One of the most fascinating courses in Arkansas State University’s Master of Science in Strategic Communications with an Emphasis in Technology Law and Policy is EU and U.S. Data Protection Law. The course compares data protection systems in the European Union and the United States, including sector-specific regulations such as those from the Federal Trade Commission.
The European Union and the United States take different approaches to data protection. The U.S. favors a bottom-up approach, reflecting states’ rights in governing, while the EU favors a top-down approach that balances intergovernmental and supranational policies. The EU has comprehensive overarching legislation and has made data protection a high priority, whereas the U.S. has taken a piecemeal approach without all-encompassing regulations or a single regulating federal agency.
The European Union implemented its General Data Protection Regulation (GDPR) in 2018 as the legal framework for data protection and privacy for every member state. This complex legislation affects all businesses that trade with the EU and features measures to ensure compliance, including fines of up to 4% of annual global turnover or €20 million, whichever is greater. The GDPR aims to protect EU citizens’ sensitive data and give them better control over how it is accessed and used. Requirements include controls over cross-border data transfers and citizens’ rights to have data deleted.
The GDPR is structured according to seven principles:
- Lawfulness, fairness and transparency in the processing of personal data
- Data collected only for specified, explicit and legitimate purposes
- Data collection and storage limited to what is necessary in relation to those purposes
- Data kept accurate and up to date
- Data stored for no longer than necessary for the intended purposes
- Integrity and confidentiality maintained through appropriate security
- Accountability, with recourse for affected individuals and entities
The United States lacks a single governing piece of data protection legislation like the GDPR. Instead, according to International Comparative Legal Guides, federal and state laws protect citizens’ privacy and online data. Federal laws are enforced through the Federal Communications Commission, American Civil Liberties Union and Electronic Frontier Foundation, each of which provides legal frameworks. Privacy for America, a lobbying organization, represents the business interests of a conglomerate of industry bodies on data privacy.
Five key sector-specific federal data protection laws complement state legislation:
- The Federal Information Security Modernization Act (FISMA), part of the larger E-Government Act of 2002, which requires federal agencies to develop, document and implement an information security and protection program.
- The Health Insurance Portability and Accountability Act (HIPAA), a set of standards created to secure protected health information by regulating healthcare providers.
- NIST 800-171, a publication released by the National Institute of Standards and Technology aimed at protecting controlled unclassified information (CUI) in non-federal organizations.
- The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, which seeks to protect the personal information of consumers stored in financial institutions.
Much of this legislation addresses data security and the importance of private records but does not go nearly as far as the GDPR in protecting individual citizens’ data privacy.
EU-US Privacy Shield
The U.S. Department of Commerce and the European Commission collaborated on an agreement to facilitate transatlantic exchanges of personal data. Companies wanting to engage in this practice must be certified under the Privacy Shield.
The United States, through the Federal Trade Commission, supports monitoring and enforcement, but companies that do not meet the standards are simply excluded from doing business with the EU. The U.S. imposes fines only if businesses violate the administrative orders or court orders sought by the Federal Trade Commission.
From a citizen rights perspective, the EU is clearly ahead of the U.S. on matters of data protection and privacy, but the gaps likely will be addressed after the 2020 presidential election.