Could EU General Data Protection Regulation (GDPR) Strengthen the United States Consumer Privacy Protection Laws?

Young Choo, MJLST Staffer

 

The EU General Data Protection Regulation (GDPR) will replace the Data Protection Directive 95/46/EC in May of 2018. Unlike the Directive, GDPR does not require each European state to enact a national statute. The GDPR would uniformly apply to countries in the European Union. European Commission proposed the GDPR to “strength and unify data protections for people in the European Union.” The regulation also addresses the export of personal data outside of the European Union. More specifically, Article 3 of GDPR says that “if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.”  Consequently, companies in United States dealing with European Union consumer information are expected to be in compliance with GDPR.

 

In light of the new regulation, the U.S. companies, either have facilities in the EU or having personal data of European, are busy to be in compliance with the GDPR. What would be generally required under the GDPR for the U.S. companies? The first step would be deciding whether GDPR applies to the company. The second step would be having a Data Protection Officer (DPO). A Data Protection Officer (DPO) is “a position within a corporation that acts as an independent advocate for the proper care and use of customer’s information.” The third step would be creating a strategy to be in compliance with the GDPR. To do so, drafting a Privacy Policy agreement in line with the GDPR is necessary. Key requirements should be provided in the privacy policy under the GDPR would be (1) “Privacy Notices”; (2) “Consent”; (3) “Data Subjects’ Rights”; (4) “Security”; (5) “Data Protection Assessment”; (6) “Breach Notification”; (7) “Service Providers”.

 

Could these U.S. companies’ movement to be in compliance with GDPR also influence the United States’ Data Protection law as well? The answer is “possibly”. California recently initiated the move toward more stringent data privacy laws. “The California Consumer Personal Information Disclosure and Sale Initiative (#17-0039) may appear on the ballot in California.” The Initiative includes the following rights for consumers:

 

Gives consumers right to learn categories of personal information that

businesses collect, sell, or disclose about them, and to whom information

is sold or disclosed. Gives consumers right to prevent businesses from

selling or disclosing their personal information. Prohibits businesses from

discriminating against consumers who exercise these rights.

Allows consumers to sue businesses for security breaches of consumers’ data, even if consumers cannot prove injury. Allows for enforcement by consumers, whistleblowers, or public agencies.

 

Another impact the movement toward stringent data protection compliance could bring is the changes of perception of “harms” in the data breach setting. United States courts have not considered “data breach” itself as a harm. They always required an additional showing of consequential harm arising out from the data breach, such as money spent on monitoring the data breach or any credit card misuses arising from the breach. On the other hand, the E.U. data protection law is strongly based on the idea that data breach itself is a harm because privacy is a fundamental human right. It is important to note how circuit courts would decide Article III on a standing issue, one of the requirements for the plaintiffs to prove is a “concrete and particularized harm”, in the data breach setting.