Public Knowledge Responds to European Union’s New Data Privacy LawMay 25, 2018
Today, the European Union’s General Data Protection Regulation goes into effect. The GDPR seeks to give European consumers control of their personal data in the digital era. It creates stringent rules for the collection, processing, and transfer of personal data of European residents. It also emphasizes the importance of explicit consent as a basis for data collection and processing, lists users’ rights, and encourages companies to adopt more privacy and security-oriented approaches to the collection and processing of personal data.
Companies violating the GDPR can be fined up to 4 percent of their annual global revenue. Virtually all American companies or organizations that collect or process Europeans’ personal data, or target services or products to Europeans, will be subject to these new data privacy rules. American consumers are already receiving some rights listed in the GDPR as a by-product of some companies’ compliance efforts. Public Knowledge welcomes these voluntary efforts, but the United States ultimately needs comprehensive privacy legislation, and Congress should pay attention to some aspects of the GDPR when thinking about how to protect Americans’ privacy.
The following can be attributed to Gus Rossi, Global Policy Director at Public Knowledge:
“The many data breaches and privacy violations in the headlines lately have highlighted the insufficiency of the American privacy framework and caused many to look to the GDPR as a blueprint. Europe’s move to strengthen its comprehensive approach to privacy protection has also revealed the limitations and costs for consumers of the patchwork-of-protections approach that America has.
“We believe that copying and pasting EU law would not be an efficient or reasonable way to protect Americans’ privacy — the institutions, legal systems, and consumer preferences are just too different.
“However, we suggest Congress critically study and understand the GDPR, as it outlines some interesting elements for a strong comprehensive privacy bill. A comprehensive American privacy bill should also encourage companies to rethink their data collection and processing practices to guarantee security of user information, require meaningful notice and consent for personal data sharing, list user rights, and designate at least one independent enforcement agency.”
You may view our recent blog post, “Is the GDPR Right for the United States?,” for more information on what the United States might consider adopting from EU’s new data privacy rules. You may also view our recent white paper, Principles for Privacy Legislation.