All of a sudden, Americans have found themselves deluged by so many emails promising updated privacy practices that these notices have reached meme status—and yet for many people, the underlying cause of this sudden hullabaloo has been a mystery.
The cause, of course, was GDPR, the European Union's General Data Protection Regulation, which became enforceable on May 25, 2018.
For Americans, this regulation understandably flew mostly under the radar, since after all, it is European. However, most American companies were all too aware that they had to comply regardless if they hold personal data about people in the EU. (Note that the GDPR's scope turns on where the data subject is, not on citizenship.)
In fact, a company anywhere in the world that offers goods or services to people in the EU, or monitors their behaviour, falls within the GDPR's territorial scope. An organization running an email mailing list with European subscribers is a common example. Non-compliance exposes it to fines of up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher, along with other enforcement measures.
Doesn’t the US already have regulations like GDPR?
The US is not without privacy regulations of its own, of course. Anti-spam legislation (the CAN-SPAM Act) provides some of the same controls that GDPR does, such as giving email recipients the right to opt out.
Email, however, is only the tip of the GDPR iceberg. The regulation goes well beyond email, covering everything a company might do with personal information: collecting it, storing it, using it, and disseminating it.
In large part, GDPR regulations are stricter than the American equivalents—although this rule is not universal, as in some cases, US laws are even tougher than Europe’s.
For US firms that must comply with both GDPR and US laws, the question thus becomes one of consistency: what set of activities must a company undertake in order to be sufficiently compliant overall?
Providing direction for US regulation
Answering this question in a global context is more difficult than it seems. If only legislators would adjust US law to bring it into alignment with GDPR, then every company's compliance challenges would be that much simpler.
Here are some parts of the GDPR that the US Congress, as well as federal regulators, might want to take into account in order to achieve this alignment:
1. A clearer definition of ‘personal data’—what we in the US often refer to as ‘personally identifiable information’—and rules for processing such data
The GDPR also has stricter rules for processing special categories of personal data, for example data revealing racial or ethnic origin, political opinions, religious beliefs or trade union membership, genetic or biometric data, health data, and data about sex life or sexual orientation. Processing such data is prohibited unless a specific exception, such as the individual's explicit consent, applies.
A lack of common terminology not only leads to confusion. It also complicates compliance, thus increasing the risk of compliance breaches.
2. Better handling of ‘consent’
You may have noticed that some of the flurry of recent GDPR-related emails asked you to resubscribe to a particular list, while others did not. Why the difference?
The answer has to do with vagaries in the definition of consent. GDPR requires that consent be freely given, specific, informed and unambiguous, signalled by a clear affirmative action (pre-ticked boxes and silence do not count), and explicit where special categories of data are involved. It also calls for clear guidelines on how to inform individuals about how an organization is going to use, handle, and protect their data. Organizations whose existing mailing-list consent did not meet that standard had to ask subscribers to opt in again; those that could document compliant consent did not. US-based companies must now follow these rules for people in the EU, so it would only make sense for the same rules to apply to everyone.
3. Stricter ‘data minimization’ rules
Data minimization rules, together with the closely related GDPR principle of purpose limitation, are essentially 'no fishing' directives. An organization may collect only the personal data that is adequate, relevant and necessary for a stated purpose (data minimization), and if it lawfully collects an individual's information for that purpose, the GDPR does not allow it to go fishing for other, incompatible ways to use that information (purpose limitation).
In the US, general-purpose data minimization rules are largely nonexistent outside sector-specific laws such as HIPAA for health data and COPPA for children's data. If you give a company permission to use your data for one purpose, it essentially has the go-ahead to use that information for other, similar purposes without any additional consent on your part.
4. Clearer rules about ‘legitimate interest’
Legitimate interest covers the tricky situation where an organization processes a person's information without their consent. Under the GDPR, consent is only one of six lawful bases for processing. Others include performance of a contract and compliance with a legal obligation (responding to a subpoena, for instance), and 'legitimate interests' is the catch-all basis, which the regulation explicitly recognizes for purposes such as ensuring network and information security. It comes with a balancing test: the organization's interest must not be overridden by the individual's rights and freedoms.
A lack of clear and rigorous rules for legitimate interest invites all manner of loopholes that unscrupulous organizations might try jumping through in order to skirt the regulations. Calling for consistency in how to handle legitimate interest would be to everyone's advantage, except the cheaters.
5. A mandate for independent supervisory authorities
The EU is made up of various sovereign countries, similar to the way the US is made up of states. The parallels are not exact, of course, but the US Constitution gives the states lawmaking and enforcement powers, much as EU member states retain theirs as sovereign nations.
The GDPR, in fact, reflects this federated nature of the EU, requiring each member state to have one or more independent supervisory authorities, commonly called Data Protection Authorities (DPAs), that are individually responsible for enforcing the GDPR, with a European Data Protection Board to coordinate them.
Given the powers the US Constitution reserves for the states, it would be unlikely that Congress would attempt to mandate that each state enforce any federal GDPR-equivalent in a particular way. But it’s still possible for Congress to influence the states to establish consistent enforcement processes and procedures that would reduce confusion, facilitate commerce, and lower the costs of compliance for everyone.
6. Certification mechanisms
GDPR encourages (but does not mandate) the establishment of data protection certification mechanisms, seals and marks at the member-state and EU levels. The US has no equivalent, although it does have parallels in areas like food safety certification.
Such a certification process would serve multiple purposes. First, it would give companies an explicit set of tasks to carry out that would give them confidence that they were adequately compliant with relevant laws.
Second, such certification would give consumers a simple, explicit way of determining whether a company is in fact in compliance with such laws.
The Intellyx take
The six broad recommendations above are by no means a complete list. However, should the US implement them, US consumer data protection would largely become consistent with Europe’s. The core benefit: companies and consumers alike would have clearer expectations about user privacy and control over personal data.
There’s little to no chance Congress will move forward on such recommendations as a single effort. The best we can really hope for is sporadic progress toward better consumer data protection, given the complexity of the American political landscape.
Nevertheless, there are many business advantages to bringing US law into alignment with the GDPR, including streamlined, less expensive compliance and perhaps most importantly, reduced reputation risk.
In the meantime, executives in the US should err on the side of caution as a matter of policy. Whenever US and European law are at odds, the safest course of action is to comply with the stricter regulations.
In certain situations this advice may lead to overkill, but better that than being out of compliance due to an oversight.
Jason Bloomberg is an IT industry analyst, Forbes contributor, and globally recognized expert on multiple disruptive trends in enterprise technology and digital transformation. He is also founder and president of analyst firm Intellyx.
Copyright © Intellyx LLC. As of the time of writing, Apptio is an Intellyx customer. Intellyx retains final editorial control of this content.