Policymakers in the United States and in the European Union have both taken legislative and enforcement actions to ensure data privacy and protection for their citizens. The EU has gone further than the US by implementing the General Data Protection Regulation (GDPR) in 2018 as the legal framework for data protection and privacy in every member state. This is the first legislation worldwide aimed at international control over how businesses handle consumer data.
European consumers welcome this legislation given concerns about the safety of personal information they provide online and a general distrust of online businesses.
What Is the GDPR?
According to the Congressional Research Service, “The GDPR establishes a set of rules for the protection of personal data throughout the EU. It seeks to strengthen individual fundamental rights and facilitate business by ensuring more consistent implementation of data protection rules EU-wide.” This complex piece of legislation has several goals:
- Identify legitimate bases for data processing and create common rules for data retention, storage limitation and record keeping
- Further develop the EU’s Digital Single Market (DSM) to create a standard on digital policies for all member states
- Bolster the EU’s technology sector relative to Chinese and U.S. competitors
The GDPR protects seven types of privacy data:
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Why This Legislation Matters in the US
Multinational companies that are based in the U.S. and do business with and in the EU must comply with the rules in the GDPR if they meet the following criteria:
- Have a presence in an EU country
- Have no presence in the EU, but process personal data of European residents
- Employ more than 250 people
- Employ fewer than 250 people, but their data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies. A PwC survey showed that 92% of U.S. companies consider GDPR a top data protection priority.
The GDPR places liability on both data controllers (the organizations that own the data) and data processors (outside organizations that help manage that data). If your organization uses a third-party processor that is not in compliance, your organization is not in compliance either. Companies that meet the criteria are responsible for ensuring compliance by hiring a data controller, a data processor and a data protection officer (DPO).
The legislation challenges American businesses to apply stricter measures of data privacy and protection in their processes. When the GDPR was instituted in 2018, one in three adults planned to exercise their rights to remove personal data from online retailers’ databases and to request the cessation of data use for marketing purposes. As consumers become more educated about the implications of data exposure, this percentage is likely to rise.
To be compliant, companies need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address and Social Security number. As another example, businesses cannot assume consent and merely give consumers a way to opt out in online forms; they will have to obtain explicit consent for data collection. They also need to provide transparent responses to submitted forms containing sensitive data, along with copies of the data collected in electronic format. These are just a few of the many required steps, and many companies are struggling to comply, in part due to some of the vaguer language in the legislation. Smaller companies are also finding this more difficult because they cannot afford consultants and lawyers to ensure compliance.
Measures to ensure compliance include fines of up to 4% of a business’s annual global turnover or 20 million euros, whichever is greater. Companies not in compliance may be liable to consumers for compensation claims for damages suffered. Additional fallout includes reputational damage and loss of consumer trust as cases are publicized.
To make it simpler to standardize data privacy and protection with the EU, and to provide Americans with similar protections, U.S. policymakers are assessing the need for comprehensive national legislation. Currently, the U.S. has only by-sector and by-state legislation. Similar federal legislation would help to put the U.S. on equal footing with the EU and make it easier for American companies to be compliant with both sets of standards. Consumer and industry advocacy groups are calling for similar approaches, but Privacy for America, a lobbying organization, represents the business interests of a conglomerate of industry bodies in data privacy. Their objectives may not always overlap with those of Congress and the advocacy groups.
The EU does not shy away from imposing steep fines for regulatory non-compliance. U.S. companies are taking it seriously, and EU citizens are benefiting. It is highly likely that the U.S. will institute similar legislation to protect its own interests and citizens as matters of data privacy and security continue to intensify.