Data Privacy Laws: How Does the US Stack Up Against the EU?
by Josh Lake
As the media attention surrounding the repeal of the data privacy framework begins to calm down, now is the perfect time to examine where the USA stands with our current laws. As one of the most culturally and economically similar parts of the world, comparing our laws against Europe’s can provide a good frame of reference.
While the US government is focusing on stripping back red tape in a bid to kickstart business, the European Union has gone in the other direction and is stepping up its bureaucracy with the General Data Protection Regulation (GDPR). These new laws come into play in May 2018, so businesses are hard at work to make sure they will be compliant when the date swings around.
These two approaches show a clear difference between the two unions, one that can be attributed to cultural values as much as recent political developments. Americans place great importance on individual freedoms, while Europeans can often have a more collectivist stance.
When it comes to data privacy regulation, neither side of the spectrum is without its problems. Lack of regulation can lead to abuse, while too much can cause businesses to stagnate under the heavy weight of compliance.
So how do regulations compare on either side of the Atlantic? In contrasting the two, we need to be mindful that the EU has been working on these rules for years, while the current US system is in a state of flux. With suggestions that the Trump administration will move data privacy regulation back to the FTC, the US rules could see a massive overhaul.
So Where Does the US Stand?
US data privacy regulation is made up of a patchwork of different legislation. In addition to the federal laws, there are also separate state regulations that augment how data can be used and processed.
There is no overarching umbrella law that establishes the rights of data subjects; instead, different pieces of legislation touch on the legality of data processing in separate industries. In many cases there is also an expectation that enterprises will self-regulate. Some of the key data privacy laws include the Privacy Act of 1974, HIPAA, COPPA, ECPA and the FCC's interpretation of the Telecom Act.
The Privacy Act of 1974
This act governs how personal information is collected and processed. It prohibits the disclosure of personal information without the subject’s consent, unless the data is for specific purposes. These include law enforcement, government agency, administrative, congressional, statistical and archival purposes.
The Privacy Act of 1974 allows an individual to access and amend their records, as well as to discover whether they have been disclosed for any purposes. Agencies are mandated to have adequate security and administrative procedures in place to protect these records from unauthorized access.
The Health Insurance Portability and Accountability Act (HIPAA) is a complex piece of legislation that focuses on the health industry. It sets out specific requirements for how individual health records can be processed, helping to reinforce the right to privacy over identifiable medical data. Under HIPAA, Protected Health Information (PHI) can only be disclosed when required and authorized by the subject. There are exceptions to this, such as when it is needed for law enforcement purposes.
Individuals have the right to correct any inaccurate data, while organizations must take reasonable steps to keep the communication confidential. The HITECH Act of 2009 added further regulations, requiring organizations that have suffered data breaches affecting more than 500 people to notify the authorities, the media and the affected individuals.
The Children’s Online Privacy Protection Act (COPPA) focuses on the collection of data about children who are less than 13 years old. Among its stipulations, organizations must obtain parental consent before collecting or processing children’s data. Parents must also be able to review this data, and reasonable steps must be taken to protect it.
The Electronic Communications Privacy Act (ECPA) of 1986 covers email and other electronic communication; however, it has been left behind by the growth of technology, making it relatively ineffective. The act has many loopholes, such as allowing law enforcement to seek out emails without judicial review. All they have to do is provide a written statement saying that the content is needed for an investigation.
Another hole in the legislation is that emails are legally considered abandoned if they have been stored on a third-party server for more than six months. This may not have been an issue in the early days of email, but the rise of online email services such as Gmail has led to many users permanently storing their emails on third-party servers.
How Are the European Laws Different?
Europe is currently under the Data Protection Directive, but will be moving to the much stricter General Data Protection Regulation (GDPR) next year.
The Data Protection Directive
These laws came into effect in 1995 and focus on data privacy as well as individual rights. There are seven key principles:
- Notice – subjects should be notified when their data is being collected.
- Purpose – data should only be used for its original purpose.
- Consent – data should not be disclosed without the consent of the subject.
- Security – the data should be kept secure.
- Disclosure – the subject should be made aware of who is collecting their data.
- Access – the subject should be able to access their data and make any necessary corrections.
- Accountability – data collectors should be held accountable if they don’t abide by the principles.
In response to changes in technology, the European Union will be bringing in the General Data Protection Regulation on May 25, 2018. It aims to take European data requirements further and give more protection to individuals. It will also synchronize data law across the EU, making it easier for businesses to become compliant across the whole region.
The GDPR is built on principles of data protection by default and privacy by design. It brings individuals a range of rights, including the right to access their personal data, the right to be informed of what is being collected, the right to object to their data being processed, the right to restrict data processing, the right to have personal data removed, the right to have their data rectified and the right to have their data transferred to another service. The UK Information Commissioner’s Office covers these rights in more detail.
The new regulations also state that organizations that process data on a large scale, or that process special kinds of data, will have to appoint a Data Protection Officer. This is an individual who works independently within the company to ensure that the obligations under the GDPR are being met.
Under the regulations, data breaches need to be reported to the authorities within 72 hours and individuals need to be notified if the data was not encrypted. Penalties for non-compliance with GDPR regulations can be up to €20,000,000 or 4% of global annual turnover.
Which Regulations Are Best?
This is a difficult question to answer, because it really depends on what ideologies you hold to be most important. The US laws are relatively sparse and can make it easy for businesses to meet the standards. The patchwork approach does present some problems, because there are often gaps in protection for individuals. The complex nature of the interrelated legislation can also make compliance confusing.
In comparison, companies in Europe have to meet much higher standards, which can often cost them significant sums of money. Requirements such as employing a Data Protection Officer can be particularly draining on the finances of a smaller company. Although the GDPR is expected to cost businesses in the short term, bringing in a consistent and simplified system across the whole of Europe may reduce compliance costs in the future.
The main upside of the European regulation is that it brings significantly more protection to individuals. Some people may not think that this is a big issue, while others would place great importance on the additional rights.
So which approach is best? If you think regulations hamper the progress of business, you will probably prefer the US system. If you don’t trust businesses to act in a responsible manner, you will most likely prefer the protections of EU data law. It’s all a matter of perspective.
However, historically we have seen that when data security is left up to companies, it is often neglected. This results in a landscape of insecurity and endangers the sensitive data of individuals. A glaring example of this is the US healthcare system. Even with the HIPAA laws, many organizations struggle to achieve an adequate level of security, or they continue to neglect security while focusing on sales. The results of this are obvious, considering all of the breaches that have been in the news over recent years.