Everything, Everywhere, All at Once: Data Privacy and Protection in a Post-Pandemic Reality

Jay Fort

Associate Editor 

Loyola University Chicago School of Law, JD 2026

Today, the exponential growth and mass adoption of information technology tools and the constant exchange of user data presents an ongoing challenge for regulators seeking to protect data and privacy rights. Particularly from the Covid-19 pandemic onward, a dramatic increase in both demand and dependency has caused a tectonic shift across both public and private sectors. As a result of this ongoing IT and data revolution, the legal and regulatory landscape faces new opportunities and challenges, in terms of providing clarity and stability to regulated industries, entities, and individuals. One notable area of concern is data privacy and protection. Unfortunately, the U.S. Federal system currently lacks a centralized regulatory framework for protecting user data and privacy. However, other nations offer clear models, case studies from which the U.S. could greatly benefit. For example, the European Union’s General Data Protection Regulation, or GDPR, is an established, globally recognized regulatory framework. If adopted by U.S. regulators, the GDPR could provide clear regulatory guidance for individuals and entities seeking to navigate an increasingly high-risk era of data protection and management.

The current state of U.S. data regulation

What is data privacy? Data privacy is defined as protection against the collection, storage, or dissemination of one’s personal information. It is distinguishable from cybersecurity, which includes prevention of system-level intrusions. On the Federal level, the U.S. system represents what is widely perceived as a “patchwork” of data regulations. In short, it lacks a clear and centralized guiding framework, although individual states, such as Illinois, New York, and California, have adopted modern rules, regulations, and statutes for data privacy and protection. One example is the California Consumer Privacy Act (CCPA). In short, the CCPA provides consumers with control over their personal information collected by businesses. Further, it secures key consumer rights, including: the right to know what information businesses collect; the right to delete much of the personal information collected; the right to opt out of the sale and sharing of personal data; and the right to non-discrimination (retaliation) for exercising rights under the CCPA.

Despite the progress made by individual states, the lack of a clear and established Federal framework leaves much to be desired, resulting in an unnecessary and avoidable data and privacy management gap. Existing models, such as the EU’s General Data Protection Regulation (GDPR), could mend this. In summary, the GDPR is unambiguous regarding individuals’ protected rights, including the right to access, rectify, and erase personal data, as well as the right to data portability, protections which mirror certain aspects of U.S. Federal law (i.e. HIPAA). If adopted on a federal level, the U.S. would have a foundation and effective baseline on which all interested parties could rely for best practices and regulatory compliance.

Federal and state regulation

Historically, the U.S. Federal government has taken some broad steps to protect personal user information, privacy rights, and data of individuals, entities, and organizations. Certain Federal examples include the Children’s Online Privacy Protection Act (COPPA), which requires websites that collect the private information of minors ages 12 and under to follow strict rules. Another is the Privacy Act of 1974, which regulates the federal government’s collection, maintenance, use, and dissemination of information. Additionally, the Gramm-Leach-Bliley Act (GLBA) requires that financial institutions have an affirmative and ongoing obligation to respect the privacy, security, and confidentiality of their customers’ nonpublic personal identification data.

Shifting to the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) established guidance in terms of providing notice, protecting personal health information, overseeing proper release of such information, and providing patients with a broad right of action for violations. Alongside HIPAA is one of the most impactful Federal laws – the Federal Trade Commission (FTC) Act (The Act). The Act allows regulation of unfair and deceptive practices in or affecting commerce, including data transactions between, and within, entities and individuals, including organizations, partners, clients, and customers. The FTC exercises certain broad regulatory authority in the realm of data usage. The lack of a centralized regulatory framework to replace the current “patchwork” system of laws, rules, and regulations is an ongoing concern for stakeholders across industries. However, international regulatory frameworks have been effectively implemented by international partners, among the most notable being the EU’s GDPR.

The EU’s General Data Protection Regulation (GDPR)

In terms of possible model solutions, we look to the EU’s General Data Protection Regulation. Enacted in 2018, and replacing its predecessor, the Data Protection Directive, the EU determined to develop a regulatory framework which not only guaranteed data protection rights, but addressed technological progress and the increasingly international nature of data transfer processes. Drawing on considerable consultation and an extended drafting process, the EU’s purpose was to establish the rights of individuals and the obligations of regulated business entities, developing new user protections. Although not without its critics, the GDPR has been applauded for its clear, central structure and core pillars. For instance, the GDPR maintains a broad scope, as it applies to any organizational entity established in the EU, offering products or services to EU data subjects, or monitoring their activities. Additionally, the GDPR is comprehensive and rights-based, offering unified regulation in terms of processing users’ personal data and providing privacy rights to individuals. In terms of enforcement, the GDPR mandates strong enforcement mechanisms, including fines and strong penalties for non-compliance (similar to the Federal Sentencing Guidelines).

Ultimately, the U.S. would benefit greatly from a standard, consistent data and privacy framework, which would be an effective upgrade from its current patchwork system of sector-specific laws and regulations. The EU’s GDPR represents a comprehensive, field-tested example of a broad and effective program. Although not a “silver bullet,” the U.S. could draw on the GDPR’s central framework and key features while developing its own necessary innovations, building a comprehensive framework with broad solutions to meet the modern moment.