When the European Union’s (EU’s) General Data Protection Regulation (GDPR) became law on May 25, 2018, it set an impressive precedent for data privacy and digital rights—but it also sent shockwaves throughout the tech industry. Consequently, some web services such as Klout, which measures one’s social media influence, had to shut down, while other companies like Verve decided to radically change their business model. Verve has since closed their European operations. Their Chief Marketing Officer Julie Bernard stated, “The regulatory environment is not favorable to our particular business model. The implications and ramifications of GDPR compliance will challenge numerous organizations with resources on scales smaller than, say—and in particular, Facebook and Google.”
This is an important point, as most tech companies have way less money than Facebook or Google. That means big, “Goliath” companies can spend a lot more on lawyers and information security specialists than smaller, “David” companies. But it also means huge corporations can easily survive if they become subject to fines for violating the GDPR, even though these financial penalties are supposed to be indexed according to a company’s revenue.
There’s a lot of nuance and complexity when it comes to comparing data privacy laws around the world. But in general, the EU’s GDPR is much better at protecting ordinary internet users than any of the data privacy laws in the U.S. Here’s why:
The GDPR in a Nutshell
The GDPR is a long and somewhat complicated series of regulations. In fact, there’s so much to understand, the EU has made a website dedicated to explaining it. Here’s a glimpse at the key details:
*The GDPR applies to all companies and entities who hold data on EU residents, regardless of where the company is based and regardless of the physical geographic location of the data storage and transmission. If a company like Nintendo, who is based in Japan, stores user data on their servers in Washington State, the GDPR still applies to that user and their data, regardless of where they live.
*Here’s one of the best parts of the GDPR. Companies have 72 hours to notify a third party of a data breach. Not three business days—72 hours, regardless of whether or not it’s a holiday or a weekend. According to experts, “A data breach occurs when the data for which your company/organization is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity. If that occurs, and the breach poses a risk to an individual’s rights and freedoms, all organizations must notify the supervisory authority without delay, and at the latest within 72 hours after having become aware of the breach.” Recent tech news and history suggests companies have been keeping this type of security knowledge to themselves for far too long—sometimes months, years, or as long as they can get away with it.
*Organizations can’t just collect information willy-nilly. They have to have a reason for collecting a specific type of data, which they should be able to explain. Businesses will be able to collect and process data only for a well-defined purpose. They will have to inform the user about new purposes for processing.
*Saying nothing no longer implies consumer consent to data processing. The user has to explicitly say yes, and there must be affirmative consent.
*GDPR violations which are considered to be “lower level” are subject to fines of up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is greater. “Upper level” violations are subject to fines of up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is greater.
When it comes to data privacy and protection laws in the U.S., you almost need a lawyer to help figure out what’s going on. That’s because it’s a complicated mess. Most of the laws and regulations vary from state to state and then only apply to that state exclusively. Some federal laws and (quite often) federal regulations contradict state regulations—or vice versa. At the federal level, the closest American equivalent to the GDPR is the Electronic Communications Privacy Act, and even that mainly pertains to wiretapping, with only some parts which apply to the internet. Another similar federal law, the Stored Communications Act, only applies to the use of data by governments.
According to a summary of the Electronic Communications Privacy Act, “It is a federal crime to wiretap or to use a machine to capture the communications of others without court approval, unless one of the parties has given their prior consent. It is likewise a federal crime to use or disclose any information acquired by illegal wiretapping or electronic eavesdropping. Violations can result in imprisonment for not more than five years; fines up to $250,000 (up to $500,000 for organizations.)”
A lawyer representing a client who believes their digital privacy has been violated might try argue to a judge that an internet service’s data storage and permission activities was an act of using a machine to capture the communications of others without court approval. If that angle works in court, $500,000 is still way less money than €10 million, and the law carefully says, “up to.” As far as state legislation is concerned, the new California Consumer Privacy Act AB 375 is considered to be one of the strictest data privacy laws anywhere in the United States. California Governor Jerry Brown just signed it last June, and it takes effect in January 2020. Hopefully that will give Silicon Valley plenty of time to prepare.
Data Privacy and Protection: America vs. EU
The law is still weaker than the GDPR where it counts. After all, it does apply to Californians regardless of where their data physically resides. It gives Californians the right to identify the personal data businesses collect on them; the right to deny the sale of this data; the right to have it deleted; and the right to know the business or commercial purpose of that data collection. But affirmative consent isn’t required, which means not complaining implies consent to data usage for individuals age 16 years or older. And the possible fines are paltry when compared to the GDPR—that is, unless millions of citizens gang up in a class action lawsuit. According to the law, “For data breaches, consumers may be able to sue for up to $750 for each violation, while the state attorney general can sue for intentional violations of privacy at up to $7,500 each. For both consumer and state lawsuits, companies have to be given 30 days to fix the problem.” Also, 30 days is way longer than 72 hours.
So far, it is the best state law, as none of the others come close to the California Consumer Privacy Act, let alone the EU’s GDPR. For example, many states don’t have specific time limits for reporting data breaches. Things may be gradually improving across the board, but when it comes to having your data compromised, it pays to be a Californian.