US struggling to follow EU’s success in creating coherent strategy for data protection
The US could borrow some ideas from Europe on data privacy. Executives from Amazon, Apple and Alphabet unit Google, among others, told US senators on September 26 that a federal privacy law is needed to avoid fragmented state rules.
Under pressure, Silicon Valley is belatedly embracing national privacy standards. In June, California passed a law giving more power to consumers by allowing them to view data collected on them by large firms and to request its deletion. The EU’s General Data Protection Regulation, which went into effect in May, forces companies to obtain a clear opt-in from consumers for permission to use personal data. It’s partly in the hope of avoiding anything as strict that the tech giants are now speaking up. But a federal intervention could also head off growing administrative balkanization and complexity. The Senate hearing focused on the role of the Federal Trade Commission. Yet on September 25, the US Commerce Department’s National Telecommunications and Information Administration issued a request for comment on how nationwide data-privacy rules should be developed.
There are still industry divisions too. Representatives came to the Senate hearing from the telecommunications and tech sectors, but companies outside those industries like Walmart, Procter & Gamble and McDonald’s also collect consumer data. The Gramm-LeachBliley Act, for instance, requires financial institutions to disclose data-sharing practices and to safeguard customer data. Yet the likes of Uber also handle financial information.
The US healthcare industry has its own standard under the Health Insurance Portability and Accountability Act. But it does not apply to tech companies like Apple or Fitbit, which collect health data through wearable devices.
Concerns about Europe’s new privacy regime include high compliance costs, but it does at least provide data protection for consumers with a single set of rules and a level playing field across industries, all of which are required to guard sensitive information. America’s lawmakers could get the ball rolling by cribbing the best parts of the GDPR – and getting some of the cooks out of the US data-privacy kitchen.