On May 25, the data protection laws in Europe will undergo their most significant changes in the past 20 years. In recent years, companies both foreign and domestic have been adjusting their business practices to be in compliance with the European Union’s General Data Protection Regulation. The GDPR will replace the European Commission’s Data Protection Directive passed in 1995, officially called Directive 95/46/EC.
The new regulation will hold companies accountable when it comes to their collection and use of European citizens’ personal data. It will prescribe a standardized law for data protection across all EU member states, differing from the Data Protection Directive, which required member states to transpose the requirements of the Directive into national law, resulting in similar but different data protection standards and levels of enforcement across the EU.
In the United States, there is no single comprehensive data protection law. Instead, it has sectoral data protection laws that regulate certain types of data and certain uses of data.
For example, the United States has the Fair Credit Reporting Act, which regulates information related to credit, insurance and employment; the Health Insurance Portability and Accountability Act, which regulates the use of protected health information; the Health Information Technology for Economic and Clinical Health Act, which regulates the electronic transmission of health information; the Controlling the Assault of Non-Solicited Pornography and Marketing Act, which regulates the use of email addresses for email marketing; the Children’s Online Privacy Protection Rule, which regulates the use of children’s information; and others.
Additionally, the Federal Trade Commission regulates privacy and data collection through Section 5 of the FTC Act, which “prohibits unfair or deceptive acts or practices in or affecting commerce.”
A key distinction between the EU and U.S. legislation is the type of data that is protected as “personal” under each data protection regime. Personal information is anything that can be used to identify the user, either directly, such as a phone number or social security number, or indirectly, via a cookie ID or device ID.
In the EU, personal data is protected simply because it is personal data, regardless of the use. The GDPR requires that an entity first have a lawful basis, or reason, to collect personal data before doing so.
In the context of data collection online, that lawful basis is often consent, meaning that an EU consumer must opt-in to having their personal data collected online.
Section 5 of the FTC Act requires that an entity provide consumers with notice about the type of data they are collecting and what they are using it for, with an opportunity to opt-out. There is no requirement, however, that a consumer opt-in, unless the collection falls under a specific sectoral law or the data being collected is deemed sensitive data.
This raises the question of what a U.S. citizen should expect of privacy when compared with an EU citizen come May 25. On one hand, in the EU, action is required to release personal data.
On the other, in the United States action is required to keep that data private. This fundamental difference in the way data is collected suggests that Americans have a higher tolerance when it comes to volunteering personal data in order to use the tools and platforms on the internet that are available to them.
With Mark Zuckerberg’s recent appearance in front of the Senate Commerce and Judiciary committees, and the questioning that followed, it is all too apparent that the rules are not nearly as cut and dried as one would think. Maybe it is time that the United States adopt some policy directives from the EU.