Many Americans would love to see a law on the books that gives them more control over how their personal data is used, and even the right to have it completely deleted. While there’s little political will for such legislation in the US, the European Union is about to enact a sweeping law that will put personal data back in the hands of its citizens. And while the General Data Protection Regulation (GDPR) doesn’t apply to Americans, its impact on American companies could also lead to some positive changes for US citizens.
A Move Toward the Future
The EU has long had a more progressive view of electronic privacy. In 1995, it adopted the Data Protection Directive, a framework for the handling of personal data. It defined personal data as “any information relating to an identified or identifiable natural person (‘data subject’).” The definition was purposely broad in an attempt to future-proof it from new advances in technology.
The directive developed the idea that data should not be processed unless for a legitimate purpose and with the consent of the individual. And while compliance from EU member states was voluntary, it did force each country to create a supervisory authority to monitor its data protection initiatives.
This was a move in the right direction for privacy advocates, but the differences in privacy laws between each country, as well as other advances in technology, were ultimately the impetus for the passage of the GDPR in 2016. When it officially goes into effect on May 25, 2018, the GDPR will create a uniform data protection law for all EU citizens and important new rights that must be recognized by EU governments and companies that do business with them.
What the GDPR Does
The GDPR expands on the definition of personal data in the Data Protection Directive by also including information that can indirectly identify an individual, such as location and genetic data. The regulation then goes on to identify specific responsibilities of data controllers (organizations that collect data) and data processors (organizations that process data on behalf of data controllers, such as cloud service providers). For example, data processors must notify data controllers of a data breach, while data controllers must notify the proper EU authority within 72 hours.
The GDPR also requires that data controllers include data protection by default in their business and security designs. While this isn’t clearly defined by the regulation, it expresses a need for high security settings when developing systems that hold data, and strongly favors data encryption.
The regulation also creates two new rights for EU citizens. The first, the right to data portability, requires that an individual be allowed to transfer their data from one electronic processing system to another without interference from a data controller. Upon request, the data must be provided to the individual in a commonly used open standard format.
For example, if you would like to see any personal information Walmart has collected on you over the years, you could request that, and it would have to be provided to you in a Word or Excel document, rather than an obscure internal format used by the company.
The second right, the right to erasure, creates a right to request that data be erased on several grounds, including noncompliance with the GDPR, and where the rights of the individual override the rights of the controller. Previously, data only had to be deleted if it caused significant damage or distress to an individual.
Again using the Walmart example, let’s say you’ve decided you don’t ever want to shop there again and you don’t want the company to have any more of your information. If Walmart is done with your data and can’t show any good reason why it should still have it, the company would need to delete it.
While the GDPR is an EU law, it applies to any company doing business in the EU handling the personal data of EU citizens, so it impacts a stunning number of American companies. And the penalties for noncompliance are severe. While the first infraction comes with a warning and risks regular audits, repeat violations come with a fine of up to €20 million (more than $23 million) or four percent of the annual global turnover of the company for the previous fiscal year, whichever is greater.
How the GDPR Affects Americans
Despite the huge impact the GDPR will have on American companies, coverage in mainstream American news has been nearly nonexistent. Most of what’s out there comes from little-read business and tech blogs and focuses on the importance of compliance to avoid costing companies lots of money.
While there is an important economic component to the GDPR, it’s a shame that more Americans aren’t aware of it because it could influence the conversation here of how personal data is handled by American companies and the American government.
If they were aware it was an option, many Americans would love to have a law that let them tell the government to delete their data if it’s no longer needed for the government’s far-reaching PRISM program (and indeed most of that data is of no importance to federal investigations). Or it would just be nice to finally have all personal information deleted from a business’s records when you no longer shop with them to avoid having a credit card number compromised.
While it doesn’t seem like Americans will get a right to erasure anytime soon, the GDPR should make more Americans’ personal information safer anyway. That’s because, if you’re a major American corporation with personal information about thousands or even millions of customers around the world, it’s not going to make financial sense to hold that data on two different systems, one that’s GDPR-compliant for EU citizens, and one for everyone else. Furthermore, as the GDPR requires data protection by default, it should motivate international businesses to make decisions that will protect personal data for all of their clients.
So while the US will continue to lag behind Europe when it comes to the rights individuals have to their personal data, at least some of us will see the benefit of the EU’s new data protections. Maybe it’s even time for US citizens to demand the same rights as their European counterparts when dealing with American companies.