US businesses that have customers or clients in Europe are scrambling to comply as GDPR is now in effect. There are some concerns that the US private sector will have to look out for the policy here at home.
With every major data breach, people become more outraged which will likely prompt policy action. The EU GDPR marks a turning point in the policymaking arena due to one fundamental premise. Under the GDPR individuals have the right to privacy and to control what happens to their data. This means all personally identifying information (PII) that a company uses is now under the control of the individual and companies must comply with all requests and permissions regarding an individual’s PII.
This paradigm of data ownership established by the EU is of course clashing with the ambiguous ideas of data ownership that US businesses are used to operating under. The GDPR paradigm is also redefining expectations for American citizens. Almost every company that has an international presence has had to send out new privacy notices to users/customers to reflect their compliance with the GDPR. This likely would have gone unnoticed by the American public if the privacy notices didn't flood their inboxes all at once.
As a result, publications have taken notice and reported to the American public exactly why they have been seeing these notices. As the American public becomes more aware, articles that highlight the difference in treatment between US citizens and EU citizens will become even more relevant. All it will take is the next major data breach for the American public to start demanding ownership of their personal data.
So, the important question is, how will this affect US policy and your business?
If your business tracks the regulatory environment, then you may notice a recurring pattern. Cities or states develop policy programs, if successful then they scale up to the federal level. While cyber security policy is following this traditional trend, the sense of urgency has prompted action from US defense agencies and the executive branch. The US government has actually been leading much of the innovation in cyber security, not the private sector. This makes sense since defense is kind of their thing.
Expect to see more developments at the state level when it comes to cyber security. It may be a year or two before anything is implemented. However usually when a policy is introduced, it causes some buzz among experts.
Here are my predictions on what the US states and federal government may propose in the coming months of 2018:
State level prediction #1: non-ownership experimentation
Do not expect the ownership question to be on the table, it is not politically viable to include in any policy. This includes the provisions about data portability and the right to be forgotten. The GDPR is massive and includes quite a few innovative approaches that are compatible with the current political and business environment. The following parts of the GDPR carry some potential use among US states:
De-identification
Contained within the GDPR (recitals 26, 28, 29, 75, 85, 156) are strong suggestions for pseudonymization. What is also specified in Recital 26 is that the processing of anonymous data is not of concern to the GDPR. Essentially data can be used much more liberally once it has been decoupled from the data subject. This recital is an important specification because it creates an incentive for companies to keep data itself untraceable to any individual citizen.
There are many ways to achieve this, some of which include: pseudonymization, anonymization, suppression, generalization, and hybrid encryption schemes. Any mixture of these would help keep data de-identified thus unusable to anyone who manages to breach other security measures.
Beyond the GDPR, incentivizing or mandating data to be anonymous could help protect the general public even when a data breach happens. This could reasonably be picked up in US policy proposals.
Notification & data transparency
The GDPR requires that data subjects (people) are informed in concise, transparent, and intelligible form. While there is no explicit digital privacy or transparency law in the United States, there are a series of legislations that organizations must comply with.
The Gramm-Leach-Bliley Act for example requires that financial institutions provide notice of its privacy practices to the public, but it does not require a disclosure to an oversight agency.
Under HIPAA the situation is similar. The difference with the GDPR is the level of scrutiny the government does, and also how involved the frequency of communication with oversight agencies.
Among states you can expect some experimentation with enhanced notification requirements modeled from the GDPR. Such requirements include notification about not just data breaches, but also data collection, which would have impacts for any businesses operating in the states.
Last month Delaware’s new data breach notification law went into effect. The law contained the most recent cyber security laws to date at its time of drafting. Some of those included language changes of what triggers the need for notification. Now it is required to notify, unless proven that a data breach will not have a negative impact on the victim.
Another popular US custom is to include free credit monitoring to those impacted by the breach. Nationally free credit monitoring is not required, but in Delaware it is required. In the future, states might now begin to borrow from the legal GDPR framework.
State level prediction #2: data protection agencies (DPA)
The GDPR mandates that independent agencies be established for the sole purpose of enforcing the GDPR. What is important here is that the GDPR was developed as a policy framework which focuses on the protection of personal data. This means that it was not just a common market-based policy, if any organization interacts with EU citizen data they must comply with the GDPR. It should be noted that DPAs are each formed within each member country of the EU.
In the United States, states could establish their own independent Data Protection Agencies that align with local laws. For states where an independent agency is not feasible, resources could be rearranged to enhance existing agencies to become data protection regulators. In either case, states who want to better protect local citizens may find inspiration from the GDPR’s impacts.
Federal prediction #1: privacy/secure-by-design
The GDPR now requires data protection by design and default, meaning privacy will be the new standard. Privacy by design is not a new concept at all and in fact has been part of political discourse for a few years now. This has become a focus with the rise of the internet of things, where security is often very poor and an afterthought in product and service development. To remedy this in the United States, last year a policy called Cyber Shield Act was introduced. This bill was a combination of security-by-design and a security quality rating label.
The act was first proposed by Senator Edward Markey and looked optimistic as there was excitement from both major political parties in the US. If there are any developments, this would actually place the US government one step ahead when it comes to helping protect consumers with actionable information and defaults combined.
Expect the US government to build on this in 2018, given the amount of excitement this proposal generated when it was introduced. While it is not as expansive in who is regulated as with the GDPR, it would be a strong start for security-by-design. It should also be noted that the US’s friendly neighbor to the north, Canada, has even considered a privacy-by-design policy as well.
Federal prediction #2: impact assessments
The GDPR requires that organizations assess the impacts of any new attempts to process data. This requirement might have foresight in the US – the Securities and Exchange Commission (SEC) approved guidance back in February for cyber security disclosures to be included in reports going forward. Companies are required to discuss cyber security risks and incidents in their filings.
The data protection impact assessments from the GDPR are still miles ahead of the cyber security disclosures required from the SEC. Despite this, there is growth potential for the SEC disclosures. If the SEC takes inspiration from the impact assessment requirements, then there may be more definition to what companies are required to analyze and report on. There is also possibility for the impact assessment to become state or federal policy for all companies in the US, including LLCs and sole proprietorships.
The US has a lot of room for growth when it comes to cyber security. The GDPR allows the US to watch what unfolds, borrow from the EU policy and localize provisions to what works within the United States’ strong market economy.