The recent enactment of Europe's new General Data Protection Regulation has spurred discussion of whether the U.S. needs a similar standard, and if so, what it would look like.
While some believe the U.S. should create a less onerous alternative to Europe's privacy regime, others say the country should work with the EU and other governments to create a harmonized global norm. Amid the ongoing debate, none of the U.S. Congressional bills introduced thus far have seen much movement, though a few states — most notably California — have pursued their own laws. Policy experts suggest that Europe's law could set the global standard for privacy rules unless U.S. federal lawmakers take action.
Part 1: Tech firms face data disruption amid Privacy Shield uncertainty
Part 2: US weighs potential response to EU's new data protection law
Part 3: US big tech reports mixed impact from EU data protection law
The European Union's landmark privacy law, enacted in May, overhauls the way its citizens' data is collected, stored and managed. The rules apply to organizations operating within the EU, as well as foreign entities that offer goods and services to EU customers. Among other provisions, the GDPR requires companies to receive unambiguous consent from a user before collecting or processing the user's personal data, and it instructs companies to alert users of certain types of data breaches within 72 hours of learning of the occurrence. Companies found in noncompliance could face steep fines.
Unlike the EU, the U.S. does not have an all-encompassing data privacy law. Rather, U.S. privacy protections are governed by various sector-specific laws and regulations covering different types of data, such as health and financial information. About 120 countries have enacted data privacy laws, according to a 2017 study from the University of New South Wales in Australia.
Christopher Painter, a former top cybersecurity diplomat at the State Department, pointed to the failed Consumer Privacy Bill of Rights as a potential model for a federal framework. The proposal, introduced in 2012 by the Obama administration, was designed to give consumers more control and transparency over what data companies collect and how they use it. While multiple bills were introduced that incorporated some of the Obama administration's suggested framework, none made it out of the committee review phase.
Roslyn Layton, a visiting scholar at conservative think tank American Enterprise Institute who analyzes the impact of policies on digital technology, said there are problems with Europe's GDPR and the U.S. should not rush to counter it.
"I think that we're going to find out that GDPR cannot fly," she said in an interview, suggesting the privacy regime's enforcement could see international challenges. Instead, Layton believes the U.S. should focus on educating consumers about privacy and allowing the tech industry to incentivize its own innovations.
Despite much discussion about the U.S.'s response to GDPR, it remains unclear which branch of government would take the lead on efforts to enhance privacy safeguards — the White House, Congress or states.
The U.S. Department of Commerce has reportedly reached out to tech companies, major internet service providers and consumer advocacy groups with the intention of rolling out a national draft privacy framework by this fall.
In Congress, various bills have attempted to offer a federal U.S. privacy solution, such as the Balancing the Rights Of Web Surfers Equally and Responsibly, or BROWSER, Act from Rep. Marsha Blackburn, R-Tenn. That bill would authorize the U.S. Federal Trade Commission to enforce privacy protections requiring broadband providers, search engines, mobile applications and other players to obtain opt-in consent before using sensitive customer information. In the Senate, Amy Klobuchar, D-Minn., and John Kennedy, R-La., introduced the Social Media Privacy Protection and Consumer Rights Act, which would mimic some GDPR provisions, such as giving consumers the right to opt out of data collection and requiring that companies notify users of a breach within 72 hours of discovery. Neither bill has made it beyond the committee review phase.
It remains unclear what could be in the Trump administration's privacy framework, expected to roll out later this year.
Several states have taken matters into their own hands by passing state-level privacy regulations. California's law, widely considered the most ambitious enacted to date, gives consumers the right to request the categories and types of information a business has collected about them, as well as the source of the information and the business purpose behind the collection. The privacy bill passed California's legislature and was signed into law in June.
Layton believes that state laws like the ones in California actually break down commerce and should not be emulated in other parts of the country. "California has more privacy laws than any state – people don't feel more safe or more private in California," she said.
She does, however, approve of the Commerce Department's efforts to confer with major U.S. tech companies and internet service providers about how to better protect consumer privacy. She also noted that companies with opaque privacy policies have already seen market backlash, pointing to the response this past quarter to Facebook, which faced increased scrutiny over its data protection efforts after a series of disclosures that indicated user data may have been mishandled by some third parties. The company lowered its guidance and saw its stock price tumble after disclosing weakness in some of its second-quarter user figures and saying that expenses related to improving data security would remain higher than normal in the near term.
Some members of the business community believed a global, harmonized standard would ease the regulatory burden on companies that do business across international borders.
"I think we should be looking at different models around the world and all the conversations we are having and hopefully, hopefully get to a place where it's not just there are clear rules in the United States, but there are clear and consistent rules globally," said Victoria Espinel, president and CEO of U.S.-headquartered trade group Business Software Alliance, on a recent episode of C-SPAN's "The Communicators" series. The BSA's membership includes large companies such as Microsoft Corp., International Business Machines Corp. and Oracle Corp.
James Bladel, vice president of policy at GoDaddy Inc., recently told lawmakers that GDPR and GDPR-equivalent frameworks are gaining momentum overseas. "I think the answer is that we continue to show U.S. leadership by helping to push back on the differences and the inconsistencies between the various frameworks and focus on those areas of commonality," he said.
Painter believes the U.S. should act soon to assert its values in the global privacy debate and called on the U.S. to put forth an "attractive alternative" to the GDPR and other international privacy standards during recent Senate testimony.
"If we don't have a key or... an attractive alternative to other countries who are looking at this, they're going to adopt those standards," he said.
Editor's note: This article is part of a series about the future of privacy and data regulation in the EU and the U.S.