Things to Consider and Things to Avoid in General Data Protection Regulation

The European Union’s General Data Protection Regulation (GDPR) takes effect on May 25, 2018.  In advance of that date, a growth industry of GDPR coaching is available to US firms through Microsoft, SAP, BMC/Forrester, PWC, McAfee and dozens of consultancies.  Fewer than 50% of large companies will be in full GDPR compliance by the end of 2018.

We have chosen to view GDPR through the lens of its impact on US consumers.  The upside to GDPR is that it will inspire business practices that protect an American individual’s privacy, and when in compliance, it will foster more high value US exports.

Any firm that processes or stores in databases information about EU individuals is required to comply with GDPR regulations.  Indeed, personal data cannot be transferred to countries outside the European Union unless those countries guarantee the same level of data protection.  If US social networking and search sites hold information from EU individuals, they must come into compliance with GDPR regulations, regardless of whether the information is stored in the EU or elsewhere.

The GDPR regulations most relevant to US persons are summarized below:

Personal information about an EU person includes data provided by the person and data observed from the person’s behavior.  The personal information can relate to a person’s private, public, or work life.

Foreign court orders relating to personal information are unenforceable unless the foreign country has a mutual international agreement in place to honor such orders.  EU regulations governing trans-border, national security, and police inquiries are contained in a cluster of regulations separate from GDPR.

Persons have a right to Opt-In and Opt-Out.  Personal information may not be processed unless the person has given explicit consent that covers the information and the processing to be done.  There are other limited contexts that justify a processor getting access to the data and processing it.  Processors must be able to prove “consent” (opt-in), and consent may be withdrawn.

A processor that suffers a security breach must notify the GDPR authority within a day unless there is no chance that an individual’s information is exposed.  Personal information held by a processor must be protected from disclosure in the event of a security breach.  A process called “pseudonymization” (one example is encryption, with keys stored separately) is urged because it renders personal information unintelligible to unauthorized persons.  Somewhat alarmingly, the GDPR notes that data storage on remote clouds is practical and relatively safe if only the data owner, not the cloud service, holds the decryption keys.
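As an added illustration of the pseudonymization described above (example code, not part of the original article): a keyed HMAC token replaces the direct identifier, the processor stores only tokens, and the key together with the token-to-identifier table stays with the data owner. The sample records and the `email` field name are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample dataset (not real people). The e-mail address is the
# direct identifier that a processor would otherwise hold in cleartext.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "plan": "basic", "visits": 12},
    {"email": "bob@example.org", "plan": "premium", "visits": 3},
    {"email": "alice@example.org", "plan": "basic", "visits": 7},
]


def token_for(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the identifier.

    Without `key` the token is unintelligible; with it, the same identifier
    always maps to the same token, so records about one person can still be
    linked for analysis without the processor ever seeing the identifier."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes, field: str = "email"):
    """Return (pseudonymized_records, reidentification_table).

    The first list is what the processor stores.  The table (token ->
    identifier) stays with the key holder, separate from the processed data."""
    pseudonymized = []
    table = {}
    for record in records:
        token = token_for(record[field], key)
        table[token] = record[field]
        out = dict(record)
        out[field] = token
        pseudonymized.append(out)
    return pseudonymized, table


def reidentify(token: str, table: dict):
    """Only the key holder, who kept the table, can reverse a token."""
    return table.get(token)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the data owner, not the processor
    pseudo, table = pseudonymize(SAMPLE_RECORDS, key)
    for row in pseudo:
        print(row)
    print(reidentify(pseudo[0]["email"], table))
```

Because the key holder can reverse the tokens, pseudonymized data is still personal data under GDPR; only data that cannot be re-identified counts as anonymized.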

Persons have a “right of access.”  Upon request, a processor must provide the categories of data that are being processed and a copy of the actual data, along with details such as the purposes of the processing, with whom the data is shared, and how it acquired the data.

Persons have a right to erasure, a slightly watered-down version of the “right to be forgotten.”  The right to erasure authorizes requesting that a processor remove many classes of personal information.

Persons have a right to transfer personal information from one processor into another. Data that has been sufficiently anonymized is excluded.

The primary downside to GDPR is the pyramid of remote, unelected potentates that GDPR calls for.  GDPR’s army of officials is the sort of undemocratic bureaucracy that irritates Americans.  The US has enough talent in the Federal Trade Commission to handle adaptation of US regulations to GDPR sufficiently well that we do not suffer trade difficulties.

On the other hand, those unconcerned with economics and jobs will be tempted to focus on all the pretty new “rights” that GDPR proposes.  In the US, we should avoid the term “rights” to prevent confusion with the weakly specified privacy mentioned in our Constitution.

We must not allow ourselves to get bogged down mimicking the EU’s festival of new “rights.”  New rights and entitlements invariably come with costs that are assigned to someone else or for another day.  The Congress and White House generate too many of these already.

GDPR does not treat privacy as an innate human right.  GDPR specifies privacy in a pragmatic way.  In the GDPR, privacy results from business and government procedures designed to protect information about an individual.

We can admire the cluster of privacy principles such as opt-in/opt-out, disclosure protection, access to personal data, and transfer of data.  We do not need to copycat the EU’s towering bureaucracy and new privacy entitlements.
