The EU's New Sweeping Privacy Law and Why the U.S. Should Take Note

The European Union is implementing a new law that is being heralded as “the biggest shake-up of personal data privacy rules since the birth of the internet.”

The new law is titled the General Data Protection Regulation (GDPR), and it is slated to take effect in May. The GDPR comes as companies in the United States and throughout the world have succumbed to massive data breaches. Most notably in the United States, Equifax suffered a breach which put approximately 143 million American’s social security numbers at risk. The GDPR is not a direct response to the Equifax breach, but it does show a changing mindset among world governments in regards to personal data.
The GDPR is significant as it sets new standards in the industry to protect consumer’s personal data. For example, the law significantly increases fines for failure to comply and requires companies to report data breaches to authorities “within 72 hours of first having become aware of the breach.” Additionally, one of the most important changes is an increase in the scope of who the law applies to. The law “applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.” This requires companies that do not reside in the European Union to abide by the new procedures.
The GDPR’s impending enactment has resulted in an increased demand for cybersecurity tech companies around the world in order to make private companies compliant. Additionally, companies are doing things that they have not previously done. For example, Facebook announced that they are publishing their “privacy principles” that describe how they use their user’s personal information. Facebook claims these principles give users the control over their privacy while also helping “people understand how their data is used.” Going above and beyond, Facebook has even rolled out videos aimed to help users learn to better control their personal data. Admittedly, this is a direct response to the GDPR and allows users to have more control over how their information is used. It is an example of a global company bowing to the pressures and requirements of the GDPR. Fortunately, this results in Americans getting the benefits of a law that technically does not govern them.
The United States should consider adopting the GDPR or something comparable. It seems every day we hear of a new data breach—almost to the point where it is expected. The best way to get companies to better protect their customer’s personal data is to increase the penalties for non-compliance. Fortunately, because a lot of American companies also do business in Europe, they are already making changes, such as Facebook’s actions mentioned previously. However, our current privacy data laws are insignificant compared with the GDPR.
The United States differs significantly from the European Union in regards to data protection laws. For starters, the United States has no sweeping data protection legislation, instead relying on multiple pieces of legislation that cover specific legal areas. For example, healthcare privacy is governed by the Health Insurance Portability and Accountability Act, colloquially known as “HIPAA.” Meanwhile the GDPR in the European Union works as an all-encompassing law protecting personal data as a whole. This overarching law helps guarantee that there are no gaps in data security. The current statutory model in the United States would require a specific law for every single sector of our lives. Practically, this is infeasible. Thus, a better alternative is something along the lines of the GDPR.
Companies know they need to better protect customer data. However, they are not the only ones that are feeling pressured to do so. The recent data breaches could and likely will lead to increased political pressure on representatives to enact legislation to better protect their constituent’s data. With the GDPR as a model, the ball is in Congress’s court to ensure that our data is adequately protected.