Data Privacy in the U.S. 6 Months On
It’s now been just over half a year since the deadline for compliance with the European Union’s General Data Protection Regulation (GDPR), and – predictably – the regulation has affected organizations far beyond the EU. Nick Henderson discusses what’s come to pass since May 25 and what changes may be coming.
One could be forgiven for assuming that the EU’s General Data Protection Regulation (GDPR) would have little impact on companies outside the EU. However, only six months after the legislation came into force, it is clear that quite the opposite is true. Many American corporations are still grappling with compliance and have implemented some drastic and desperate strategies in response to the new regulations.
For example, a number of organizations that failed to get a handle on the rules in time have resorted to simply blocking all EU visitors from their websites in an effort to altogether avoid the complications of processing their data. Taking it to a further extreme, the social media company Klout decided to simply call it a day and shut down on May 25 due to their inability to comply with the legislation’s requirements. It’s therefore important to take a closer look at how and why GDPR has impacted American organizations and what the future of data protection may look like in the U.S.
Why are U.S. companies affected by GDPR?
American organizations are impacted by GDPR to almost the same extent as their EU counterparts. This is because Article 3 of the regulation states that if you collect data from anyone in the EU, you must comply with the rules of GDPR. Therefore, any organization with a website that collects data from its visitors is subject to the legislation, irrespective of which countries they operate in physically. In other words, pretty much every organization around the world is subject to the regulation.
What does this mean for GDPR compliance in the U.S.?
Europeans do not differentiate between EU and non-EU companies when considering what is happening to their data. This means U.S. firms are just as likely as European firms to receive subject access requests from individuals in the EU. Therefore, American organizations require the expertise to process these requests and must be familiar with GDPR recordkeeping rules. Consumers will also expect the same standards from U.S. organizations with regard to the rights mandated by GDPR to opt out of marketing and have their information deleted.
There is also no distinction between EU and non-EU organizations in terms of the penalties that can be imposed for breaches. Under old European privacy laws, a company could be fined up to £500,000 ($650,000). This pales in comparison to the £20 million ($26 million) or 4 percent of turnover (whichever is larger) that can be imposed under GDPR. Several U.S. firms will be breathing a sigh of relief that their data scandals occurred on the other side of May 25. Most notably, Facebook would have been staring down the barrel of a $1.6 billion fine, approximately 3,000 times the size of the slap on the wrist it received for the Cambridge Analytica scandal. That said, the Wall Street Journal recently reported that it may have only been a temporary reprieve for the social media giant, as fresh investigations are underway into additional data breaches.
Further, GDPR has gained such attention and is so far-reaching that it has caused people across the globe to be more wary of how their data is being used. Therefore, even the organizations that technically don’t have to comply with GDPR are likely to have their data practices scrutinized by the parties they interact with.
California’s Data Privacy Law and Beyond
It’s no surprise that in the data-conscious climate created by GDPR, the State of California, which is home to the world’s most powerful internet enterprises, has stepped up its game on data privacy. The California Consumer Privacy Act, passed by the legislature in June, takes a stride toward aligning America’s data protection laws with Europe’s. While not quite all-encompassing, since only firms that meet certain criteria are subject to its requirements, many of its provisions seem to be modeled on GDPR’s, such as the “right to erasure” and transparency over how your data is being used.
Advocates of federal data protection laws also now seem to be making significant progress. After more than a decade of stagnation, the Senate has recently been debating the introduction of new legislation with more intent than ever before. Discussions were held in Congress on both September 26 and October 10, 2018, and there is a feeling that it will be taken more seriously this time, not least because representatives from Amazon, Apple, Google, AT&T, Twitter and other tech titans were all present in September to endorse the proposal.
Additionally, Senator Ron Wyden has recently unveiled his Consumer Data Protection Act bill, which proposes not only colossal fines for data privacy breaches but also up to 20 years’ jail time for executives who are responsible for noncompliance. Whether a bill with such severe ramifications will pass remains to be seen, but it is plain to see that it is only a matter of time before the need for reform of federal data privacy legislation in the U.S. is met.
There is no doubt that GDPR has instigated a global shift in how ownership of data is perceived. Lawmakers in America have taken note and are starting to act. It’s highly unlikely that the phenomenon of blocking web access from certain locations, driven by panic over compliance (or the lack of it) with data protection regulations, has seen its final day. U.S. organizations must ensure they have their policies, procedures and GDPR training in place to avoid running into trouble, and they should be looking ahead at what data privacy legislation is on the horizon so they can prepare internally.