More than half of Americans feel that their data is less secure today than it was 5 years ago. Given the exponential growth of personal data online, this is an especially discouraging statistic. Consumers have long lamented the lack of personal data security, and demanded increased data protection.
At the same time, businesses have insisted that the lack of invasive regulation in the technology industry is exactly what caused Silicon Valley to flourish in the United States. According to this argument, the US government should maintain the market’s competitive advantage by steering clear of over-regulation.
For as long as this conversation has existed, it has been left in gridlock. The United States’ information privacy law is a patchwork of various statutory instruments, regulatory initiatives, and state-specific legislation and enforcement. The result is a confusing, often ineffective, and misaligned system. This might soon change, however.
Failures in Privacy Protection
Recent history has provided clear evidence of the gaps in current data and privacy protection law. In the past year, Equifax reluctantly admitted to a catastrophic data breach on its system; email accounts at Yahoo were hacked; and Uber attempted to hide a breach of personal data. In an interesting twist on the usual concerns for data protection, an alleged serial killer was arrested based on genealogy data of his family found online, raising a number of privacy concerns. Naturally, the most prominent reason for society’s recent revisit of the drawing board on data protection is Facebook. The social media giant admitted that the personal data of more than 80 million users had been compromised and used to attempt manipulation of the 2016 Presidential election. In the wake of this scandal, the tides might be turning in favor of uniform, federal regulation of personal data protection.
What the EU’s GDPR Regulations Mean for Privacy Protection
What would more extensive privacy protection look like? Perhaps some indication can be obtained by looking toward Europe. The EU’s General Data Protection Regulation (GDPR) is set to modernize the landscape of personal data protection when it enters into effect in May 2018. The regulation grants users the right to be forgotten, under which all their data must immediately be removed once they withdraw their consent for a service provider to hold it. Users also receive the right to obtain direct visibility over all their personal data that is being used by companies, as well as over where and how that data is used. Companies can only collect user data if there is a specific and delineated business purpose for that data, which will eliminate the practice of gathering as much data as possible without an immediate goal. Most importantly, esoteric terms and conditions will have to be replaced by easy-to-read, commonly understandable web agreements.
The cost of complying with GDPR will be considerable. However, given that most large US companies have at least some European users, these costs will necessarily be incurred. It is likely cheaper to adopt the required changes across the board than to do so only for European users. The result may be that US users will benefit from the adoption of GDPR-compliant practices by US firms.
Regardless of whether this happens, it seems highly probable that uniform, federal regulation of personal data protection lies ahead. Hopefully, such regulation can adopt some of the provisions seen in the GDPR. At the very least, it ought to change current incentive structures so that companies aim to prevent data breaches, instead of focusing on damage control procedures after the fact.
Expert Advice on Web Agreements
If you’d like to find out more about how your company can position itself optimally for the information privacy law of the future, talk to one of our Web Agreement experts.