U.S. data privacy law is a mishmash of federal, state, and industry regulation. Should we enact a single universal federal data privacy law like GDPR?
Yes, oui, ja!
GDPR is a massive step forward for the data protection of European residents, and we would love to see our friends in America similarly defended. The truth is that many U.S.-based companies have already had to do much of the work needed to be GDPR-compliant because they have European customers, and so it makes enormous sense for any U.S. legislation to closely mirror GDPR rather than having a different set of data protection regulations for U.S. consumers.
—Graham Cluley, former longtime editor of the Sophos Naked Security blog, host of the Smashing Security podcast, researcher, blogger, and speaker
The patchwork of local, state, and federal U.S. privacy laws and enforcement models must evolve into a comprehensive framework that accounts for modern technology and requires a “this will hurt” level of penalties for willfully misusing both personal data and data about persons.
The U.S. doesn’t need “GDPR” per se—a framework that has resulted in little more than millions of website pop-up privacy notices, a few fines, a giant bureaucracy, and apparently still allows “law enforcement” to record all people in public and punish those who choose not to comply—but we should certainly learn from that debacle.
—Sammy Migues, principal scientist, Synopsys
The US should absolutely have a comprehensive, baseline federal privacy law. While such a law could take many forms, it should provide many of the same core rights and protections enjoyed in the EU—many of which stem from core American principles (especially, the 1973 Fair Information Practices), including the right to access, delete, or correct one’s own information, and to object to certain types of processing.
—Stacey Gray, senior counsel, Future of Privacy Forum
My view on GDPR is we are always going to have this issue, which is that anything that is a standard today will have to continue as the technology evolves. That said, my own point of view is that it is a fantastic start on really treating privacy as a human right. I am hopeful that even the US will have something that is along the same lines. In fact, I hope the world over that we all converge on a common standard, because one of the things we do not want to do is to fragment the world and increase transaction cost. Ultimately, it is going to be born in our economic figures. I hope that we come together, the US and Europe first, and China, to set a global standard. That is what is going to help. People think of this as a conflict between regions. It is not. In a digital world, of course every country and region should put their interests first, but the digital world will help all of us grow if we realize that it is a connected world to start with.
—Satya Nadella, CEO, Microsoft
Actually, the U.S. established the precursor to a GDPR-like regulation in the healthcare industry, called HIPAA (Health Insurance Portability and Accountability Act). The GDPR goes further in a few areas, but when you do a side-by-side comparison, GDPR truly does have many of the same general requirements that HIPAA established almost 20 years ago. I’ve long believed that the general concepts and requirements for privacy protections should be established for all U.S. sectors, not just the healthcare industry.
For many reasons:
One overarching regulation that applies to all types of personal information, in all forms, is necessary to make any effective progress in protecting individuals’ privacy now and in the future.
—Rebecca Herold, CEO, The Privacy Professor
In 2019, it’s time to stand up for the right to privacy—yours, mine, all of ours. Consumers shouldn’t have to tolerate another year of companies irresponsibly amassing huge user profiles, data breaches that seem out of control and the vanishing ability to control our own digital lives.
This problem is solvable—it isn’t too big, too challenging or too late. Innovation, breakthrough ideas and great features can go hand in hand with user privacy—and they must. Realizing technology’s potential depends on it.
That’s why I and others are calling on the U.S. Congress to pass comprehensive federal privacy legislation—a landmark package of reforms that protect and empower the consumer.
—Tim Cook, CEO, Apple
Despite the high level of interest in exercising control over personal data from U.S. consumers, the United States has yet to join the EU and other nations around the world in passing national legislation that accounts for how people use technology in their lives today.
In the absence of federal action, California took an important first step forward in advancing privacy protection with the passage of the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020. A watershed for U.S. privacy law, CCPA was the first law in the United States to include rights inspired by GDPR.
Now, it’s Congress’s turn to adopt a new framework that reflects the changing understanding of the right to privacy in the United States and around the world. Like GDPR, this framework should uphold the fundamental right to privacy through rules that give people control over their data and require greater accountability and transparency in how companies use the personal information they collect.
—Julie Brill, corporate vice president and deputy general counsel, Microsoft
That’s a complex question, made more so due to the interplay between the U.S. Constitution, powers granted to the Federal Trade Commission, and the states’ police power.
The current patchwork of state and federal laws covering data privacy within the U.S. invites comparison to the GDPR. While adopting a U.S. version might seem appealing, we need to look at how existing federal legislation is influencing data privacy. For example, the Health Insurance Portability and Accountability Act (HIPAA) is designed to protect a class of personal information—personal health information. Despite the sensitivity of the data and covering legislation, there is no guarantee of adequate security, as evidenced by the June 4 SEC disclosure by LabCorp of a breach impacting 7.7 million of its customers.
A situation like this exists in part due to legislative focus being on processes and penalties without clear criteria covering when data can be appropriately collected, how it should be secured, what data retention is considered appropriate, how it might be transferred to third parties, and how individuals can effectively audit the entire lifecycle of any data provided.
Effectively, in its focus on process and penalties, HIPAA defers implementation decisions, allowing individual health care providers to determine an appropriate level of security for the underlying data, which could easily result in weaker or less costly options being selected.
—Tim Mackey, technical evangelist, Synopsys
For decades, the domestic conversation regarding privacy focused on the need to protect citizens’ privacy rights from government, often in the context of privacy in the home. Recent data security lapses, however, have begun to dramatically refocus the conversation on the need to protect citizens and their data from abuses by private industry, who in the digital age often know far more about an individual than any past government entity ever did. In recent weeks Google has apologized for failing to disclose the presence of a microphone in its Nest Guard product while the Government Accountability Office issued a report recommending that Congress pursue comprehensive data privacy legislation. We have rightfully recognized that it is time for government to act to protect citizens from corporate misuse of their data, though we in the United States have yet to agree on what that action might be.
—Michael Chertoff, co-founder and executive chairman, Chertoff Group
The absence of a privacy agency is still a gaping hole in American law. The Europeans, building on the United States’ experience and facing similar challenges, managed to develop a privacy regime that is both more coherent and more effective.
Back [in 1974], Congress well understood the need to limit the collection of personal data. And Congress did not view privacy protection and the free flow of information as a trade-off. In the same year that Congress enacted the Privacy Act, it also strengthened the Freedom of Information Act.
There is still much that Congress can do to strengthen privacy protections for Americans. Enacting federal baseline legislation and establishing a data protection agency would be a good start.
—Marc Rotenberg, president, Electronic Privacy Information Center
There is a golden opportunity for the U.S. to take the lead on data privacy globally and demonstrate how data protection can be an economic driver for growth and innovation. What could be more American than protecting property rights—your personal data—and providing the model to inspire those across the globe to similarly demand the data privacy that is at the core of democratic institutions and economic growth. We’ve been waiting too long for the market to do this alone, and we’ve reached the tipping point.
The United States is the country of the Fourth Amendment, and we’ve been focused on individual rights and privacy for more than 200 years. Now is the time for the US to start leading again on privacy.
—Justin Antonipillai, founder and CEO of WireWheel, and John Ackerly, CEO and co-founder of Virtu