The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25. As companies scramble to ensure compliance with the new regulation, the GDPR has also brought the future of data privacy laws into question in countries around the world. On June 26, the Council on Foreign Relations hosted a discussion about the future of data privacy in the United States in the wake of the GDPR, moderated by technology journalist David Kirkpatrick.
The experts leading the discussion seemed to agree on four main points:
- The United States has lost its global leadership stance on this issue, and countries are looking to the European framework as an example for their own data privacy laws;
- There is an urgent need for a federal omnibus data privacy law;
- Data privacy is a nonpartisan issue, but there are issues in Congress that could delay progress;
- California’s progress in this area will likely be an impetus for passing a federal law.
Loss of Leadership
Among the group of speakers, there seemed to be consensus that the EU became a leader because it took the initiative to pass such a regulation when it was clear that privacy issues were causing too much harm. Given the recent data breaches and the Cambridge Analytica scandal, American companies are not well trusted.
Marc Groman, Principal of the Groman Consulting Group, believes that the United States is “not seen as a trusted entity around the globe when it comes to data, data security, and data protection.” Therefore, countries are looking towards the European model as they negotiate their own data privacy regulations. Karen Kornbluh, Senior Fellow for Digital Policy at the Council on Foreign Relations, pointed to efforts towards a privacy bill under the Obama administration, which were ultimately unsuccessful. Groman believes that it should be concerning to American industry that we are no longer leading discussions on data privacy and internet regulation.
Need for a Federal Law
Despite general agreement that there needs to be a law at the federal level, there were a few differences in ideas on how such a law would look. Groman disagreed with a law that would emulate the GDPR or even be a watered-down version of it, but said that he would prefer a broader approach. He calls for a framework that includes accountability, limitations, data security, transparency, and consumer control, with risk at the core. In his view, there are some positives in the GDPR, particularly around ideas of data governance, which he believes is fundamental to risk, security, cybersecurity, privacy, and business development. However, when consulting his clients, he does not recommend investing significant resources in a GDPR compliance program, but rather in a strategic, comprehensive, forward-looking and global data program.
Additionally, the lack of a US data protection authority came into question. There are clear lines of authority regarding data protection in the EU and other countries; however, there is no such direct authority in the US government. In order for a federal law to pass, a clear authority must be established. An audience member suggested that the Federal Trade Commission has already taken on the role of a privacy regulator in the US.
Holdups in Congress
The United States must establish a clear authority to implement a federal data privacy law, but even if this were to occur, there would be many setbacks along the way within Congress. Lynn Goldstein, CEO of GDPR Simple, says that the way Congress is organized, with the various committees and sectors and committees associated with those sectors, would make it very difficult to get a comprehensive privacy bill passed. She believes the way Congress approaches legislation is part of why the US failed to create a federal bill and why it may not succeed in the future.
Groman highlighted another point that contributes to the difficulty of creating a federal privacy bill. There are many stakeholders that would have influence in the process, including telecommunication companies, the tech industry, finance, health, and all the third parties for each company affected. Each sector already follows many laws that impact its privacy and data protection. Groman blames the current sectoral approach to privacy for the challenge in passing a federal law. The main issue with this approach is that the standards and definitions differ in each law, which creates difficulty in generating an omnibus framework.
California recently passed its own data privacy law. Though this event occurred two days before the election, the speakers outlined how this law may impact the movement for a federal law. As Kornbluh put it, “California is right now forcing tech’s hand and the country’s hand.” This law reflects elements of the GDPR, such as the right to access your information, a right to deletion, and a right to know. There are also opt-out and opt-in for kids, and a private right of action on a data breach, with big damages.
The law will have a one-year delayed implementation, which Kornbluh believes will create a lot of impetus for a federal action to preempt California. She mentions reports of the White House beginning talks on privacy with tech companies, as well as the Information Technology Industry Council meeting in California.
As the world becomes “an interconnected mesh of devices and data,” and data collection practices continue to cause harm, the creation of an extensive data privacy law was inevitable. The GDPR is the first comprehensive data privacy regulation that is bound to serve as an example for other countries as data protection becomes increasingly demanded. The United States is no exception. There are many difficulties that have hindered and will continue to hinder the creation and implementation of a federal data privacy law in the US, but there is also an increased need as the US misses out on leadership and faces pressure from the public.