Comparison of European and American Privacy Law
With the introduction of the General Data Protection Regulation (GDPR) just around the corner on May 25, 2018, many people are wondering how the new European law will compare to American privacy laws.
An important point to note from the outset is that the GDPR will not just apply to organizations based within the EU, but to any organization which collects or processes the data of individuals based in the EU. The chief determining factor of GDPR applicability is the location of the data subject, not the location of the company.
To further clarify this point, many organizations believe that the GDPR only applies to EU citizens. This is not the case. If the data has been collected in the EU, even if the data relates to a non-EU citizen, the information is subject to the protections of the GDPR and the controller and processing entities must treat it in compliance with these rules. Similarly, should a citizen of an EU country have their data collected and processed outside of the EU, their data is not subject to the GDPR protections as it was not collected within the EU.
As well as confusion arising from different legal systems and different locations, some cultural differences are also affecting perceptions of the GDPR and privacy laws.
A European Attitude to Privacy and Personal Information
One of the main aims of the GDPR is to ensure that every individual located within the EU, no matter which member state, is guaranteed the same rights and freedoms – including the right to privacy, which is thought of as a basic human right. To accomplish this, the GDPR will enshrine this and other rights in the legislative framework of the EU member states. The desired result will be a cohesive and secure approach to processing personal data collected across the EU, which will protect individuals and their privacy.
An American Attitude to Privacy and Personal Information
In a legal sense, the United States does not provide for an overall expectation of privacy. The collection and processing of personal data is generally regulated based on the type of data under discussion. This is why, for example, data related to healthcare is subject to the Health Insurance Portability and Accountability Act, commonly known as HIPAA, and financial data is governed by the Gramm-Leach-Bliley Act, known as GBLA. As there is no current law in the US that is analogous to the GDPR, many types of data that are covered by the GDPR do not have corresponding protections under American law. This will more than likely result in a situation where data gathered from within the EU will have to be processed and stored to different requirements and to different standards than data gathered from within the US.
How is This Liable to Affect US Organizations?
Implementing, managing, and overseeing two different but parallel approaches to data processing will probably strain the resources of many US based organizations. Making use of several systems depending on the type of data and the location from which it was gathered introduces a level of complexity that may impact the efficiency of operations and that could lead to mix ups and mistakes, potentially resulting in fines or sanctions for non-compliance with the correct regulations.
Further confusing the issue is that a single individual may have data that falls under both or multiple sets of legislation. In an increasingly globalized world, it is not out of the question for someone living in New York to have their data gathered within the US throughout the course of their daily activities, and to then take a trip to Europe for business or pleasure and have their data gathered within the EU during the trip. If their data is collected by the same US based multinational group, say a coffee shop chain, online accommodation service, or electronics manufacturer, then this company would have data from the same individual subject to different sets of legislation – essentially prohibiting the merging of the data and the ability to extract useful information from it.
A solution that is being proposed to this double standard is to simply eliminate it by applying the same procedures to all data collecting and processing activities. While it may take time and resources to design a system that meets the requirements of all the relevant laws, the gains in efficiency and the reduction in risk could largely make up for this. However, it is not yet sure whether many organizations will implement this solution.