By: Adrian Mosqueda
April 11, 2022
Data protection has become increasingly important in recent years. Whether or not the data is sensitive, individuals should have some control over how their information is handled and what it is used for. Unfortunately, United States laws and regulations do not offer adequate protection to individuals. By contrast, other jurisdictions such as the European Union have developed a comprehensive set of rules that put individuals’ data protection rights ahead of the economic interests of large corporations. Hopefully, the United States will learn from this practice and implement similar approaches.
The most comprehensive data protection law in the world is the General Data Protection Regulation (GDPR) developed by the European Union. The GDPR governs all processing of personal data by all types of public and private entities. The GDPR defines personal data much more broadly than personally identifiable information such as names or addresses: any information relating to a person who is identified, or who could be identified now or in the future, is personal data. It applies if you process the personal data of people in the EU, or you offer goods or services to such people, even if you are not established in the EU. Article 6 provides the six lawful bases that make it legal to process someone’s data. Even when data processing is lawful, it must be done in a responsible manner. To deter noncompliance, the penalties are very high. There are two tiers of penalties, which max out at €20 million or 4% of global annual turnover (whichever is higher), and data subjects may also seek compensation for damages.
Many countries outside the US and the European Union have also come up with comprehensive data protection regulations that resemble the GDPR. For example, Canada enacted the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000. Even though PIPEDA only governs private commercial enterprises, the EU has deemed the protection offered by this statute “adequate.” Other countries with similar data protection regulation include Israel, Argentina, South Africa, and South Korea.
There is no such broad data protection regulation in the United States. The consumer protection jurisdiction of the Federal Trade Commission (FTC) is the broadest privacy authority at the federal level. However, it is limited to commercial businesses operating in interstate commerce and excludes a range of organizations such as financial institutions and common carriers. How the FTC can regulate data protection also differs from the GDPR. The FTC will generally reach settlements with large corporations to deter similar misconduct. For example, in 2019, the FTC reached a five billion dollar settlement with Facebook for a violation of a previous FTC order. The downside of this practice is that many small businesses, and entities that do not engage in interstate commerce, can remain unregulated. Other data protection laws in the US are even more segmented by industry, such as HIPAA in the medical context.
Moreover, some states are making their own progress in the data protection context through legislation. Utah is on the verge of passing legislation to provide consumers more access to and control over how companies handle their personal information, taking effect on the final day of 2023. Utah would be the fourth state to pass this kind of legislation; California, Virginia, and Colorado have previously enacted similar statutes. These laws could be a step in the right direction for consumer protection. For instance, the Utah law would give consumers the right to access, delete, and freely transfer their data to another provider, and to opt out of the sale of their data and of the processing of this information for targeted advertising. However, most of these statutes leave the ability to enforce the statute in the hands of the state attorney general rather than the consumers.
The most efficient way for the US to enhance its data protection rules is to expand the jurisdiction of the FTC. Another solution is to allow states to come up with their own laws regulating data protection. Adopting a uniform regulation that resembles the GDPR at the federal level seems unlikely, but it would offer more protection to consumers. The bottom line now is that many entities in the US are largely unregulated when it comes to data protection, and consumers are the most affected.