A US State of Readiness?

Written by

Last year was undoubtedly a watershed in the public’s approach to effective data control and privacy. Many in the UK were paying close attention to the ongoing IT saga at retail bank TSB, where infrastructure faults led to customers being able to see each other’s personal data, and Facebook’s data security issues came to light as audiences globally witnessed the Cambridge Analytica headlines unfold.

In Europe, 2018 also saw the deadline for GDPR compliance and as a result, public sensitivity rose regarding the way companies are using personal data.

GDPR’s ripple effect
Outside the EU, other nations are looking at the implementation of GDPR as a model for creating their own regulation – both to make their own countries more privacy aware and to ensure that their companies are still able to do business in Europe.

Japan and South Korea, for example, are both upping their data protection game so that domestic regulations come in line with those of the EU.

The significance of this for US businesses is that a lax approach to privacy laws at home could cause them difficulties in territories beyond Europe. 

It is this growing awareness and concern that, I believe, prompted a number of global players in the tech industry to call for the US to take a steer from Europe and create its own version of the GDPR.

The Disunited States
Where the EU has been keen to push uniformity on data protection, the US has been slow to do the same at the federal level, so states have been leading the way. The California Consumer Privacy Act (CCPA) - passed into law in June of 2018 - was the first such state-level bill with similarities to GDPR.

Other similar bills are currently going before state assemblies, helping to fill the void left by the absence of a federal law on data protection. US federal legislation is slower to move through the process, and thus states have forged ahead to meet growing demand for personal data privacy protections.

Given that attempts to police the use of data across the nation are generally inconsistent, the landscape is therefore extremely complex for businesses that operate not only across a number of states, but also in countries outside of the US. 

Companies are faced with a patchwork of different compliance standards and reporting requirements, so it’s understandable that some businesses might be reluctant to endorse the creation of federal law regarding data protection.

In reality, though, a uniform federal code would likely make life much easier for businesses in the long-term, with a single set of standards allowing them the freedom to operate anywhere in the country with reduced fear of multi-compliance complexity.

It would also lessen the shock to the system some US-based companies feel when they start to operate internationally. Doctrines like GDPR set a much higher bar than is currently enforced in America, regardless of which state you’re in. What’s more, the fines that GDPR empowers European data regulators to impose are applicable to any company, US-based or otherwise, if they conduct business with EU residents.

It’s not difficult to see why it would be easier for American companies to avoid the attention of European regulators if data protection law at home was as robust as it is overseas. 

Playing catch-up
It’s therefore high time, in my opinion that the US Federal Government started to follow the example that GDPR has set – just as many other governments are doing. A single regulation to rationalize data protection in the States would be a win for companies and consumers alike – provided that it is constructed effectively.

First and foremost, it needs to put the interests of consumers at its core. Just like GDPR, an effective regulation would be geared towards giving control over data to the people who own it, while still enabling companies to use that data in new and innovative ways once they have a defensible justification for doing so.

An effective regulation must also have teeth. GDPR gives regulators license to levy fines of up to four per cent of global turnover. A US regulation shouldn’t shy away from equipping enforcers with a comparable arsenal so that it is taken seriously.

What’s hot on Infosecurity Magazine?