For the most part, the data space in the US has remained unregulated unlike the EU and its GDPR. One might get the impression anyone can request any information, do whatever they want with it, and no one would blink an eye. American citizens have historically shown trust in the activities and processes of data service providers. And they routinely volunteer personal data with comparatively minor protections from their government.
With individual states taking the lead, like with the California Consumer Privacy Act of 2018, might now be the right time for the federal government to enact nationwide GDPR-like laws?
On April 14, 2016, the EU Parliament approved the General Data Protection Regulation (GDPR), after four years of intensive groundwork and deliberations. The GDPR is a regulation on data protection, privacy, and the transfer of personal data for all citizens of the European Union as well as the European Economic Area.
The idea of data regulation is important and necessary. The US can glean lessons from the EU’s GDPR if it wants to enact similar consumer privacy protections through data regulation. Below are four such examples.
1. Synergy and the GDPR
The first thing to note is the synergy between the European Union member countries. It took four years to approve the GDPR. This may seem like a long time, but it takes a lot of willpower for countries to agree on cross-country regulations. The unity of the EU in reaching this milestone is laudable.
If the US is to make headway in this regard, it must be willing to form alliances with other stakeholders outside its governing bodies. If not with other countries, the government should at least be willing to meet with data experts, companies, and other relevant stakeholders to work on new regulations.
2. Legal Implications
Every regulation once agreed on becomes legally binding. Though GDPR was officially launched in Europe, by its implication every global business engaging in targeted marketing to customers located in the EU (whether they are citizens of EU nations or not) can be legally affected by the regulation.
Some regulations make it difficult for global businesses to thrive within the EU market. The GDPR implies that even if data protection and privacy is not a law in your locale, for you to target customers within the EU, you must comply with the regulations. This is capable of crippling international business operations for some American companies.
The fines imposed on breaches, and misunderstandings about which companies are subject to GDPR rules, are also capable of pushing popular sites to ban EU citizens from accessing their websites. For example, there was a €50 million fine on Google for alleged GDPR violations, and there have been bigger fines handed down since then.
3. GDPR Education
The GDPR has become a sort of gold standard in consumer data privacy regulations. This gives momentum to the call by some lawmakers in the US for the introduction of America’s own new data privacy regulations.
The US has been known to be a pacesetter, not a follower of policies and regulations of other countries. It has thriving multi-million (and multi-billion) dollar data-powered businesses and industries to consider in addition to consumer privacy protections.
As a result, US officials must also be willing to educate themselves on what works and what doesn’t in regards to economic effects of such regulations. A year after the introduction of GDPR, a variety of unintended consequences became clear.
Bearing in mind that GDPR has fallen short of some people’s expectations, lawmakers and other relevant stakeholders in other countries have an opportunity to do better, rather than repeat Europe’s mistakes. They should take the opportunity to learn from the precedent.
4. Cost Implications
Regulations like the GDPR are meant to protect the privacy of data for all, not to impose heavy financial burdens on the companies it is meant to regulate.
According to the 2017 Privacy Governance Report, the IAPP and EY found Fortune’s Global 500 companies were expected to spend roughly $7.8 billion preparing for GDPR compliance. And that doesn’t account for the cost of fines where compliance is deemed lacking.
According to some, the EU needs to reform GDPR if it wants to thrive in today’s data-driven economy. But the EU’s regulation still has a lot to teach US regulators if they want to better protect their own consumers while also preserving national economic interests.
The General Data Protection Regulation (GDPR) has been officially enforced since May 28 of 2018
While it was officially created in Europe, every global business whose current or future customers may be located in Europe can be legally affected by the regulation.
On January 25, 2019, the European Commission issued the most recent numbers and updates on that important online privacy regulation:
- Telemarketing and promotional emails are the two GDPR breeches that are most often reported to EU national data protection authorities
- Almost 100,00 complaints have been lodged with EU national data protection authorities since the regulation went into effect
- The data protection authorities have started 250 investigations in the context of EU cross-border data processing activities
- There have been three fines issues so far:
- €5,280 fine on a sport betting café for unlawful video surveillance
- €20,000 fine on a social network operator for failing to protect users’ personal data.
- €50 million fine on Google for alleged GDPR violations (The biggest fine in GDPR history so far)
For legal consultation concerning the privacy regulations and how it may impact your business, refer to a qualified lawyer.