This is part two of a multi-part look into the European Union’s General Data Protection Regulation (GDPR) and why U.S. companies need to be aware of the law and how it may impact their business. We will conclude the series with a webinar in 2018 that will review the series and provide further insights and comments on any updates that may have occurred since the beginning of the series. In this second part of our series, we think it is important to provide some insight into the differing approaches to privacy between the U.S. and EU.
The U.S. and EU have a fundamentally different approach to privacy law. Generally, the 28 EU member states view privacy as a fundamental human right and legislate access to their citizens’ data with that philosophy. The EU model, even prior to the GDPR, employs a comprehensive approach to privacy law. This generally means that they have one law that covers the collection of all information and data about EU citizens. In essence, the cornerstone of EU privacy law is that when it comes to the collection, use and sharing of personal information, nothing can happen absent the notice and consent of the individual subject of that information.
By contrast, the U.S. does not legislate with the understanding that privacy is a fundamental human right. The word “privacy” doesn’t even appear in its Constitution. Generally, it has been argued that the U.S. does not view privacy rights in the same context as the EU, due in part to its history and commitment to First Amendment protection. Rather than create fundamental overarching privacy regulations, the U.S. tends to create privacy laws when a need for them arises. When it comes to regulating and protecting individual privacy in business, the U.S. uses a sectoral approach. Under this approach, regulations concerning information about U.S. citizens are often based on the category into which the information falls. For example, health information is regulated under HIPAA, financial information is regulated under GLBA and FCRA, and marketing can be regulated under the TCPA, TSR, and CAN-SPAM regulations.
In practice, having two different philosophies and regulatory models can be difficult to navigate for a U.S. company. The differing approaches can create new and challenging problems that must be solved. Under the U.S. sectoral approach, companies can be generally certain with which regulations they must comply. Since the EU model covers all categories of data, companies that may not be used to operating under strict regulations will now have to adopt and develop new policies, procedures and compliance mechanisms. “GDPR brings its own challenges to U.S. companies, especially those that do not operate in regulated areas,” says Scot Ganow, Senior Counsel at Taft. “While companies do need to understand the specific requirements of a law, including the GDPR, we often encourage our clients to think more holistically about privacy and seek to protect personal information period–regardless of how it is regulated. Adopting such a broad approach and implementing best practices across the board will better serve companies to adjust as the law continues to change in the face of continued threats to privacy and security.”
Another key difference is transferring data across borders. The GDPR has regulations concerning whether and how data about EU citizens can be transferred outside their member states’ borders. Essentially, in order to be allowed to transfer data to a country that is not subject to the GDPR, the sending entity must ensure that the receiving country has been deemed to have equal or better data protection laws in place. Only a handful of non-EU countries currently meet those criteria. You may (or may not) be surprised to learn that the U.S. is not one of them. This can be a complicating factor for many companies in today’s digital environment. Transporting information across borders is now as easy as clicking a mouse, but the consequences of transferring that data without complying with the law can be devastating. As we mentioned in our previous post, the fines for a violation can be as much as 4% of worldwide annual revenue.
U.S. companies have to understand what personal information they collect and use from E.U. citizens, whether they are employees or customers. Furthermore, companies have to ensure they have a compliance program to satisfy the requirement to properly and safely transfer such personal information to the U.S. In future posts, we will discuss the GDPR’s requirements, enforcement mechanisms and how companies can develop those compliance programs.
Brian Eaton is a member of the Taft Privacy and Data Security practice area and is a Certified Information Privacy Professional in EU privacy law.