Is it time for “GDPR” in the United States?

Finjan TeamBlog, Cybersecurity

Concerns about data privacy and security have never been higher in the United States. With the steady stream of news about data breaches and theft, anxiety and a feeling of helplessness are commonplace. A 2018 survey of 10,000 consumers conducted by the Harris Poll revealed that 78 percent of U.S. respondents say a company’s ability to keep their data private is “extremely important”. A staggering 91 percent think they have lost control over their online data, according to Pew Research. Those statistics are stunning considering that a 2017 survey, also by Pew Research, showed eight in 10 Americans now shop online. Given all this, you would think stronger data protection laws would be quickly passed by Congress. But, compared to Europe, the US has fallen short in regulating how organizations use and protect individuals’ data.

Europe’s Answer to Data Privacy: GDPR

The European Union first implemented data privacy regulations and laws back in 1995. In 2016 the EU, recognizing how deeply online usage and e-commerce are intertwined with daily life, moved to strengthen its data privacy laws. The General Data Protection Regulation (“GDPR”) represents sweeping changes and requires businesses to protect the personal data and privacy of European Union citizens for transactions that occur within EU member states. It covers all companies that deal with the data of EU citizens, in particular banks, insurance companies, and other financial companies. Organizations that do not comply with GDPR regulations face monetary penalties.

Since GDPR applies to any organization – located anywhere – that offers goods or services to, or monitors the behavior of, EU citizens, many US enterprises and organizations must adhere to this regulation. Have you been curious as to why, when you visit a website, you are asked to agree to or acknowledge its privacy or cookie policy? Yes, that is part of GDPR in action.

Is it time for GDPR in the United States?

There are many lawyers and advocates who believe the time has come for some sort of GDPR-style regulation in the US. Take Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He loves GDPR and thinks that the United States should have its own version of it. In fact, he has written a lengthy blog post titled “Why I Love the GDPR: 10 Reasons”.

Amie Stepanovich, a lawyer and U.S. policy manager at Access Now specializing in cybersecurity, privacy law and drone surveillance, argued the public appetite for data privacy regulation was strong. “Cambridge Analytica and Facebook really raised the profile of this issue in the United States,” she told me. “It showed people who really weren’t sure just where they could be harmed from a privacy perspective.”

Justin Brookman, Director of Consumer Privacy and Technology Policy at Consumers Union, argued that companies don’t write clear privacy policies for their consumers and that any American privacy regulation should address this reality. He argued that potential privacy regulation should require transparency and provide consumers with information on where their data is going.

Somewhat surprisingly, segments of Silicon Valley are on board. In September 2018, Apple and Google urged lawmakers to create new federal privacy legislation. A month later, Apple CEO Tim Cook demanded new rights for American consumers. “It’s time to face facts,” he said. “We will never achieve technology’s full potential without the full faith and confidence of the people who use it.”

GDPR’s results in the EU: is it working?

Nearly one year in, it is hard to say. One gauge will be the number and size of fines levied on EU companies that do not comply. Thus far, there is no clear data. “On the face of it, it’s very hard to tell,” says Dr. Guy Bunker, SVP of products at Clearswift. “Six months in and there are still stories of data breaches on an almost daily basis and we have yet to see any of the mammoth fines which can now be handed out.”

New York Law School professor Ari Ezra Waldman, in a paper in the Washington Law Review published online, argued that strengthened privacy laws actually offer “false promises” for consumers. He said that laws like the European Union’s GDPR or California’s state privacy rules are failing to deliver on their promised protections partly because of the “booming market” in tech vendors hawking privacy compliance tools.

But there are those who are more optimistic. Steve Giguere, global solution architect at Synopsys remarked, “From a cybersecurity perspective, contrary to what headlines may suggest, my experience has been that many organizations have noticeably improved their security posture or, at the very least, are paying closer attention to how they store, transmit, and process personally identifiable information. While GDPR didn’t prescribe what good looks like or even what bad looks like, it does appear that its overarching mandate, in combination with its clarity of potential ramification has been the right recipe to wake many businesses from their cyber security slumber.”

What will Congress do?

Despite concerns over efficacy and increased regulation, the US federal government’s chief auditor recently recommended that Congress consider developing legislation similar to GDPR. The recommendation was included in a 56-page report issued by the Government Accountability Office (GAO), the government agency that provides auditing, evaluation and investigative services for Congress. Supporting its conclusions, GAO investigators cited the Facebook/Cambridge Analytica scandal and its own previous reports about:

  • The dangers to user privacy due to the lack of regulation and oversight in the ever-growing Internet of Things (IoT) sector where devices collect massive amounts of information without users’ knowledge.
  • Automakers collecting data from smart car owners.
  • The lack of federal oversight over companies that collect and resell user information.
  • The lack of protections for mobile users against secret data collection practices.

Currently, both the House and the Senate are holding hearings on privacy legislation, transparency about how data is collected and shared, and the stiffening of penalties for data-handling violations. Where this winds up, what legislation actually gets enacted – and when – is anyone’s guess. But clearly, it is time for the United States to strengthen its data privacy laws to better protect consumers and enterprises.