before collecting, using, or disclosing personal information from children. COPPA also establishes safeguards for the protection of children’s personal information, including requirements for data security and data retention.
The FTC has enforcement authority under COPPA and may impose civil penalties of up to $40,654 per violation.
EU-US Privacy Shield
The EU-US Privacy Shield is a voluntary program that allows companies to transfer personal data from the European Union to the United States in compliance with EU data protection law.
The Privacy Shield sets forth requirements for companies that participate in the program, including a commitment to comply with EU’s data protection principles and to provide robust protections for the personal data of EU citizens. Companies must also provide individuals with certain rights concerning their personal data, including the right to access, correct, and delete their data.
The US Department of Commerce and the European Commission have jointly created a set of Frequently Asked Questions (FAQs) about the EU-US Privacy Shield.
The US Federal Trade Commission (FTC) is the primary federal agency with enforcement authority over privacy and data security issues. The FTC has tools at its disposal to enforce compliance with US privacy and data security laws, including investigations, audits, civil penalties, and injunctions.
The FTC also works with other federal agencies to address privacy and data security issues, including the Department of Homeland Security, the National Cybersecurity and Communications Integration Center, and the Department of Justice.
In conclusion, both GDPR and US data privacy regulations carry compliance requirements. Companies that transfer personal data from the European Union to the United States must participate in the EU-US Privacy Shield program and comply with the FTC’s enforcement authority.
When Will the First US Privacy Law Be Enacted?
A single all-encompassing federal data protection regulation imitating GDPR is unlikely in the short term, as political entities cannot seem to agree on bipartisan measures. However, certain states like California have taken up the mantle and introduced their own versions of GDPR.
Time will tell whether a US privacy law will eventually be enacted, but in the meantime, companies that handle personal data should assess their compliance posture and make certain they have data handling procedures in place to protect the critical information entrusted to them.
Best practices for companies handling personal data include:
- Developing and maintaining a comprehensive security program to protect the confidentiality of customer information
- Implementing policies and procedures to ensure the proper handling of personal data
- Assessing compliance with data privacy laws and regulations regularly
- Training employees on data privacy best practices
- Working with trusted third-party service providers that have robust data privacy and security practices in place
Enacting a federal data privacy law would provide much-needed clarity and certainty for businesses and consumers alike. It would also level the playing field for companies doing business in the United States and help to build consumer trust in the handling of their data.
Similar controls between GDPR and US Data Privacy Regulations
- Commitment to comply with data protection principles
- Enforcement authority over privacy and data security issues
- Right to access, correct, and delete personal data
- Robust protections for the personal data of individuals
Conclusion: GDPR and US Data Privacy Regulations
- The EU-US Privacy Shield program is not required for companies transferring data from the EU to the US.
- The FTC does not have the same powers as GDPR regulators. For example, it cannot impose fines on companies that violate US privacy laws.
- There is no all-encompassing federal data protection regulation in the US. However, some states, like California, have introduced their own versions of GDPR.