EU leads in data privacy while U.S. plays catch up
PARIS – The European Union’s new sweeping data protection law to ensure citizens’ right to privacy online is already having a major impact on online providers. Privacy advocates say the U.S. should have taken the lead and now has to play catch up.
The EU’s General Data Protection Regulation, which took effect last May has broadened the spectrum of data under legal authority, developed penalties for companies and improved conditions of user consent. The new framework was also meant to educate citizens on privacy rights, inform them of any breaches and establish the “right to be forgotten” which allows users to erase or “cease further dissemination” of their data.
Each country has its own “Data Protection Authority” that reports to the European Data Protection Board.
“We have different philosophies with regards to data protection, that’s evident,” said Emilie Brunet, a legal and policy officer at the Commission nationale de l’informatique et des libertés. “It’s not a consumer right, for instance, with us — it’s a citizens’ rights.”
TheCNIL, or National Commission on Informatics and Liberty, is responsible for monitoring and sanctioning companies with a set of regulations that includes informing and protecting individuals of their rights afforded under the GDPR.
“We have no interest, that’s why also it’s not linked to the markets, it’s really linked to the common rights of the person,” Brunetsaid.
The CNIL assists all countries within the EU and has obligated non-EU member states to designate a representative to voice each nation’s concerns.
“The U.S. could have been a leader here,” said Marc Groman, a former White House adviser and chairman of the Federal Privacy Council that was established by President Barack Obama. “Now we’re arguing from sort of a position where we don’t have the authority, the leadership or the credibility in the area of privacy and that was our own doing.”
The EU has already enforced sanctions against tech giants like Google including a $1.7 billion fine on Wednesdayfor online search advertising practices. This is included with a $4.9 billion fine in July for pushing its own apps on smartphones and $2.7 billion for steering customers to online Google owned shops.
The American Civil Liberties Union principles note that the absence of regulation “will only intensify as the full fury and genius of capitalism applies itself to spying on all of us.” And while corporate privacy invasions are mostly invisible or poorly understood by the public, a lack of consumer choice leaves people vulnerable and without another option but to “give up their privacy in exchange for valuable services.”
The organization even published “Privacy & Free Speech: It’s Good For Business,” which includes guidelines for transparency, moderation, corporate-consumer partnerships and case studies.
In the United States, the Federal Trade Commission’s Bureau of Consumer Protection has 35 people in charge of enforcing the Federal Trade Commission Act, which prevents unfair or deceptive practices by businesses in order to protect consumer interests and maintain a competitive market.
While the EU is worried about big companies collecting data, citizens in the U.S. are more concerned about government data collection. But this may be because most of the big companies in question are American, Ashkan Soltani, a former White House adviser and the chief technologist for the FTC, pointed out.
“The intersection of privacy and competition is a critical area of how companies use access to consumer information to hurt competitors,” said Soltani said.
Groman said giving all the responsibility to the FTC shows a lack of resources that the government has put toward companies’ protection of people’s data.
“If we think that privacy’s a serious issue, if we value it, if we want to demonstrate we care, that status quo cannot be maintained or we look like a joke,” Groman said.
Brunet said CNIL is required to investigate every complaint.
“When we see the complaint, we have to deal with it,” Brunetsaid. “We cannot choose between the complaints which ones are the most important for our market and then just deal with them.”
The problem for U.S. policy-makers has been American industries not wanting regulation or limitations, but rather a “light touch approach,” Groman said. While different sectors are trying to obtain a competitive advantage and lobby for their competitors to be more regulated, it has prevented a federal law from being passed.
Several sector-specific statutes under the FTC include the Children’s Online Privacy Protection Act, the Fair Credit Reporting Actfor consumer and credit reports and the CAN-SPAM Actfor email.
“That kind of debate is playing out on the Hill and it’s going to be very difficult for Congress and policy makers to try to navigate that to satisfy all the powerful stakeholders and still produce a law that is meaningful,” Groman said.
During the Obama administration, an attempt to pass a federal privacy law failed, which Groman attributes to the Democratic administration battling with a Republican-controlled Congress.
“Money and politics is probably the most pressing issue when it comes to creating policy,” Soltani said. But he also pointed out that many of the large companies in question are American.
“There’s a more principled approach in Europe,” Soltani said, “As well as the fact that there are many of the companies here in the U.S. so regulators might be more sympathetic to those companies.”
In February, the FTC established a new task force to monitor technology markets to investigate anticompetitive practices and enforce repercussions. While Bureau of Competition Director Bruce Hoffman said the branch will work with the Bureau of Consumer Protection, its main role will be overseeing market fairness.
Sen. Ron Wyden, D-Ore., in November proposed a bill that has been compared to the GDPR and increases government regulation and suggests up to 20-year prison sentences and fines for big company executives who mislead the FTC.Meanwhile across the aisle, Florida Republican Marco Rubio drafted a bill to increase FTC powers for data security.
“The focus is not on generally citizen rights or citizen control of information, here in the U.S. it is a narrower discussion,” Groman said. “That doesn’t mean, however, that we can’t come out with a very similar outcome and that’s a different discussion.”