The recent Netflix documentary, The Social Dilemma, may have highlighted to many Americans just what happens to the wealth of personal information they regularly – and willingly – share online. It may be especially concerning, then, to know that companies in the United States aren’t required by federal law to protect this information.
The outcome of the Presidential election may be about to change this, however. It’s widely anticipated that the question of data privacy will be a significant priority for the Biden Administration. The issue has been largely overlooked under President Trump, but with many other countries enforcing GDPR-type regulations, it’s time the US acknowledged the real importance of protecting its citizens’ personal information.
Data privacy clearly matters to consumers. Most of the respondents (87%) to a recent US survey by PWC said they’d take their business elsewhere if they didn’t trust a company to handle their data responsibly. This is worrying news for businesses, especially when only a quarter of respondents felt most companies handled their personal information responsibly.
Elsewhere around the globe, of course, strict regulations are in place to ensure that companies do just this. Probably the most well-known of these, the EU GDPR, is a legal framework that sets guidelines for the collection and processing of personal information from individuals living in the European Union, and gives those individuals greater control over their own data. Variations of these regulations exist elsewhere. Canada recently introduced the Digital Charter Implementation Act, for example, while India has its Personal Data Protection Bill, Australia its Privacy Amendment (Notifiable Data Breaches), and Japan its Act on Protection of Personal Information.
Although there are exceptions – health information is regulated, as is data on children under 13 – the closest the country has come to regulation at a national level was the EU-US Privacy Shield, a framework designed to facilitate transatlantic data transfers. But this was invalidated by the Court of Justice of the European Union in July 2020.
Instead, there is a patchwork of regional data protection laws. Since California became the first state to pass legislation requiring companies to report breaches of personal information in 2002, other states have passed their own breach notification laws. However, each has its own definition of what constitutes personal information, and its own reporting requirements and processes. In the absence of a consistent federally legislative framework, this piecemeal approach is a logistical and regulatory minefield for American businesses. In the wake of the Coronavirus pandemic, this kind of administrative burden is one of the last things the US economy needs right now.
Signs of support
What happens next will depend on the Georgia Senate runoff, the outcome of which we won’t know until early January. If the Democrat challengers flip both seats, the party will hold a majority in both the Senate and the House, lending much-needed leverage to any plans that President-elect Biden might have. If the Republican incumbents maintain their seats, that leverage will be reduced.
But whichever way the vote in Georgia plays out, passing a piece of legislation which sets out clear definitions of personal information, and firm guidance on its secure and respectful handling, should be toward the top of the Biden Administration’s to-do list. Fortunately, there are signs of support for such legislation from both sides of Government.
In July, for example, the bipartisan Cyberspace Solarium Commission published the draft of its proposed Personal Data Security and Privacy Protection Act of 2020, which outlines the need to provide consumers with transparency and access to their data, states requirements for reasonable security measures, and that considers the importance of international interoperability.
Since then, the US Senate Committee on Commerce, Science and Transportation has held a hearing entitled “Revisiting the Need for Federal Data Privacy Legislation”, and both Republicans and Democrats have introduced bills relating to data privacy – the Setting an American Framework to Ensure Data Access, Transparency, and
Accountability (“SAFE DATA”) Act, and the Consumer Online Privacy Rights
Act (COPRA), respectively.
Strength of momentum
Consumers are, understandably, concerned about the safety and security of their personal information, and businesses are working hard to comply with inter-state as well as international regulations. To satisfy the concerns of both consumers and businesses, the incoming administration needs to implement something along the lines of the GDPR – a single, consistent framework of rules that can be rigorously enforced with strict financial penalties for non-compliance.
As we’ve seen from recent activity in the Senate, there is some momentum behind the introduction of the kind of legislation we’ve seen in place elsewhere in the world. However, we won’t know just how strong that momentum is until the new year. Watch this space. This topic and several other trends that we anticipate impacting 2021 are discussed in the “Where Do We Go From Here? 2021 Security Predictions”. We invite you to listen the fire side chat here.